Access Control Concepts

Network Access Control Technologies

Policy Repository

The policy repository stores policies that the PDP draws on to make decisions. Stored policies include access criteria for users such as username and password, valid MAC address, IP address, location, and time of day. Usually network policies are stored as sub-elements within a directory that contains other policy-related information such as user credentials (username/password combinations) and device or network information. A PDP might also store some of these policies itself and refer to a directory server for user credentials.

For a PDP to perform its AAA functions, it needs access to the policy repository. The policy database may be either local (on the same system as the PDP server) or remote (on a different system on the network).

Local Policy Repository. A local policy database can be as simple as a flat file under control of the PDP server, or it can be a more complex local database such as a SQL database or a UNIX password file.

Remote Policy Repository. Remote policy databases are generally superior to local databases because they tend to scale better and offer a central control point for management. They do, however, require additional upfront effort to deploy. That objection may be academic if your organization already has a distributed policy infrastructure in place.

The most common form of a distributed policy database is a directory service. A server that implements directory services identifies all network resources, such as users, servers, peripheral devices, and the policies for dealing with them. In a Microsoft Windows domain, the user and policy database is Active Directory. Other directory services include Novell eDirectory and OpenLDAP.

A PDP such as a RADIUS server can use a directory service in conjunction with a local policy repository. For example, the RADIUS server might query the directory service to check user credentials. After authenticating the user, the RADIUS server must decide for which rights that user is authorized under the current conditions. It checks policies that, while they might originate from the remote repository, might be stored locally instead.
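The split described above, as an added example that is not part of the HP manual: a minimal PDP that verifies credentials against a stand-in for the remote directory, then evaluates the locally stored policies (MAC address, source subnet, time of day) to decide what rights to grant. The user, MAC, address and policy values are constructed sample data.

```python
# Added example (not from the HP manual): a minimal PDP that checks credentials
# against a stand-in "directory" and then authorizes against a local policy
# repository keyed on MAC, IP subnet and time of day. All data is constructed.
import hashlib, hmac, ipaddress
from dataclasses import dataclass
from datetime import time

def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Remote repository stand-in: salted credential digests plus the user's group.
DIRECTORY = {"alice": {"salt": "c0ffee", "group": "staff",
                       "digest": _digest("c0ffee", "correct horse")}}

@dataclass(frozen=True)
class Policy:
    group: str
    allowed_macs: frozenset  # a weak factor on its own: MACs are trivially changed
    subnet: str              # CIDR the client must connect from
    start: str               # "HH:MM" window, inclusive
    end: str
    rights: str              # e.g. VLAN or filter id handed back to the PEP

# Local repository: authorization rules evaluated after authentication succeeds.
LOCAL_POLICIES = (Policy("staff", frozenset({"00:11:22:33:44:55"}),
                         "10.1.0.0/16", "08:00", "18:00", "vlan-staff"),)

def authenticate(user: str, password: str):
    """Return the user's group on success, None otherwise (constant-time compare)."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return None
    ok = hmac.compare_digest(entry["digest"], _digest(entry["salt"], password))
    return entry["group"] if ok else None

def authorize(group: str, mac: str, ip: str, now: str) -> str:
    """Return the rights of the first local policy matching every condition, else 'deny'."""
    addr, clock = ipaddress.ip_address(ip), time.fromisoformat(now)
    for p in LOCAL_POLICIES:
        if p.group != group or mac.lower() not in p.allowed_macs:
            continue
        if addr not in ipaddress.ip_network(p.subnet):
            continue
        if not time.fromisoformat(p.start) <= clock <= time.fromisoformat(p.end):
            continue
        return p.rights
    return "deny"

def decide(user: str, password: str, mac: str, ip: str, now: str) -> str:
    """'reject' if authentication fails; otherwise the authorized rights."""
    group = authenticate(user, password)
    return "reject" if group is None else authorize(group, mac, ip, now)
```

Note that a failed credential check yields "reject" while a valid user outside the policy conditions yields "deny"; keeping the two outcomes distinct makes the PDP's logs far easier to investigate.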

HP Access Control Client Software manual Policy Repository