I'm looking at 802.1X to improve our internal network's security posture and prevent unauthorized access by non-authorized users. The solution I am looking at is 802.1X only, not any vendor's NAC solution which rides upon 802.1X, but 802.1X solely. We currently have no plans nor budget for Cisco's NAC appliance, Clean Access, CSA, or any other type of similar program. Our systems are XP or Vista, and the JetDirects we have purchased over the years have 802.1X capability per HP's specs. I have about 3,500 desktops.
I had initially considered having the switches query a RADIUS server (like ACS, for example), which would in turn query the Windows AD for account authentication. This would prevent those without an account from accessing the network via a switchport.
I've been looking at some of the ways to perform this, and it looks like some people say the best way (for security's sake) is to actually utilize a certificate authority (internal CA) to authenticate user access in lieu of the username and password. Keep in mind, our current AD password policy requires each user's password to be changed every 60 days, 8 chars or more, requiring uppercase, lowercase, and a number in that password. This is much stronger than it used to be.
So, I'm on the fence here and I am in the early stages of exploration. Can some of you tell me what you chose to do and why?
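The switch-to-RADIUS piece of the design in the post, shown as an added Cisco IOS configuration example (not from the original post or from any vendor documentation). The RADIUS server address 10.0.0.5, the shared-secret placeholder, the VLAN number and the interface name are assumptions; the RADIUS server (ACS or otherwise) is what then checks the credential or certificate against AD.

```cisco
! Constructed example: 802.1X authenticator on an access switch,
! delegating authentication to a RADIUS server that fronts AD.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! RADIUS server address and shared secret are placeholders (assumed).
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key CHANGE-ME-SHARED-SECRET
! Turn 802.1X on globally; without this no port enforces it.
dot1x system-auth-control
!
! One user-facing access port (interface name assumed).
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 ! "auto" = port stays closed until the supplicant authenticates.
 authentication port-control auto
 dot1x pae authenticator
 ! Shorter EAP-Request/Identity retry so XP/Vista supplicants
 ! and JetDirects are challenged quickly after link-up.
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Whether the supplicant presents a username/password (PEAP-MSCHAPv2) or a CA-issued certificate (EAP-TLS) is decided on the RADIUS server and the client, not in this switch config, so the same port configuration serves either choice.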