Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
0
Helpful
4
Replies

NAC wireless options

ciscors
Level 1
Level 1

‎09-12-2007 02:02 PM - edited ‎02-21-2020 01:40 AM

I'm aware of two options to deploy NAC in a wireless network - Real IP and virtual gateway

Which one is more commonly deployed? Are there any advantages or disadvantages of either of these?

Thank you

0 Helpful
4 Replies 4

umedryk
Level 5
Level 5

‎09-18-2007 01:19 PM

Consider the following design guidelines when implementing NAC with a CAS:

Use different SSIDs for employees and guest wireless users

Use 802.1X authentication and strong encryption (WPA with TKIP/MIC or WPA2 with AES) for the internal users

Use fast secure roaming for internal users (CCKM required, available with LEAP and EAP-FAST)

Establish open authentication for guest and broadcast the guest SSID

Use the controller to terminate the wireless traffic on a guest wireless LAN interface

Specify DHCP address assignment option for the guest wireless LAN interface to allow only clients with DHCP addresses (and not static IP addresses) to receive traffic

Apply security policies to the wireless traffic on the wireless LAN interface guest

0 Helpful

ciscors
Level 1
Level 1
In response to umedryk

‎09-18-2007 01:24 PM

1) should i still pass guest traffic through the cas?

2) do you typically match roles to AD groups for authentication?

3) do i define access lists on core switch or the cas itself?

thx a lot

0 Helpful

pmccubbin
Level 5
Level 5
In response to ciscors

‎10-04-2007 09:30 AM

Hi Rajiv,

Two ideas to keep in mind:

1. When you are implementing wireless and the NAC Appliance, the CAS must be deployed in-band. This currently is the only supported option.

If your plan is use use H-REAP. This protocol is not currently supported by NAC in either In-band or Out-of-Band deployments.

In an in-band deployment, the NAC Appliance server is always inline with user traffic-before, during, and after authentication, posture assessment, and remediation. The CAS securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared, or per-user bandwidth, or using time-based sessions and heartbeat controls.

To answer your other questions:

Matching roles to AD groups is a good idea for authentication.

You would define ACLs on the router and not on the CAS.

Hope this helps.

Paul

0 Helpful

ciscors
Level 1
Level 1
In response to pmccubbin

‎10-05-2007 06:43 AM

1) Why do you suggest defining ACL's on the router and not the CAS? The CAS can catch traffic before it gets to the router

2) I'm a little confused about authentication. Should I bother authenticating at the controller level using 802.1x or simply use static WPA2 keys? The CAS will then authenticate the user using back-end AD

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card