NAC wireless options

Unanswered Question
Sep 12th, 2007

I'm aware of two options to deploy NAC in a wireless network - Real IP and virtual gateway

Which one is more commonly deployed? Are there any advantages or disadvantages of either of these?

Thank you

umedryk Tue, 09/18/2007 - 13:19

Consider the following design guidelines when implementing NAC with a CAS:

Use different SSIDs for employees and guest wireless users

Use 802.1X authentication and strong encryption (WPA with TKIP/MIC or WPA2 with AES) for the internal users

Use fast secure roaming for internal users (CCKM required, available with LEAP and EAP-FAST)

Establish open authentication for guests and broadcast the guest SSID

Use the controller to terminate the wireless traffic on a guest wireless LAN interface

Specify DHCP address assignment option for the guest wireless LAN interface to allow only clients with DHCP addresses (and not static IP addresses) to receive traffic

Apply security policies to the wireless traffic on the guest wireless LAN interface
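As an added illustration, not part of umedryk's reply or any Cisco document, here are the guidelines above expressed as AireOS-style WLC CLI. The WLAN ids, the interface name `guest-dmz`, the RADIUS server index and the DHCP server address are assumed, and the syntax is written from memory, so confirm each line against `config wlan ?` on the controller before use.

```cisco
! Employee WLAN: 802.1X with WPA2/AES, CCKM enabled for fast secure roaming
! (WLAN id 1 and RADIUS server index 1 are assumptions)
config wlan create 1 employees employees
config wlan security wpa enable 1
config wlan security wpa wpa1 disable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm 802.1x enable 1
config wlan security wpa akm cckm enable 1
config wlan radius_server auth add 1 1
config wlan enable 1

! Guest WLAN: open authentication, SSID broadcast, traffic terminated on a
! dedicated guest interface, and only DHCP-assigned clients are allowed
! (WLAN id 2, interface guest-dmz and DHCP server 10.0.0.5 are assumptions)
config wlan create 2 guest guest
config wlan security wpa disable 2
config wlan broadcast-ssid enable 2
config wlan interface 2 guest-dmz
config wlan dhcp_server 2 10.0.0.5 required
config wlan enable 2
```

The `required` keyword on the guest WLAN is what enforces the "DHCP addresses only" guideline: a client that configures a static address is not allowed to pass traffic.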

ciscors Tue, 09/18/2007 - 13:24

1) Should I still pass guest traffic through the CAS?

2) Do you typically match roles to AD groups for authentication?

3) Do I define access lists on the core switch or the CAS itself?

Thanks a lot

pmccubbin Thu, 10/04/2007 - 09:30

Hi Rajiv,

Two ideas to keep in mind:

1. When you are implementing wireless and the NAC Appliance, the CAS must be deployed in-band. This is currently the only supported option.

If your plan is to use H-REAP, note that this protocol is not currently supported by NAC in either in-band or out-of-band deployments.

In an in-band deployment, the NAC Appliance server is always inline with user traffic: before, during, and after authentication, posture assessment, and remediation. The CAS securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared or per-user bandwidth, or using time-based sessions and heartbeat controls.

To answer your other questions:

Matching roles to AD groups is a good idea for authentication.

You would define ACLs on the router and not on the CAS.

Hope this helps.

Paul

ciscors Fri, 10/05/2007 - 06:43

1) Why do you suggest defining ACLs on the router and not the CAS? The CAS can catch traffic before it gets to the router.

2) I'm a little confused about authentication. Should I bother authenticating at the controller level using 802.1X, or simply use static WPA2 keys? The CAS will then authenticate the user using back-end AD.

Thanks
