A client of mine has corporate clients setup with 802.1x authentication. Is that sufficient and secure by itself. I Would like to put these users in the DMZ and ensuring LAN access via VPN (authentication using acs / ad integration) be a better design? Any cisco design documents that support or negate my design? Any best practices docs that support this?