Unanswered Question
Oct 2nd, 2007

A client of mine has corporate clients set up with 802.1x authentication. Is that sufficient and secure by itself? I would like to put these users in the DMZ; would ensuring LAN access via VPN (authentication using ACS / AD integration) be a better design? Are there any Cisco design documents that support or negate my design? Any best practices docs that support this?

b.julin Wed, 10/03/2007 - 04:50

802.1x is secure if you are using the right combination of features -- WPA2 and PEAP-MSCHAPv2 or a certificate-based EAP seem to be the industry standard.

If you have a mix of users that should and should not be allowed into the DMZ, the RADIUS server should be able to be configured to send a message along with the authorization accept that will cause the Cisco gear to put the users with DMZ access in a different VLAN, as long as it has a way of knowing which users those are.
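The VLAN hint carried with an Access-Accept is normally the three tunnel attributes RFC 3580 defines (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID). The following is an added example, not part of the original post: it parses the attribute section of a reply and reports the assigned VLAN only when all three are present and consistent. The sample replies and VLAN "30" are constructed.

```python
# RADIUS tunnel attribute types (RFC 2868) and the VLAN values from RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def _tagged_int(value):
    # Tunnel-Type and Tunnel-Medium-Type: 1-byte tag + 3-byte big-endian integer
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return int.from_bytes(value[1:], "big")

def assigned_vlan(attrs):
    """Return the VLAN string if the RFC 3580 triple is complete, else None."""
    found = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = _tagged_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x1F or less is a tag, not part of the string
            if value and value[0] <= 0x1F:
                value = value[1:]
            found[atype] = value.decode("ascii")
    complete = (found.get(TUNNEL_TYPE) == TYPE_VLAN
                and found.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and found.get(TUNNEL_PRIVATE_GROUP_ID))
    return found[TUNNEL_PRIVATE_GROUP_ID] if complete else None

# Constructed samples: a full VLAN assignment and a reply missing two attributes
ACCEPT_DMZ = (attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06")
              + attr(81, b"30"))
ACCEPT_PARTIAL = attr(81, b"30")

if __name__ == "__main__":
    print(assigned_vlan(parse_attributes(ACCEPT_DMZ)))
```

Running this check against captured replies from the RADIUS server is a quick way to confirm that each user group actually receives the intended VLAN before relying on the segmentation.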

