1. When you are implementing wireless and the NAC Appliance, the CAS must be deployed in-band. This currently is the only supported option.
If your plan is to use H-REAP, note that this protocol is not currently supported by NAC in either in-band or out-of-band deployments.
In an in-band deployment, the NAC Appliance server is always inline with user traffic: before, during, and after authentication, posture assessment, and remediation. The CAS securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared or per-user bandwidth, or using time-based sessions and heartbeat controls.
To answer your other questions:
Matching roles to AD groups is a good idea for authentication.
You would define ACLs on the router and not on the CAS.
1) Why do you suggest defining ACLs on the router and not the CAS? The CAS can catch traffic before it gets to the router.
2) I'm a little confused about authentication. Should I bother authenticating at the controller level using 802.1X, or simply use static WPA2 keys? The CAS will then authenticate the user using back-end AD.