Security Solutions
Designing Access Controls
Choose the Access Control Methods
Table 3-21. Preliminary Decisions for the Access Control Method

Factor: Security (weight 3)
  Private wired: 802.1X; Web-Auth for the administration building only
  Public wired: 802.1X
  Private wireless: 802.1X with WPA/WPA2
  Public wireless: 802.1X with WPA/WPA2

Factor: User type and sophistication (weight 2 for private zones, 3 for public zones)
  Private wired: 802.1X
  Public wired: Web-Auth
  Private wireless: 802.1X with WPA/WPA2
  Public wireless: Web-Auth

Factor: Administrative workload (weight 2)
  Private wired: Web-Auth
  Public wired: Web-Auth
  Private wireless: Web-Auth
  Public wireless: Web-Auth

Factor: Endpoint capabilities (weight 3)
  Private wired: 802.1X for all endpoints that support it; MAC-Auth for headless devices and legacy APs
  Public wired: Web-Auth for all endpoints that support it; MAC-Auth for headless devices
  Private wireless: 802.1X with WPA/WPA2
  Public wireless: Web-Auth

Factor: Administrative control (weight 1)
  Private wired: 802.1X
  Public wired: 802.1X
  Private wireless: 802.1X with WPA/WPA2
  Public wireless: Web-Auth

Factor: Existing infrastructure (weight 3)
  Private wired: 802.1X
  Public wired: 802.1X
  Private wireless: 802.1X with WPA/WPA2
  Public wireless: 802.1X with WPA/WPA2

Total
  Private wired: 802.1X for all endpoints that support it; MAC-Auth for headless devices and legacy APs
  Public wired: Web-Auth for all endpoints that support it; MAC-Auth for headless devices
  Private wireless: 802.1X with WPA/WPA2
  Public wireless: Web-Auth

One concern for PCU is that some headless devices and legacy APs require MAC-Auth. The private wired zone can still enforce 802.1X on most ports and make exceptions only for the ports to which the non-802.1X-capable devices connect. A more critical concern is that the legacy APs support 802.1X but not Web-Auth, the method chosen for the public wireless zone. Network administrators must either replace these APs or swap them with APs from the private wireless zone that do support Web-Auth.

Table 3-22 lists the access control methods for PCU's access zones.
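The following Python script is an added illustration, not code from the original page. It encodes the weights and per-zone recommendations of Table 3-21 and sums, for each zone, the weights of the factors that favor each method. That tally rule (highest weighted score wins, port-level exceptions carried alongside the primary method, an exact tie treated as an unresolved decision) is this editor's reading of how the Total row follows from the table, not a procedure the book states; the zone and factor names are assumed identifiers.

```python
# Added example (not from the original page): weighted tally of the
# per-factor recommendations in Table 3-21 to reproduce its Total row.
from collections import defaultdict

# Assumed identifiers for the four access zones, in table column order.
ZONES = ("private_wired", "public_wired", "private_wireless", "public_wireless")

# Factor weights from the table. "User type and sophistication" is
# weighted 2 for private zones and 3 for public zones, so it is a dict.
WEIGHTS = {
    "security": 3,
    "user_type": {"private_wired": 2, "public_wired": 3,
                  "private_wireless": 2, "public_wireless": 3},
    "admin_workload": 2,
    "endpoint_capabilities": 3,
    "admin_control": 1,
    "existing_infrastructure": 3,
}

# Each factor's recommended primary method per zone (table column order).
# Methods that apply only to some ports (MAC-Auth for headless devices,
# Web-Auth in the administration building) are kept out of the vote and
# recorded as per-port exceptions below.
VOTES = {
    "security":                ("802.1X", "802.1X", "802.1X/WPA2", "802.1X/WPA2"),
    "user_type":               ("802.1X", "Web-Auth", "802.1X/WPA2", "Web-Auth"),
    "admin_workload":          ("Web-Auth", "Web-Auth", "Web-Auth", "Web-Auth"),
    "endpoint_capabilities":   ("802.1X", "Web-Auth", "802.1X/WPA2", "Web-Auth"),
    "admin_control":           ("802.1X", "802.1X", "802.1X/WPA2", "Web-Auth"),
    "existing_infrastructure": ("802.1X", "802.1X", "802.1X/WPA2", "802.1X/WPA2"),
}

# Port-level exceptions the table attaches to the primary method.
EXCEPTIONS = {
    "private_wired": ["MAC-Auth for headless devices and legacy APs",
                      "Web-Auth for the administration building only"],
    "public_wired": ["MAC-Auth for headless devices"],
}


def weight_for(factor, zone):
    """Resolve a factor's weight for a zone (some weights vary by zone)."""
    w = WEIGHTS[factor]
    return w[zone] if isinstance(w, dict) else w


def tally(zone):
    """Return {method: weighted score} for one zone."""
    idx = ZONES.index(zone)
    scores = defaultdict(int)
    for factor, votes in VOTES.items():
        scores[votes[idx]] += weight_for(factor, zone)
    return dict(scores)


def decide(zone):
    """Pick the primary method for a zone and report how close the call was.

    Raises ValueError on an exact tie, because the table's weights do not
    define a tie-break and a human has to make that decision.
    """
    scores = tally(zone)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    winner, top = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    if top == runner_up:
        raise ValueError(f"{zone}: tie at {top} between {ranked[0][0]} "
                         f"and {ranked[1][0]}; decide manually")
    return {
        "zone": zone,
        "method": winner,
        "margin": top - runner_up,
        "exceptions": EXCEPTIONS.get(zone, []),
        "scores": scores,
    }


def decide_all():
    """Decisions for every zone, keyed by zone name."""
    return {zone: decide(zone) for zone in ZONES}


if __name__ == "__main__":
    for zone, d in decide_all().items():
        print(f"{zone:17s} -> {d['method']:12s} "
              f"(margin {d['margin']}, scores {d['scores']})")
        for exc in d["exceptions"]:
            print(f"{'':17s}    exception: {exc}")
```

Running it shows why the public wired decision deserves the most scrutiny: Web-Auth beats 802.1X there by only 8 to 7, whereas the private zones favor 802.1X by 12 to 2 and the public wireless zone favors Web-Auth by 9 to 6. A change of one weight, or a revised view of the public wired endpoints' capabilities, would flip that zone.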