Security Solutions

3-52
Designing Access Controls
Choose the Endpoint Integrity Deployment Method
An exception might be when you enforce Web-Auth on wireless LANs (WLANs). You can use the inline deployment method if the wireless network meets these requirements:
- Traffic from the wireless network is forwarded into the rest of the network at one or two choke points:
  - You are using a Wireless Edge Services Module, which can act as a choke point.
  - The APs connect to a single switch or a couple of switches, which can act as choke points.
- Only one virtual LAN (VLAN) exists on the wireless network (all WLANs, associated APs, and switches).
MAC-Auth
If you have selected MAC-Auth as the only access control method in a zone,
it is probably because the network infrastructure devices do not support
802.1X. Check other capabilities on the network infrastructure devices. As
long as they are capable of receiving dynamic VLAN assignments from the
RADIUS server, the NAC 800 can use the 802.1X deployment method for the
zone. If the switches and APs cannot receive dynamic VLAN assignments, you
must choose a different method—almost always DHCP.
Often you select MAC-Auth as the access control method for headless devices
or even gaming devices in a zone that otherwise enforces 802.1X. In this case,
you can use the 802.1X endpoint integrity deployment method for the entire
zone.
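The selection rules in this section, for the Web-Auth WLAN exception above and for zones that use MAC-Auth, can be captured as a small decision function. The following is an added example, not code from the guide or from the NAC 800 product; the Zone attribute names and the "inline"/"DHCP" return strings are constructed for this illustration, and cases the section does not cover return None so that Table 3-34 decides them.

```python
"""Deployment-method selection helper (added example, not from the guide).

Rules encoded from this section:
  * Web-Auth on WLANs: the inline method is usable when wireless traffic
    enters the rest of the network at one or two choke points and the
    wireless network has a single VLAN.
  * MAC-Auth as the only access control method: 802.1X if the switches and
    APs accept dynamic VLAN assignments from RADIUS, otherwise DHCP.
  * MAC-Auth for headless devices in a zone that otherwise enforces 802.1X:
    the 802.1X method for the entire zone.
"""
from dataclasses import dataclass

WEB_AUTH, DOT1X, MAC_AUTH = "Web-Auth", "802.1X", "MAC-Auth"


@dataclass(frozen=True)
class Zone:
    # Attribute names are constructed for this example.
    access_methods: frozenset           # subset of {WEB_AUTH, DOT1X, MAC_AUTH}
    dynamic_vlan_supported: bool        # infrastructure accepts RADIUS VLAN assignments
    is_wireless: bool = False
    wireless_choke_points: int = 0      # WESM or switch(es) that all WLAN traffic crosses
    wireless_vlan_count: int = 0        # VLANs spanning WLANs, APs and switches


def wlan_inline_eligible(zone: Zone) -> bool:
    """Both requirements listed for the Web-Auth WLAN exception must hold."""
    return zone.wireless_choke_points in (1, 2) and zone.wireless_vlan_count == 1


def choose_deployment_method(zone: Zone):
    """Return the endpoint integrity deployment method, or None if this
    section's rules do not decide the case (consult Table 3-34)."""
    methods = set(zone.access_methods)

    if methods == {MAC_AUTH}:
        # Devices that cannot do 802.1X may still take dynamic VLANs from RADIUS.
        return DOT1X if zone.dynamic_vlan_supported else "DHCP"

    if methods == {DOT1X, MAC_AUTH}:
        # MAC-Auth only covers headless/gaming devices; the zone still uses 802.1X.
        return DOT1X

    if methods == {WEB_AUTH} and zone.is_wireless:
        return "inline" if wlan_inline_eligible(zone) else None

    return None


if __name__ == "__main__":
    # Constructed zones for a quick check of each rule.
    mac_only = Zone(frozenset({MAC_AUTH}), dynamic_vlan_supported=False)
    print(mac_only, "->", choose_deployment_method(mac_only))
    wlan = Zone(frozenset({WEB_AUTH}), True, is_wireless=True,
                wireless_choke_points=1, wireless_vlan_count=1)
    print(wlan, "->", choose_deployment_method(wlan))
```

Run it with the constructed zones in the `__main__` block, or build a Zone from a real inventory of a zone's switches and APs; a None result is the signal to fall back to the table rather than a failure.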
Table 3-34 summarizes the best method of deployment depending on the
access control method.