Security Solutions
3-96
Designing Access Controls
Choose RADIUS Servers
Table 3-74. Integrated Server/Proxy to Turnkey Combination for the NAC 800
Choosing between these options is similar to choosing between them for
traditional RADIUS servers (see “Choose Which Devices Will Play the
Role of PDP” on page 3-79):
a. Do you have an existing directory service?
If yes, you should use that directory; choose general or integrated
server/proxy. (The general option tends to be more scalable.)
Note: There is one exception: your existing directory service is Active
Directory and you want to use digital certificates to authenticate
users. The NTLM protocol, which the NAC 800 uses to query Active
Directory, supports only MS-CHAPv2 and PEAP with MS-CHAPv2. In
this case, you must use the NAC 800’s local database; choose
turnkey server or integrated server/proxy to turnkey server.
If no, choose turnkey server or integrated server/proxy to turnkey
server. (The integrated server/proxy to turnkey server option tends
to be more scalable.)
b. How large is your network?
If you have a large network (over 1000 wired and 500 wireless users
per LAN and over 3000 total users in the LAN), you should add a
directory service and choose the general option.
3. How many NAC 800s does your network require?
The NAC 800’s endpoint integrity services are the limiting factor, not its
RADIUS services. Each NAC 800 (CS or ES) can test up to 3000 endpoints.
Take a closer look at the number of users and endpoints you anticipate in
your network. Although users may shift from location to location,
particularly in a wireless zone, the NAC 800s can respond to requests from
any location, just like any other RADIUS server.
In the PCU example, the APs for the library and the plaza typically support
a maximum of 600 users. The RPs that handle the private wireless zones
can have up to 5000 users at one time, whereas the private wired zone
handles traffic for up to 11,000 users. With 16,600 users, this network
Table 3-74 (table body)
PEPs with Built-in PDPs:
• AP 530
• Wireless Edge Services Module
Proxy PDP with Policy/Credential Repository:
• NAC 800 managed by IDM and using its local database
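The following small planner is an added example, not part of this guide: it encodes the server-option decision in steps (a) and (b) above (including the Active Directory/certificate exception) and the NAC 800 count from step 3, using the guide’s 3000-endpoint figure. The reading of the “large network” thresholds as all three conditions together, the option strings, and the zone names are assumptions; the PCU user counts are the guide’s.

```python
import math

# Endpoint-integrity capacity of one NAC 800 (CS or ES), per the guide.
NAC800_ENDPOINT_CAPACITY = 3000

# PCU example zones and their maximum user counts, taken from the guide.
# Zone names are labels chosen here, not the guide's own terms.
PCU_ZONES = {
    "library and plaza APs": 600,
    "private wireless RPs": 5000,
    "private wired zone": 11000,
}


def is_large_network(wired_per_lan, wireless_per_lan, total_users):
    """Guide's size test; read here (assumption) as all three thresholds."""
    return wired_per_lan > 1000 and wireless_per_lan > 500 and total_users > 3000


def choose_radius_option(has_directory, directory_is_ad, cert_auth,
                         wired_per_lan, wireless_per_lan, total_users):
    """Return the RADIUS server option that steps (a) and (b) point to."""
    large = is_large_network(wired_per_lan, wireless_per_lan, total_users)
    if has_directory:
        if directory_is_ad and cert_auth:
            # NTLM queries to AD support only MS-CHAPv2 / PEAP-MSCHAPv2, so
            # certificate-authenticated users must be in the local database.
            return "turnkey server or integrated server/proxy to turnkey server"
        # General option tends to be more scalable; required for large networks.
        return "general" if large else "general or integrated server/proxy"
    if large:
        return "add a directory service and choose general"
    return "turnkey server or integrated server/proxy to turnkey server"


def nac800_units_required(endpoints):
    """Minimum NAC 800s needed, limited by endpoint testing capacity."""
    return math.ceil(endpoints / NAC800_ENDPOINT_CAPACITY)


def pcu_plan(zones=PCU_ZONES):
    """Total users across zones and the NAC 800 count that implies."""
    total = sum(zones.values())
    return total, nac800_units_required(total)


if __name__ == "__main__":
    total, units = pcu_plan()
    print(f"PCU: {total} users -> {units} NAC 800s")
    print(choose_radius_option(False, False, False, 11000, 5000, total))
```

The PCU total of 16,600 users is the guide’s; the unit count is what the 3000-endpoint capacity yields, since the page’s own conclusion is cut off.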