Security Solutions

3-132
Designing Access Controls
Lay Out the Network
Access Control Method. For truly public environments, 802.1X is generally not used because each computer must run 802.1X supplicant software. Providing and administering supplicant software for guest users is cumbersome and expensive enough to make MAC-Auth or Web-Auth the generally recommended access control method.
Workstations that belong to the organization can authenticate with either the Web-Auth or MAC-Auth method. (You must choose one or the other for each port; concurrent operation is not allowed.) For example, a library might provide several workstations for its patrons. The library does not want those patrons to bring their own laptops and plug them into the Ethernet ports, so it uses MAC-Auth, which admits only the workstations whose MAC addresses have been registered.

Members of the public bring laptops, which are plugged into switch ports and authenticate with Web-Auth. (It is not feasible for network administrators to add the MAC address of every device introduced into the network.) When the user opens a Web browser, he or she is redirected to a login page and prompted to enter login credentials.
Guest Access. Depending on how public your public wired zone is, you may not want to have to inform guests of the correct credentials. You have several options:

- You can create an unauthenticated VLAN that grants limited access to users that fail to authenticate.
- You can customize the Web-Auth login page to display a valid username and password for guests.
VLAN Assignment and Other Dynamic Settings. You can set up the VLAN assignment in two ways:

- The switch dynamically configures the port of a successfully authenticated MAC address or user for the authenticated VLAN. You set the authenticated VLAN ID statically, and it applies to all authenticated users and devices.
  This option may be suitable for the public wired zone because all guests receive the same level of access. However, if an employee attempts to use the port, he or she will also receive guest access.
- When the RADIUS server authenticates a user (or MAC address) successfully, it dynamically assigns the user to a VLAN by changing the configuration of the switch port.
  This option provides more flexibility: different types of users can connect to the port and receive different rights. In addition, you can assign other dynamic settings, such as ACLs and rate limits.
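The following is an added example, not code from the guide or from any switch vendor: it models the port-VLAN decision the two options above describe, using the RADIUS tunnel attributes (RFC 2868) that RFC 3580 profiles for VLAN assignment. Attribute numbers and values are taken from those RFCs; the switch logic, the VLAN numbers and the Access-Accept bytes are constructed for illustration.

```python
# Added example: decide a port VLAN after MAC-Auth/Web-Auth from RADIUS attributes.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                        # RFC 3580

def parse_avps(data: bytes) -> list:
    """Decode a RADIUS attribute list into (type, tag, value) triples (RFC 2868 tags)."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 3 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        atype, body, tag = data[i], data[i + 2:i + data[i + 1]], 0
        # Integer tunnel attributes always carry a tag byte; the string
        # Tunnel-Private-Group-ID carries one only when its first byte is <= 0x1F.
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) or (
                atype == TUNNEL_PRIVATE_GROUP_ID and body[0] <= 0x1F):
            tag, body = body[0], body[1:]
        avps.append((atype, tag, body))
        i += data[i + 1]
    return avps

def radius_vlan(avps: list):
    """VLAN ID from a consistent Type/Medium/Group-ID set sharing one tag, else None."""
    groups = {}
    for atype, tag, body in avps:
        groups.setdefault(tag, {})[atype] = body
    for g in groups.values():
        ttype = int.from_bytes(g.get(TUNNEL_TYPE, b""), "big")
        medium = int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big")
        vid = g.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        # A mismatched medium or a non-numeric group ID must not assign a VLAN.
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802 \
                and vid.isdigit() and 1 <= int(vid) <= 4094:
            return int(vid)
    return None

def port_vlan(accepted: bool, avps: list, auth_vid: int, unauth_vid):
    """Server-assigned VLAN if the Accept carries one (second option), else the static
    authenticated VLAN (first option); a rejected client gets the unauthenticated
    VLAN, or stays blocked (None) when none is configured."""
    if not accepted:
        return unauth_vid
    vid = radius_vlan(avps)
    return auth_vid if vid is None else vid

def tunnel_avp(atype: int, tag: int, value) -> bytes:
    """Encode one tagged tunnel attribute (int -> 3 bytes, str -> ASCII)."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode("ascii")
    return bytes([atype, 3 + len(body), tag]) + body

# Constructed Access-Accept attribute bytes for an employee placed in VLAN 30.
EMPLOYEE_ACCEPT = (tunnel_avp(TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN)
                   + tunnel_avp(TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_IEEE_802)
                   + tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, 0, "30"))
```

With a static guest VLAN of 20 and an unauthenticated VLAN of 99, an employee's Accept yields VLAN 30, a guest's Accept without tunnel attributes yields 20, and a failed login yields 99.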