Security Solutions
3-141
Designing Access Controls
Lay Out the Network
The NAC policies you enforce in the wired private zone might be more
stringent than those in public zones. Users in the private zone typically have
greater access to network resources, so you have more to protect in this zone.
The NAC policies also provide opportunities to enforce company policies that
might otherwise be ignored.
For the endpoint integrity testing method, either the NAC EI agent or the
agentless method is suitable. You might choose the agentless method if all
endpoints are members of a Windows domain.
VLAN Assignment and Other Dynamic Settings. A successfully authenticated user is assigned to the user VLAN specified for that user in RADIUS server policies. As you now know, IDM makes it easy to create policies for VLAN assignments and other rights, and these rights can be based on criteria beyond identity.
An unauthenticated user is either denied all access or placed on the unauthenticated VLAN.
Note In an 802.1X environment, unauthenticated users receive access to the unauthenticated VLAN as soon as they plug into a port. In contrast, unauthenticated users in a MAC-Auth or Web-Auth environment have access to the unauthenticated VLAN only after failing the authentication process.
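As an added example (not code from the guide), the following Python models the port VLAN decision described above and in the note: the user VLAN is taken from the RADIUS Access-Accept, and unauthenticated clients reach the unauthenticated VLAN at different moments depending on the access method. It assumes the RADIUS server signals the VLAN with the standard RFC 3580 tunnel attributes, and the fallback to the port's static VLAN when no valid attributes arrive is also an assumption.

```python
# Added example (not from the guide): models the port VLAN decision
# described above. Assumption: the RADIUS Access-Accept carries the
# RFC 3580 attributes Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6)
# and Tunnel-Private-Group-ID=<VLAN ID>; numeric VLAN IDs only here.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed sample Access-Accept, decoded into a dict of attribute values.
SAMPLE_ACCEPT = {
    "Tunnel-Type": TUNNEL_TYPE_VLAN,
    "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
    "Tunnel-Private-Group-ID": "20",
}


def user_vlan_from_accept(attrs):
    """Return the user VLAN ID signalled by an Access-Accept, or None when
    the tunnel attributes are absent, inconsistent or out of range.
    A port should then fall back to its static VLAN rather than guess."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE_802:
        return None
    raw = str(attrs.get("Tunnel-Private-Group-ID", ""))
    if not raw.isdigit():
        return None
    vlan = int(raw)
    return vlan if 1 <= vlan <= 4094 else None


def port_vlan(method, state, static_vlan, unauth_vlan=None, accept_attrs=None):
    """Decide the VLAN a port is placed in.
    method: "802.1X", "MAC-Auth" or "Web-Auth"
    state:  "link-up" (no authentication attempt yet), "success" or "failure"
    unauth_vlan: VLAN for unauthenticated users; None means deny all access
    Returns a VLAN ID, or None when the user gets no access at all."""
    if state == "success":
        assigned = user_vlan_from_accept(accept_attrs or {})
        # Assumption: no valid VLAN attributes -> port keeps its static VLAN
        return assigned if assigned is not None else static_vlan
    if state == "failure":
        return unauth_vlan
    # Link-up with no authentication yet: per the note above, only an
    # 802.1X port puts the client on the unauthenticated VLAN immediately;
    # MAC-Auth and Web-Auth ports grant nothing until an attempt fails.
    return unauth_vlan if method == "802.1X" else None
```

Rejecting an Access-Accept whose tunnel attributes are incomplete or out of range keeps a misconfigured RADIUS policy from silently landing a user in an unintended VLAN.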
Choose Switches. As in the public wired zone, the private wired zone
features direct wired connections between users and switches, which are the
PEPs. For this zone, you should choose a switch that supports 802.1X access
and allows dynamic reconfiguration of ports. (See Table 3-114.)
If you expect your network to grow, a chassis switch such as the 5300xl or 5400zl is often a good choice. Both of these switches support 802.1X authentication and dynamic access settings.