Designing Access Controls
Choose the Endpoint Integrity Deployment Method
traffic mirroring, traffic can be mirrored from a local switch to a remote switch. This gives you greater flexibility in placing your NAC 800 in an 802.1X deployment. (For more information, see “NAC 800 as the RADIUS Server” on page
For the DHCP deployment method, you must be using DHCP, which should not be a barrier for a network of any size.
The inline deployment method requires no specific capabilities on the network infrastructure devices; it does require, however, a network design with stra- tegic choke points at which the NAC 800 can be placed. For this reason, the inline deployment method is usually used to test remote endpoints in conjunc- tion with another deployment method for local endpoints.
Example
Considering only the capabilities and layout of the existing network infrastruc- ture, the PCU network administrators select the deployment methods shown in the first row below. (All existing switches and APs support 802.1X, and switches support mirroring.)
Again, however, the administrators remember the overriding
Table 3-38. Deployment Method by Existing Network Infrastructure
Factor | Private Wired | Public Wired | Private | Public Wireless | Remote |
|
|
| Wireless |
|
|
|
|
|
|
|
|
Existing network | 802.1X | 802.1X | 802.1X | 802.1X | Inline |
infrastructure |
|
|
|
|
|
Existing network | 802.1X | DHCP | 802.1X | DHCP | Inline |
|
|
|
|
| |
control method is considered |
|
|
|
|
|
|
|
|
|
|
|
Connection Type
Connection type is usually a factor only if you have remote connections. The inline deployment method is ideal for these remote connections because incoming traffic typically enters the network through one point only: the edge router or VPN gateway. (As mentioned earlier, it is also possible to use inline for wireless networks, although it is not typically recommended.)
