Designing Access Controls
Choose RADIUS Servers
4. Does your organization already use IAS for other functions?
If you already use IAS, there is probably no strong reason to use a different server for RADIUS functions. But if your organization does not currently use IAS, the NAC 800 may be a better choice for your RADIUS needs.
5. Have you decided to enforce endpoint integrity with the 802.1X deployment method? Or do you plan to introduce endpoint integrity in the future?
The NAC 800 should be your RADIUS server. See “RADIUS Servers in a Network With Endpoint Integrity (802.1X Quarantining)” on page
6. Do you prefer a hardware appliance to a software solution?
The NAC 800 can act as a RADIUS server without enforcing endpoint integrity. You might prefer this hardware appliance for several reasons. For example, you might not have a server to devote to RADIUS, or servers might be outside of your control.
RADIUS Servers in a Network With Endpoint Integrity (802.1X Quarantining)
Typically, the NAC 800 should act as the RADIUS server in a network that uses endpoint integrity with 802.1X quarantining.
However, if you already use IAS as the RADIUS server, you might continue to do so. This option simplifies management when you do not use IDM. If you do use IDM, it is probably easier to use the NAC 800 as the RADIUS server.
IAS as the RADIUS Server
See “RADIUS Servers in a Network Without Endpoint Integrity” on page
On each IAS server, you must download and install
The number of NAC 800s that you deploy depends on the number of endpoints that must be tested. Each NAC 800 acting as a Combination Server (CS) can test up to 3000 endpoints. To test more endpoints, deploy a NAC 800 Management Server (MS) and multiple NAC 800 Enforcement Servers (ESs). Each ES can test up to 3000 endpoints.