
Designing Access Controls
Lay Out the Network
Access Control Method. For truly public environments, 802.1X is generally not used because each computer must run 802.1X supplicant software. Providing and administering supplicant software for guest users is cumbersome and expensive enough to make
Workstations that belong to the organization can authenticate with either the
Members of the public bring laptops, which are plugged into switch ports and authenticate with
Guest Access. Depending on how public your public wired zone is, you may not want to have to inform guests of the correct credentials. You have several options:
■You can create an unauthenticated VLAN that grants limited access to users that fail to authenticate.
■You can customize the
VLAN Assignment and Other Dynamic Settings. You can set up the VLAN assignment in two ways:
■The switch dynamically configures the port of a successfully authenticated MAC address or user for the authenticated VLAN. You set the authenticated VLAN ID statically, and it applies to all authenticated users and devices.
This option may be suitable for the public wired zone because all guests receive the same level of access. However, if an employee attempts to use the port, he or she will also receive guest access.
■When the RADIUS server authenticates a user (or MAC address) successfully, it dynamically assigns the user to a VLAN by changing the configuration of the switch port.
This option provides more flexibility: different types of users can connect to the port and receive different rights. In addition, you can assign other dynamic settings, such as ACLs and rate limits.
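The following is an added example, not code from the original text or from any switch or RADIUS vendor, that shows both VLAN assignment options above together with the unauthenticated VLAN described under Guest Access. The RADIUS side builds the standard dynamic VLAN attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN ID, as defined in RFC 3580 using the tagged attribute format of RFC 2868). The switch side parses them and decides which VLAN a port ends up in. The VLAN numbers (900 for guests, 10 for employees), the PortConfig structure and the fallback to the static authenticated VLAN when an Access-Accept carries no usable VLAN attributes are assumptions made for the example; real switches differ in that last case, and you should check what yours does.

```python
"""Added example: static vs. RADIUS-assigned VLANs on an 802.1X / MAC-auth port."""
import struct
from dataclasses import dataclass
from typing import Optional

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs.
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute-value pair: Type (1), Length (1, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one Tag octet followed by a 3-octet value."""
    return encode_avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: one Tag octet (0x00..0x1F) followed by the string."""
    return encode_avp(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_assignment_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """Attributes a RADIUS server puts in Access-Accept to assign a VLAN."""
    return (encode_tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_avps(data: bytes) -> list:
    """Split a RADIUS attribute section into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def radius_vlan(avps) -> Optional[int]:
    """Return the VLAN ID from a consistent Tunnel-* triple, or None if absent/malformed."""
    by_tag: dict = {}
    for attr_type, value in avps:
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue                       # malformed, ignore
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: the first octet is a tag only if it is 0x00..0x1F;
            # otherwise the whole field is the group ID (untagged).
            if value and value[0] <= 0x1F:
                tag, group_id = value[0], value[1:]
            else:
                tag, group_id = 0, value
            by_tag.setdefault(tag, {})[attr_type] = group_id
    for attrs in by_tag.values():
        if (attrs.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in attrs):
            group_id = attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if group_id.isdigit() and 1 <= int(group_id) <= 4094:
                return int(group_id)
    return None


@dataclass
class PortConfig:
    """Assumed port settings; names are this example's, not any vendor's CLI."""
    auth_vlan: int                   # statically configured authenticated VLAN
    unauth_vlan: Optional[int]       # unauthenticated VLAN; None = leave port blocked
    use_radius_vlan: bool            # honour the RADIUS-assigned VLAN (option 2)?


def port_vlan(cfg: PortConfig, accepted: bool, avps=()) -> Optional[int]:
    """VLAN the port is placed in after an authentication attempt (None = blocked)."""
    if not accepted:
        return cfg.unauth_vlan         # Guest Access: limited VLAN on auth failure
    if cfg.use_radius_vlan:
        assigned = radius_vlan(avps)
        if assigned is not None:
            return assigned            # option 2: VLAN chosen per user by RADIUS
    return cfg.auth_vlan               # option 1 (or assumed fallback): static VLAN


def demo() -> dict:
    """Constructed scenario: guest VLAN 900, employee VLAN 10 (numbers are assumptions)."""
    static_port = PortConfig(auth_vlan=900, unauth_vlan=900, use_radius_vlan=False)
    dynamic_port = PortConfig(auth_vlan=900, unauth_vlan=900, use_radius_vlan=True)
    employee_accept = parse_avps(vlan_assignment_attrs(10))
    return {
        "employee_on_static_port": port_vlan(static_port, True, employee_accept),
        "employee_on_dynamic_port": port_vlan(dynamic_port, True, employee_accept),
        "failed_auth": port_vlan(dynamic_port, False),
        "accept_without_vlan": port_vlan(dynamic_port, True, []),
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth checking on real equipment: first, radius_vlan() only accepts the VLAN when all three tunnel attributes agree on the same tag and the medium type is IEEE-802, since a Tunnel-Private-Group-ID without a matching VLAN Tunnel-Type is not a VLAN assignment; second, the switch must only accept these attributes from a RADIUS server whose shared secret it holds, because the Access-Accept's Response Authenticator (which covers the attributes) is the only thing stopping a spoofed reply from moving a guest port into the employee VLAN.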