Designing Access Controls

Lay Out the Network

correct EAP type. You should balance the greater security of 802.1X against the increased number of support calls the IT staff may need to field. If guests are only accessing the Internet, 802.1X is probably unnecessary.

MAC-Auth is often unfeasible for a public wireless zone for two reasons:

This zone usually consists of a changing pool of endpoints, often controlled by outsiders. Tracking the MAC addresses may be difficult or impossible.

Hackers can easily discover valid MAC addresses by snooping wireless traffic: source and destination MAC addresses are carried in the clear in 802.11 frame headers even when the payload is encrypted, and a discovered address can then be spoofed on the attacker's own adapter.

For these reasons, Web-Auth is the most common access control method for public wireless zones. Any user is allowed to connect to the wireless network; however, the user cannot reach private resources or the Internet until he or she has opened a Web browser and entered valid credentials in a login page. Until then, only the login page itself (and any resources you explicitly allow) is reachable.

Guest Access. You have several options for granting guests in the public wireless zone access to the network without having to inform them of credentials:

For any AP, you can customize the Web-Auth login page to display a valid username and password for guests. Note that the login step then no longer authenticates anyone; it only ensures that guests pass through the portal (for example, to accept an acceptable-use notice) before gaining access.

If you are using the Wireless Edge Services Module, you can add the resources for unauthenticated users to an Allow list. You can specify up to 10 IP addresses on this list; choose another option if guests will require more resources.

If you are using the AP 420 or AP 530, Web-Auth is enforced on the switch to which the AP connects, so the switch option applies: an unauthenticated VLAN that grants limited access to users who fail to authenticate.
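The following model, added here as an illustration and not code from the HP manual or the Wireless Edge Services Module, shows the enforcement behaviour described above for Web-Auth and the guest-access options: any client may associate, unauthenticated traffic is dropped except toward the login portal and a small Allow list (capped at 10 IP addresses, as stated for the module), unauthenticated HTTP is redirected to the login page, and a successful login opens full access. The portal address, the credential store, and the client identifiers are assumptions constructed for the example.

```python
"""Toy Web-Auth enforcement model for a public wireless zone.

Illustrative only; this is not the vendor's implementation. It models the
policy a Web-Auth enforcement point applies before and after a client logs in.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ALLOW_LIST = 10          # pre-authentication Allow list limit, per the manual
PBKDF2_ROUNDS = 100_000      # assumption: how the example stores portal credentials


@dataclass
class WebAuthEnforcer:
    portal_ip: str                                  # assumption: address of the login page
    allow_list: set[str] = field(default_factory=set)
    authenticated: set[str] = field(default_factory=set)  # client identifiers, e.g. MACs
    _creds: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)

    def add_allowed_resource(self, ip: str) -> bool:
        """Add a resource unauthenticated clients may reach; refuse past the cap."""
        if ip in self.allow_list:
            return True
        if len(self.allow_list) >= MAX_ALLOW_LIST:
            return False
        self.allow_list.add(ip)
        return True

    def add_user(self, username: str, password: str) -> None:
        """Store a salted PBKDF2 hash rather than the plaintext password."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._creds[username] = (salt, digest)

    def login(self, client: str, username: str, password: str) -> bool:
        """Credential check from the login page; marks the client authenticated on success."""
        salt, digest = self._creds.get(username, (b"\x00" * 16, b"\x00" * 32))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # Always hash, and compare in constant time, so unknown users and wrong
        # passwords are indistinguishable to a timing observer.
        if username in self._creds and hmac.compare_digest(candidate, digest):
            self.authenticated.add(client)
            return True
        return False

    def decide(self, client: str, dst_ip: str, dst_port: int) -> str:
        """Per-packet decision: 'allow', 'redirect' (HTTP to the login page) or 'deny'."""
        if client in self.authenticated:
            return "allow"
        if dst_ip == self.portal_ip or dst_ip in self.allow_list:
            return "allow"
        if dst_port == 80:
            return "redirect"
        return "deny"


def demo() -> list[str]:
    """Walk one guest through the portal; returns the sequence of decisions."""
    enforcer = WebAuthEnforcer(portal_ip="10.0.0.1")           # constructed
    enforcer.add_user("guest", "welcome1")                       # constructed
    enforcer.add_allowed_resource("192.0.2.10")                  # e.g. a DNS server
    client = "aa:bb:cc:dd:ee:ff"                                 # constructed MAC
    decisions = [
        enforcer.decide(client, "203.0.113.5", 443),   # Internet before login: deny
        enforcer.decide(client, "203.0.113.5", 80),    # HTTP before login: redirect
        enforcer.decide(client, "192.0.2.10", 53),     # Allow-listed resource: allow
    ]
    enforcer.login(client, "guest", "wrong-password")  # rejected, no state change
    decisions.append(enforcer.decide(client, "203.0.113.5", 443))   # still deny
    enforcer.login(client, "guest", "welcome1")
    decisions.append(enforcer.decide(client, "203.0.113.5", 443))   # now allow
    return decisions


if __name__ == "__main__":
    print(demo())
```

Note that the authenticated set is keyed on the client's MAC address, which is exactly the identifier the previous section says an attacker can sniff and spoof; this is why Web-Auth on an open network limits unauthorized use rather than preventing it, and why encryption (next) still matters.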

Encryption. Often, public wireless zones do not provide encryption at all. However, as you learned in Chapter 1: “Access Control Concepts,” you might add encryption for higher security despite the fact that the guests must then enter another password.

Endpoint Integrity. There are many reasons to enforce endpoint integrity in a public wireless zone: you do not know what malware the endpoints have picked up on another network, nor what they may continue to collect if they are unpatched or not running a firewall. However, you should take care to set policies that a guest can reasonably be expected to meet: for example, being free of viruses and other malware, rather than running a specific corporate agent.

HP Access Control Client Software manual Designing Access Controls