HP Access Control Client Software manual Access Control Rights-Dynamic Settings, VLANs


Access Control Concepts

Network Access Control Technologies

Access Control Rights—Dynamic Settings

The overview of “Authorization” on page 1-8 gave a few examples of how rights are assigned and enforced. Let’s now look in more detail at ways to control users’ access after they connect.

Keep in mind that you can set up these access controls in one of two ways:

Manually

Dynamically as a part of the AAA architecture—This guide will focus on this option.

VLANs

VLANs divide users and other network devices into separate Layer 2 broadcast domains, each isolated from the others at Layer 2; they are a fundamental way to group and control users. Because each VLAN normally maps to its own IP subnet, traffic cannot cross a VLAN boundary unless a router (or Layer 3 switch) forwards it, and that router can filter the inter-VLAN traffic with ACLs. Note that the isolation is only as strong as the switch and router configuration that enforces it: the ACLs at the routing boundary are what turn a VLAN from a grouping into an access control.

Traditionally, users are assigned to VLANs statically. That is, each user has a single port at which he or she is expected to remain, and it is the port, not the user, that is assigned to the VLAN. If the user accesses the network through a different port, he or she might be in a different VLAN. And in a wireless network, all users that access the WLAN find themselves in the same VLAN.

The traditional model is no longer adequate for many networks because users access the network through many different ports. For example, although employees often connect to the network from the port at their desk, they might also connect from conference rooms or even a remote location. In addition, an AP, in the revolving-door wireless world, funnels a constantly shifting group of users to a single switch port.

Your access control design and your VLAN design are linked because the network access control solution lets ports join VLANs dynamically. When a user is authorized to connect to the network, the authentication server also decides which VLAN that user belongs in and returns it with the authorization (in RADIUS, as the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes in the Access-Accept), and the PEP, the switch or AP port the user connected through, places the user in that VLAN.

Here is another advantage of dynamic VLANs: you can create rules to assign users to different VLANs under various conditions. For example, you might create one VLAN for users accessing the network during work hours and a different VLAN for after-hours access.
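The following is an added illustration of the model just described, not code from HP's guide or its software. It shows the two halves of a dynamic VLAN assignment: the authentication server mapping an authenticated user to a VLAN (with a different VLAN, or no access, outside work hours), and the PEP validating what the server returned before moving the port. The attribute names and numeric values are the standard RADIUS tunnel attributes used for VLAN assignment (RFC 3580); the users, groups, VLAN numbers, and work-hours window are constructed for the example.

```python
# Added example for the dynamic-VLAN model described above; not code from
# HP's guide. The attribute names and numbers are the standard RADIUS tunnel
# attributes used for VLAN assignment (RFC 3580). The users, groups, VLAN
# numbers and work-hours window are constructed for illustration.
from datetime import datetime, time

TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type value meaning "IEEE 802"

# Constructed directory: the server knows group membership, not VLANs.
USERS = {"alice": "engineering", "bob": "contractor"}

# Constructed policy: VLAN per group, and a different (or no) VLAN after hours.
POLICY = {
    "engineering": {"work": 10, "after_hours": 20},
    "contractor":  {"work": 30, "after_hours": None},  # no after-hours access
}
WORK_START, WORK_END = time(8, 0), time(18, 0)


def authorize(username, now):
    """Authentication server: decide the VLAN for an authenticated user.

    Returns the VLAN attributes to put in the Access-Accept, or None when
    the server should send Access-Reject instead.
    """
    group = USERS.get(username)
    if group is None:
        return None
    period = "work" if WORK_START <= now.time() < WORK_END else "after_hours"
    vlan = POLICY[group][period]
    if vlan is None:
        return None
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def apply_on_port(attrs, configured_vlans):
    """PEP (switch or AP): validate the server's answer before moving the port.

    Returns the VLAN ID to assign, or None meaning "do not open the port".
    A missing, malformed or unknown VLAN must not leave the port in the
    switch's default VLAN, which would quietly grant broader access.
    """
    if attrs is None:
        return None
    if (attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
            or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE_802):
        return None
    raw = attrs.get("Tunnel-Private-Group-ID", "")
    # Some servers return a VLAN name here; this PEP only accepts numeric IDs.
    if not raw.isdigit():
        return None
    vlan = int(raw)
    if not 1 <= vlan <= 4094 or vlan not in configured_vlans:
        return None
    return vlan


def connect(username, now, configured_vlans):
    """End to end: the VLAN the port ends up in, or None if access is refused."""
    return apply_on_port(authorize(username, now), configured_vlans)


if __name__ == "__main__":
    switch_vlans = {10, 20, 30}  # VLANs this switch actually carries
    for user, when in [("alice", datetime(2024, 3, 4, 10, 0)),
                       ("alice", datetime(2024, 3, 4, 22, 0)),
                       ("bob", datetime(2024, 3, 4, 22, 0)),
                       ("mallory", datetime(2024, 3, 4, 10, 0))]:
        print(user, when.time(), "->", connect(user, when, switch_vlans))
```

The point of `apply_on_port` is the check a real PEP must make: if the server's answer is missing, names a VLAN the switch does not carry, or is otherwise malformed, the port stays closed rather than falling back to the switch's default VLAN. Real switches differ on whether they accept a VLAN name as well as an ID in Tunnel-Private-Group-ID, so match the server's policy to what the PEP is configured to accept.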

1-33
