<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: NAC wireless options in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846384#M815664</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Consider the following design guidelines when implementing NAC with a CAS: &lt;/P&gt;&lt;P&gt;Use different SSIDs for employees and guest wireless users &lt;/P&gt;&lt;P&gt;Use 802.1X authentication and strong encryption (WPA with TKIP/MIC or WPA2 with AES) for the internal users &lt;/P&gt;&lt;P&gt;Use fast secure roaming for internal users (CCKM required, available with LEAP and EAP-FAST) &lt;/P&gt;&lt;P&gt;Establish open authentication for guest and broadcast the guest SSID &lt;/P&gt;&lt;P&gt;Use the controller to terminate the wireless traffic on a guest wireless LAN interface &lt;/P&gt;&lt;P&gt;Specify DHCP address assignment option for the guest wireless LAN interface to allow only clients with DHCP addresses (and not static IP addresses) to receive traffic &lt;/P&gt;&lt;P&gt;Apply security policies to the wireless traffic on the wireless LAN interface guest &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 18 Sep 2007 20:19:25 GMT</pubDate>
    <dc:creator>umedryk</dc:creator>
    <dc:date>2007-09-18T20:19:25Z</dc:date>
    <item>
      <title>NAC wireless options</title>
      <link>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846383#M815652</link>
      <description>&lt;P&gt;I'm aware of two options to deploy NAC in a wireless network - Real IP and virtual gateway&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Which one is more commonly deployed? Are there any advantages or disadvantages of either of these?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 09:40:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846383#M815652</guid>
      <dc:creator>ciscors</dc:creator>
      <dc:date>2020-02-21T09:40:56Z</dc:date>
    </item>
    <item>
      <title>Re: NAC wireless options</title>
      <link>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846384#M815664</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Consider the following design guidelines when implementing NAC with a CAS: &lt;/P&gt;&lt;P&gt;Use different SSIDs for employees and guest wireless users &lt;/P&gt;&lt;P&gt;Use 802.1X authentication and strong encryption (WPA with TKIP/MIC or WPA2 with AES) for the internal users &lt;/P&gt;&lt;P&gt;Use fast secure roaming for internal users (CCKM required, available with LEAP and EAP-FAST) &lt;/P&gt;&lt;P&gt;Establish open authentication for guest and broadcast the guest SSID &lt;/P&gt;&lt;P&gt;Use the controller to terminate the wireless traffic on a guest wireless LAN interface &lt;/P&gt;&lt;P&gt;Specify DHCP address assignment option for the guest wireless LAN interface to allow only clients with DHCP addresses (and not static IP addresses) to receive traffic &lt;/P&gt;&lt;P&gt;Apply security policies to the wireless traffic on the wireless LAN interface guest &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 18 Sep 2007 20:19:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846384#M815664</guid>
      <dc:creator>umedryk</dc:creator>
      <dc:date>2007-09-18T20:19:25Z</dc:date>
    </item>
    <item>
      <title>Re: NAC wireless options</title>
      <link>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846385#M815676</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1) should i still pass guest traffic through the cas?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2) do you typically match roles to AD groups for authentication?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;3) do i define access lists on core switch or the cas itself?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;thx a lot&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 18 Sep 2007 20:24:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846385#M815676</guid>
      <dc:creator>ciscors</dc:creator>
      <dc:date>2007-09-18T20:24:22Z</dc:date>
    </item>
    <item>
      <title>Re: NAC wireless options</title>
      <link>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846386#M815688</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Rajiv,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Two ideas to keep in mind:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1. When you are implementing wireless and the NAC Appliance, the CAS must be deployed in-band. This currently is the only supported option.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If your plan is use use H-REAP. This protocol is not currently supported by NAC in either In-band or Out-of-Band deployments. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In an in-band deployment, the NAC Appliance server is always inline with user traffic-before, during, and after authentication, posture assessment, and remediation. The CAS securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared, or per-user bandwidth, or using time-based sessions and heartbeat controls.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To answer your other questions:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Matching roles to AD groups is a good idea for authentication.&lt;/P&gt;&lt;P&gt;You would define ACLs on the router and not on the CAS. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Paul&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 04 Oct 2007 16:30:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846386#M815688</guid>
      <dc:creator>pmccubbin</dc:creator>
      <dc:date>2007-10-04T16:30:35Z</dc:date>
    </item>
    <item>
      <title>Re: NAC wireless options</title>
      <link>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846387#M815711</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1) Why do you suggest defining ACL's on the router and not the CAS? The CAS can catch traffic before it gets to the router&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2) I'm a little confused about authentication. Should I bother authenticating at the controller level using 802.1x or simply use static WPA2 keys? The CAS will then authenticate the user using back-end AD&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 05 Oct 2007 13:43:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-wireless-options/m-p/846387#M815711</guid>
      <dc:creator>ciscors</dc:creator>
      <dc:date>2007-10-05T13:43:08Z</dc:date>
    </item>
  </channel>
</rss>

