I have a customer with 5 small remote locations ~ 10 users at each site. They are connected to HQ over a managed MPLS VPN solution.
HQ consists of a single 4507R that serves ~150 users and has multiple internal segments for HR, Sales, etc.
The customer would prefer to have a single NAC server and manager located in the data center for simplified management and access. However, based on their design, I have recommended a NAC server at each site and one for HQ, running in OOB mode.
Can someone please provide some insight on this setup? My thinking is that running L3 inline mode for all of the remote sites and HQ would be too complex to configure and manage. By placing a NAC server at each remote site, I can run OOB and simplify the configuration across the network.
This is probably not too bright, but if you can aggregate all the remote traffic in front of a CAS, you could do an out-of-band virtual gateway type config. I would imagine, though, that there might be issues with latency across WAN links that might make a layer 3 implementation a better choice.