Survey the Network
4-10 Design Planning
In this case, the thick AP deployment falls into the category of non-intelligent edge devices with the same NAC implementations as a non-intelligent wired edge. These non-intelligent APs must be configured with inline NAC, positioning the NAC Controller at a strategic point in the network upstream from the non-intelligent APs where it will implement the authentication and authorization of connecting end-systems.
Thin Wireless Deployments
For thin wireless deployments, the wireless switch usually supports the authentication and authorization of the wireless end-systems connected to the APs on the network. Therefore, thin wireless deployments can be configured with out-of-band NAC using the NAC Gateway, with the authentication and authorization implemented on the wireless switch. If the wireless switch does not support dynamic VLAN assignment via RFC 3580, inline NAC may be used by positioning the NAC Controller behind the wireless switch to implement the authentication and authorization of wireless end-systems.
Remote Access WAN
In many enterprise networks, larger remote sites are connected to the main network site over a WAN connection, affording remote users access to corporate resources. If the remote sites are composed of intelligent edge devices supporting the authentication and authorization of the remotely connected end-systems, then the NAC Gateway can be utilized in the deployment of out-of-band NAC. The NAC Gateway may be positioned either locally at the remote site (which may not be practical) or at the main site of the enterprise network. Either way, the NAC Gateway leverages the authentication and authorization capabilities of the switches in the remote site to implement network access control for remote users.
If the NAC Gateway is implemented at the main site, then it is important to consider what impact a WAN link disconnection would have on the NAC process and remote end-system connectivity. It is recommended that switches in remote sites be configured with a default VLAN or policy that will be applied to the end-system in the case that connectivity to the main site goes down.
If the remote sites are composed of non-intelligent switches, then the NAC Controller can be strategically positioned inline with traffic sourced from remote end-systems to implement the authentication and authorization of these devices. The NAC Controller is most often positioned at the central site's WAN connection to the remote sites. In this configuration, the NAC Controller is able to implement NAC for multiple remote sites, which is important when you consider that some remote sites may have only a few end-systems concurrently connected.
Site-to-Site VPN
In multi-site enterprise environments, it is common to have a VPN concentrator located at the main site connecting to remote sites via a VPN tunnel. Similar to the remote access WAN scenario, the implementation of out-of-band or inline NAC depends on the capabilities of the edge switches located at the remote site. If the remote sites are composed of intelligent edge switches, then the NAC Gateway can be positioned at the main site to implement out-of-band NAC. If the remote sites are composed of non-intelligent edge switches, then the NAC Controller can be positioned behind the VPN concentrator that provides site-to-site VPN connectivity. It is important to note that the NAC Controller must see the actual IP address of the end-system when an end-system's traffic traverses it. Therefore, a downstream device from the NAC Controller cannot implement many-to-one NAT or reverse proxy VPN, so that the IP address of the end-system is preserved at the point that the traffic traverses the NAC Controller.
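The thick AP, Remote Access WAN and Site-to-Site VPN sections above all apply the same placement rules: intelligent edges get out-of-band NAC through the NAC Gateway, non-intelligent edges get an inline NAC Controller, a Gateway at the main site needs a fallback VLAN or policy at each remote site, and nothing between the end-systems and an inline Controller may hide their real IP addresses. The following is an added example, not code from the design guide: a small checker that applies those rules to a constructed site inventory so that a design review can flag the two pitfalls the text calls out. The `Site` model, its field names and the verdict strings are assumptions made for this example.

```python
"""Added example: apply the NAC placement rules from this section to a site inventory.

The Site model, field names and verdict strings are assumptions made for this
example; the inventory at the bottom is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Site:
    name: str
    intelligent_edge: bool            # edge switches/wireless switch can authenticate and authorize
    reached_via: str                  # "local", "wan" or "vpn" relative to the main site
    fallback_vlan: Optional[int] = None  # default VLAN/policy applied if the main site is unreachable
    path_devices: List[str] = field(default_factory=list)  # devices between end-systems and the NAC Controller


# Downstream functions that would hide the real end-system IP from an inline NAC Controller
ADDRESS_HIDING = {"many-to-one-nat", "reverse-proxy-vpn"}


def plan_site(site: Site) -> Tuple[str, str, List[str]]:
    """Return (mode, placement, warnings) for one site according to the section's rules."""
    warnings = []
    if site.intelligent_edge:
        mode = "out-of-band"
        placement = "NAC Gateway at main site"
        # Gateway at the main site: remote switches need a fallback for a WAN/VPN outage
        if site.reached_via in ("wan", "vpn") and site.fallback_vlan is None:
            warnings.append(
                f"{site.name}: no default VLAN/policy configured for loss of "
                f"connectivity to the main site")
    else:
        mode = "inline"
        if site.reached_via == "vpn":
            placement = "NAC Controller behind the VPN concentrator"
        elif site.reached_via == "wan":
            placement = "NAC Controller at the main site's WAN connection"
        else:
            placement = "NAC Controller upstream of the non-intelligent edge"
        # Inline NAC must see the real source address of each end-system
        hiding = ADDRESS_HIDING.intersection(d.lower() for d in site.path_devices)
        if hiding:
            warnings.append(
                f"{site.name}: {', '.join(sorted(hiding))} between end-systems and the "
                f"NAC Controller hides the end-system IP address")
    return mode, placement, warnings


def plan_network(sites: List[Site]) -> dict:
    """Plan every site; returns a dict keyed by site name."""
    return {s.name: plan_site(s) for s in sites}


# Constructed sample inventory (not from the design guide)
SAMPLE_SITES = [
    Site("HQ", intelligent_edge=True, reached_via="local"),
    Site("Branch-A", intelligent_edge=True, reached_via="wan"),          # missing fallback VLAN
    Site("Branch-B", intelligent_edge=False, reached_via="vpn",
         path_devices=["Many-to-one-NAT"]),                              # NAT hides end-system IPs
    Site("Branch-C", intelligent_edge=False, reached_via="wan"),
    Site("Branch-D", intelligent_edge=True, reached_via="vpn", fallback_vlan=999),
]

if __name__ == "__main__":
    for name, (mode, placement, warnings) in plan_network(SAMPLE_SITES).items():
        print(f"{name}: {mode} via {placement}")
        for w in warnings:
            print("  WARNING:", w)
```

Extending the inventory with real sites turns the checker into a pre-deployment lint; the two warning types correspond directly to the WAN-disconnection and address-preservation cautions in the text.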