We are in the process of setting up a test deployment of 802.1x wired
authentication on our Cisco 3750 edge. Our goal is to eventually authenticate
every port on campus and have the wired and wireless user experience more
consistent.
For our test we are using Cisco's NGS for guest account creation and for the
captive portal fall-back if 802.1x authentication fails. We are using ACS as
our radius server and Active Directory authentication directory. So far this
piece of the test is working as desired. Our next part of the test is to
integrate NAC into the equation. We would like to be able to posture selected
ports (when we see suspicious traffic patterns from a port) and we would like to
have the ability to posture selected subnets periodically (rolling NAC-outs?).
Does anyone have something similar working in their environment? Have you
found a way for the Cisco edge to send the CAM the results of the 802.1x
authentication to allow SSO to work similar to how the WLCs function? What is
the best way to do "rolling NAC-outs" without having to completely restructure
each network every time we want to deploy NAC across a subnet? We don't want
users to have to change IP addresses, so is IB Virtual Gateway our only option?
If any of you can add some insight I would appreciate it.
Thanks,
Michael Simpson
Network Engineer
Utah Valley University