Pete,

>>Are you only planning to secure unused ports with NAC...???

<<For now yes. The scope of the project is to get ports not identified with any particular machine secure. However, on the horizon we do want to at least have the option for all ports to go through the NAC for authentication.

>>The only reason I asked this is if you don't secure all your ports with NAC the potential for an intrusion still exists. A non-employee could simply unplug a workstation, printer, copier etc. and would bypass NAC. You have stated that NAC is not your primary line of defense so perhaps you have this covered.

**************************************************

>>Do you currently have specific VLANs or Subnets for the unused ports/Employees...???

<<No. Right now unused ports are just "on" the network. Employees are segmented into departmental VLANs.

>>I just wanted to make sure that you did not have a flat network. You would be unable to secure only some ports in this type of deployment. Sounds like you have this covered.

**************************************************

>>Is there a reason you want to go OOB...???

<<Right now I guess we want to do that because of scaling. We are a fast growing company and by keeping the traffic out of band we won't overwhelm the CAM. Also if the OOB CAS fails we still want people to log on. This project is one line of defense not a primary line of defense.

>>The reason I asked this is an In-Band deployment is much simpler and easier to deploy and manage. There are trade-offs with any deployment. OOB by nature fails open but requires a lot more planning, setup and administration. IB is easy to set up and administer but can be problematic if CAS/CAM failures occur. I have scripts written which effectively remove NAC from the network. I had a CAM failure a while back and HA failed. I was able to run these scripts at 19 facilities in less than 15 minutes. The key is being prepared. We use SSO and have our CASs set to "Fail Open". The problem is when the CASs can't communicate with the CAM new users are unable to authenticate. Users already authenticated experience no loss of connectivity. I'm not sure what volume of data you have day to day. For example my office has ~150 users running L2 IB and we've never had more than 40% utilization on the CAS ports. All our remote CASs are managed with 1 CAM HA pair. There are 500+ active users at any given time and the CAM is barely taxed. One thing to note is you need to make sure you run VoIP and other data intensive services on a non-NAC managed VLAN.

I hope some of this helps. Let me know if I need to clarify anything.

Chris
