Cisco Systems 4.2 Server User Manual
Configuration Guide for Cisco Secure ACS 4.2, OL-14390-02, page 2-2
Chapter 2 Deploy the Access Control Servers
Determining the Deployment Architecture
This section discusses:
Access types—How users will access the network (through wireless access, LAN access through switches, and so on) and the security protocols used to control user access; for example, RADIUS, EAP-TLS, Microsoft Active Directory, and so on.
Network architecture—How the network is organized (centrally through campus LANs, regional LANs, WLANs, and so on).
This section contains:
Access Types, page 2-2
Placement of the RADIUS Server, page 2-11
Access Types
This section contains:
Wired LAN Access, page 2-2
Wireless Access Topology, page 2-5
Dial-up Access Topology, page 2-9
Wired LAN Access
You can use wired LAN access in a small LAN environment, a campus LAN environment, or a regionally or globally dispersed network. The number of users determines the size of the LAN or WLAN:
Size                     Users
small LAN                1 to 3,000
medium-sized LAN         3,000 to 25,000
large LAN                25,000 to 50,000
very large LAN or WLAN   over 50,000
The wired LAN environment uses the following security protocols:
RADIUS—RADIUS is used to control user access to wired LANs. In broadcast or switch-based Ethernet networks, you can use RADIUS to provide virtual LAN identification information for each authorized user.
EAP—Extensible Authentication Protocol (EAP) provides the ability to deploy RADIUS into Ethernet network environments. EAP is defined by Internet Engineering Task Force (IETF) RFC 2284 and the IEEE 802.1x standards.
The 802.1x standard, also known as EAP over LAN (EAPoL), concerns the part of the wider EAP standard that relates to broadcast media networks. Upon connection, EAPoL provides a communications channel between an end user on a client LAN device and the AAA server through the LAN switch. The functionality is similar to what Point-to-Point Protocol (PPP) servers on point-to-point links provide.
By supporting complex challenge-response dialogues, EAP facilitates the user-based authentication demands both of conventional one-way hashed password authentication schemes such as Challenge Handshake Authentication Protocol (CHAP) and of more advanced authentication schemes such as Transport Layer Security (TLS) or digital certificates.
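As an added illustration (not from the Cisco guide), the following Python shows the two encapsulations the EAPoL description above relies on: it parses the EAPoL frame a switch receives from a client LAN device and then wraps the EAP packet into the RADIUS EAP-Message attributes the switch forwards to the AAA server. The sample frame is constructed here, and the client MAC address is a placeholder.

```python
import struct

ETHERTYPE_EAPOL = 0x888E           # IEEE 802.1X EtherType
EAPOL_TYPE_EAP_PACKET = 0          # other EAPOL types: 1 Start, 2 Logoff, 3 Key
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_EAP_MESSAGE = 79       # RADIUS attribute carrying EAP to the AAA server
RADIUS_ATTR_MAX_VALUE = 253        # 1-byte length field minus the 2-byte attribute header

def parse_eapol(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPoL and return the EAP packet fields inside it."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    info = {"eapol_version": version, "eapol_type": ptype, "eap": None}
    if ptype != EAPOL_TYPE_EAP_PACKET:   # e.g. EAPOL-Start: nothing to forward to AAA
        return info
    if body_len < 4:
        raise ValueError("EAP header missing")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("bad EAP length")
    eap = body[:eap_len]
    info.update(code=EAP_CODES.get(code, code), id=ident, eap=eap)
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type byte
        info["type"], info["type_data"] = eap[4], eap[5:]
    return info

def eap_message_attrs(eap: bytes) -> bytes:
    """Wrap one EAP packet in RADIUS EAP-Message attributes, fragmenting every 253 bytes."""
    out = b""
    for off in range(0, len(eap), RADIUS_ATTR_MAX_VALUE):
        chunk = eap[off:off + RADIUS_ATTR_MAX_VALUE]
        out += struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, len(chunk) + 2) + chunk
    return out

def build_identity_response(ident: int, identity: str) -> bytes:
    """Constructed sample frame (not a capture): EAP Response/Identity inside EAPOL."""
    eap = struct.pack("!BBHB", 2, ident, 5 + len(identity), EAP_TYPE_IDENTITY) + identity.encode()
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    eth = bytes.fromhex("0180c2000003")      # PAE group address used by 802.1X
    eth += bytes.fromhex("001122334455")     # placeholder client MAC address
    return eth + struct.pack("!H", ETHERTYPE_EAPOL) + eapol
```

A real switch would also add a Message-Authenticator attribute and the RADIUS header around these attributes; that part is omitted here.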