So currently at my job, we run no 802.1x or any type of radius/tacacs server. We are still using port security with sticky mac and a max of 3 addresses per port. We are getting cisco ISE in the near future, but that date is still TBD. Our sysadmins refuse to build a radius server for us, so we are stuck with what we got for now.
One of the networks we run has a vlan for people to BYOD. These people have to get their laptops approved to be on our network by our cyber security team, and then their MAC is added to a list and we verify once they connect whether they can have access or not based on the list of MACs.
When we do this, we either go into cisco prime and look at connected clients, or go into each switch and verify macs that way. If we see a MAC not on the list, we shut down the corresponding port it is connected to.
This is a very tedious and time consuming task, so I am wondering if anyone has any suggestions to make this easier? Is there a way I can do a local database on the switch and have it only allow certain mac addresses? We run sort of a "collapsed core" type network, so its access switches > core switch > firewall > IDS > router. Is there a way we could build a database on the core to only allow a specific list of MAC addresses? Or am I stuck doing things this way until we implement a radius/tacacs server?
No comments:
Post a Comment