Sunday, November 29, 2020

Port security - dot1x, MAB, something else?

Hey All,

Looking for some guidance on whether or not to employ a full 802.1X solution or instead opt for something simpler, or something else entirely...

The environment I look after is predominantly Cisco, and has many edge switches in publicly accessible environments. Currently, most edge ports are open and configured with VLANs that are able to access a broad range of system and network resources.

Rather than just shutting down said ports, I'm looking at this as an opportunity to lock down and secure the edge.

Obviously 802.1X comes to mind, but there is some complexity involved in 802.1X, which makes me hesitate. Any complex solution requiring too many man-hours is not what I'm after.

It's important to note my org has an existing ClearPass installation running TACACS for switch mgmt auth. It just needs updating and most likely new licensing.

So, on to my question. Aside from dot1x, and leaning towards MAB: is it possible to simply load all the MACs within our network into ClearPass (endpoints or static host lists) and authenticate via RADIUS/TACACS, while NOT assigning a VLAN from ClearPass, instead using the local VLAN assignment already on the port?

This would provide a level of security while also reducing complexity due to the lack of a MAC > role > VLAN assignment.

Essentially, using MAB as a barrier to accessing the configured VLAN unless authenticated.

I'm struggling to find any info on this particular scenario online.

I'm aware this is not necessarily a water-tight solution regarding security (e.g. MAC spoofing), but I'll reiterate that I want to avoid too much complexity. In my mind it is better than what is in place currently (nothing), and will enable our apps/system guys to add devices via ClearPass (easy) without worrying about upskilling them on switch access/CLI if we were to instead just rely on port-security.

If there is another solution I'm missing, blast me.

Appreciate your thoughts in advance. If I've left out any crucial info, please let me know.
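For reference, the scenario asked about above (MAB against a RADIUS server, with the port's locally configured VLAN staying authoritative) as it would look on a Cisco IOS access switch. This is an added example, not configuration from the post or from ClearPass; the RADIUS server address, shared secret, VLAN number and interface are placeholders, and it assumes the ClearPass MAC-auth service returns a plain Access-Accept with no VLAN (Tunnel-*) attributes.

```cisco
! Global AAA: MAB uses the dot1x method list for authentication.
aaa new-model
aaa authentication dot1x default group radius
! Deliberately NO "aaa authorization network default group radius":
! without it the switch ignores any VLAN / dACL attributes the RADIUS
! server might send, so the port keeps its locally configured VLAN.
!
radius server CLEARPASS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813   ! placeholder
 key REPLACE-WITH-SHARED-SECRET                           ! placeholder
!
! Required globally even when only MAB (no 802.1X supplicants) is used.
dot1x system-auth-control
!
interface GigabitEthernet1/0/5                            ! placeholder
 description Public-area edge port - MAB only, local VLAN
 switchport mode access
 switchport access vlan 20                                ! placeholder, stays authoritative
 ! Port starts unauthorized; traffic (other than EAPOL) is dropped
 ! until the MAC is accepted by the RADIUS server.
 authentication port-control auto
 authentication host-mode single-host
 authentication order mab
 authentication priority mab
 ! Shut down or restrict if a second MAC shows up on a single-host port.
 authentication violation restrict
 mab
 spanning-tree portfast
!
! Verification after a device is connected:
! show authentication sessions interface GigabitEthernet1/0/5
!   -> Method "mab", Status "Authz Success", and the VLAN shown is 20,
!      i.e. the local one; an unknown MAC stays "Unauthorized".
```

The "sessions" output is also the quickest way to confirm that ClearPass did not push a VLAN: if a VLAN other than the locally configured one appears, the enforcement profile is returning Tunnel attributes and "aaa authorization network" has been enabled.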
