Thursday, July 26, 2018

Cisco 9300+ISE - IoT Security

I'm testing out Cisco Cat9300 switches and ISE functionality. One requirement is to configure and test AAA, and determine how secure the configuration is. For IoT devices, we're utilizing DHCP profiling to identify them and place them in a VLAN with a DACL. One thing that bothers me about using DHCP profiling alone for authentication is that it would be very trivial to spoof the MAC/IP of the device and connect to the network, assuming there is no way of enforcing the device to use DHCP. The DACLs will be very restrictive, but I still wonder if I shouldn't take it further than just DHCP profiling, or even bother with DHCP profiling. I'm trying to find a reasonable compromise between security and ease of access/management. Any thoughts?
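One switch-side check for the bypass described in the post, as an added example that is not part of the original post: a small Python script that cross-references ISE's DHCP-derived endpoint profiles against the 9300's DHCP snooping bindings and device-tracking table, and flags an IoT-profiled MAC that is on the wire with no DHCP lease (a static IP, so the profile was never re-validated) or with an IP that differs from its lease. All sample data is constructed and the command output layouts are approximations, not captures from a real switch or ISE deployment.

```python
import re

# Accept colon form (00:11:22:aa:bb:01) and Cisco dotted form (0011.22aa.bb01).
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed sample: ISE endpoint export, MAC -> profile that ISE derived from DHCP attributes.
ISE_ENDPOINTS = {
    "00:11:22:aa:bb:01": "IoT-Camera",
    "00:11:22:aa:bb:02": "IoT-Camera",
    "00:11:22:aa:bb:03": "IoT-Sensor",
}
# Constructed sample of 'show ip dhcp snooping binding' (which MACs actually obtained a lease).
DHCP_SNOOPING_BINDINGS = """\
MacAddress          IpAddress    Lease(sec)  Type           VLAN  Interface
00:11:22:AA:BB:01   10.40.1.11   86400       dhcp-snooping  40    GigabitEthernet1/0/5
00:11:22:AA:BB:03   10.40.1.13   86400       dhcp-snooping  40    GigabitEthernet1/0/7
"""
# Constructed sample of 'show device-tracking database' (what is actually on the wire right now).
DEVICE_TRACKING = """\
    Network Layer Address  Link Layer Address  Interface  vlan  prlvl  age  state      Time left
ARP 10.40.1.11             0011.22aa.bb01      Gi1/0/5    40    0005   3s   REACHABLE  300 s
ARP 10.40.1.99             0011.22aa.bb02      Gi1/0/6    40    0005   1s   REACHABLE  300 s
ARP 10.40.1.50             0011.22aa.bb03      Gi1/0/7    40    0005   4s   REACHABLE  300 s
"""

def normalize_mac(raw):
    """Canonicalize any MAC spelling to lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_ip_table(text):
    """Return {mac: ip} for every line that carries both a MAC and an IPv4 address."""
    table = {}
    for line in text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if mac and ip:  # header and separator lines fail this test and are skipped
            table[normalize_mac(mac.group(0))] = ip.group(0)
    return table

def audit(endpoints, bindings_text, tracking_text):
    """Flag active IoT-profiled endpoints whose on-wire IP is not backed by a DHCP lease."""
    leases, on_wire = parse_mac_ip_table(bindings_text), parse_mac_ip_table(tracking_text)
    findings = []
    for mac, profile in endpoints.items():
        if not profile.startswith("IoT-") or mac not in on_wire:
            continue  # only active devices that were admitted on a DHCP-derived profile
        ip = on_wire[mac]
        if mac not in leases:
            findings.append((mac, "no-dhcp-lease", ip))    # static IP: profile never re-earned
        elif leases[mac] != ip:
            findings.append((mac, "lease-mismatch", ip))   # MAC kept, IP changed after the lease
    return findings
```

Feeding the same three sources from a real environment (an ISE endpoint export plus the two show commands) turns the "trivial to spoof" concern into a scheduled check rather than an assumption; a device that never took a lease is the first thing a spoofed MAC with a static IP looks like.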
