Saturday, July 25, 2020

Implementing Wired 802.1x & MAC-auth. Scared as hell...

So last week I started preparations for implementing 802.1x and MAC-auth on our wired network, and we’re also assigning the VLANs dynamically. We have Aruba access switches and two ClearPass appliances, and with the help of a very skilled consultant the first tests are going really well.

Now, this post isn’t actually about technical issues; it’s more about emotions. I have been a network engineer for over 15 years, and I’m pretty good at my job. When I wanted to connect a device to my network, I configured a switchport in a VLAN, connected the device and everything worked. This is how I’ve done my job for over a decade.

The change that is coming to my infrastructure demands a fundamentally new way of managing the network. All ports have an identical config, I assign devices to VLANs (or “user roles”) in ClearPass, and ClearPass tells the switch how to behave.

To be honest, I am scared as hell of what’s coming. I truly believe that it will all work wonderfully AND that we will benefit from the additional security, but the things that can go wrong just blow my mind. What if my ClearPass servers stop working? What if the computer certificates on the clients get messed up? I find the additional complexity pretty daunting, and I worry about the day things start falling apart and I can’t get them fixed.

Have you been in a similar situation? How do you deal with this kind of change? Any tips and tricks on how to mitigate the risks in this particular case?
