Cisco NAC Device Filtering Question

Answered Question

Cisco NAC provides support for non-reporting devices such as printers, IP phones, UPSs, etc by adding them to a filter list.


This allows these devices to basically bypass the NAC system and just exist on the network.


My question is this. If we exempt these devices from NAC assessment, where is the security in that? What stops someone from putting a printer's MAC address on his laptop?


I can't imagine this issue hasn't been brought up before but I can't seem to find an answer.


Thanks in advance for your response!

Tom

Correct Answer by gojericho0 about 8 years 10 months ago

Yup, thats been a big criticism with the NAC appliance out of the box. There is no way to prevent MAC spoofing. Cisco has a separate appliance called NAC profiler, which solves this problem but it costs extra.


http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806b7d4e.html

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
west-david Wed, 04/23/2008 - 07:43

An approach I have used is to segment IP Phones and printers into dedicated VLANs with ACLs allowing only voice or printing traffic. I then configure the filter to place the device in a user role which assigns that device to the right VLAN (in OOB mode). So, if someone spoofs a printer, they will be assigned to the printing VLAN, which only allows printing traffic. The malicious user can still interfere with devices in that VLAN, but they will not gain full network access. Layers....


This is an issue with 802.1X as well.

Actions

This Discussion