Cisco NAC Device Filtering Question

tom.gill
Level 1

Cisco NAC provides support for non-reporting devices such as printers, IP phones, UPSs, etc., by adding them to a filter list.

This allows these devices to basically bypass the NAC system and just exist on the network.

My question is this. If we exempt these devices from NAC assessment, where is the security in that? What stops someone from putting a printer's MAC address on his laptop?

I can't imagine this issue hasn't been brought up before but I can't seem to find an answer.

Thanks in advance for your response!

Tom


gojericho0
Level 1

Yup, that's been a big criticism with the NAC appliance out of the box. There is no way to prevent MAC spoofing. Cisco has a separate appliance called NAC Profiler, which solves this problem but it costs extra.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806b7d4e.html

Ok. So I'm NOT the only one in the world who thinks this.

:-)

Thanks for the response.

Tom

An approach I have used is to segment IP Phones and printers into dedicated VLANs with ACLs allowing only voice or printing traffic. I then configure the filter to place the device in a user role which assigns that device to the right VLAN (in OOB mode). So, if someone spoofs a printer, they will be assigned to the printing VLAN, which only allows printing traffic. The malicious user can still interfere with devices in that VLAN, but they will not gain full network access. Layers....

This is an issue with 802.1X as well.
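A small Python model of the layered design described above (filter list maps a MAC to a role, the role maps to a VLAN whose ACL permits only that device class's traffic), added here as an example; it is not code from the thread or from Cisco NAC, and the MAC addresses, VLAN numbers, role names and port sets are constructed.

```python
# Added example, not from the thread: models filter list -> user role -> VLAN/ACL.
# A host spoofing a printer MAC lands in the printer VLAN and can only use
# printing protocols; anything else is denied and raised as a spoofing indicator.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed role policy: VLAN per role plus the ports the VLAN ACL permits.
ROLE_POLICY: Dict[str, dict] = {
    "printer": {"vlan": 40, "allowed_ports": {9100, 515, 631}},    # raw, LPD, IPP
    "ip_phone": {"vlan": 50, "allowed_ports": {5060, 5061, 2000}}, # SIP, SCCP
}

# Constructed NAC filter list: exempted MAC -> role it is placed in.
MAC_FILTER: Dict[str, str] = {
    "00:11:22:33:44:55": "printer",
    "aa:bb:cc:dd:ee:01": "ip_phone",
}


@dataclass
class Decision:
    vlan: Optional[int]          # VLAN the device was assigned, None if not filtered
    permitted: bool              # whether the ACL allows this flow
    alerts: List[str] = field(default_factory=list)


def assign_vlan(mac: str) -> Optional[int]:
    """Filter-list lookup: the role's VLAN, or None (device goes through normal NAC assessment)."""
    role = MAC_FILTER.get(mac.lower())
    return ROLE_POLICY[role]["vlan"] if role else None


def evaluate_flow(mac: str, dst_port: int) -> Decision:
    """Apply the role's VLAN ACL to one flow from the device.

    A filtered MAC using a non-role port (a 'printer' talking SMB or SSH) is
    denied and flagged: real printers do not generate that traffic."""
    role = MAC_FILTER.get(mac.lower())
    if role is None:
        return Decision(None, False, ["unfiltered MAC: send to NAC assessment"])
    policy = ROLE_POLICY[role]
    if dst_port in policy["allowed_ports"]:
        return Decision(policy["vlan"], True)
    return Decision(policy["vlan"], False,
                    [f"{mac} (role={role}) used port {dst_port}: possible MAC spoof"])


if __name__ == "__main__":
    # A laptop cloning the printer MAC can still print (9100) but its SMB attempt (445) is denied and logged.
    for port in (9100, 445):
        print(evaluate_flow("00:11:22:33:44:55", port))
```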
