04-15-2008 06:58 AM - edited 02-21-2020 01:58 AM
Cisco NAC provides support for non-reporting devices such as printers, IP phones, UPSs, etc by adding them to a filter list.
This allows these devices to basically bypass the NAC system and just exist on the network.
My question is this. If we exempt these devices from NAC assessment, where is the security in that? What stops someone from putting a printer's MAC address on his laptop?
I can't imagine this issue hasn't been brought up before but I can't seem to find an answer.
Thanks in advance for your response!
Tom
Solved! Go to Solution.
04-15-2008 09:06 AM
Yup, thats been a big criticism with the NAC appliance out of the box. There is no way to prevent MAC spoofing. Cisco has a separate appliance called NAC profiler, which solves this problem but it costs extra.
04-15-2008 09:06 AM
Yup, thats been a big criticism with the NAC appliance out of the box. There is no way to prevent MAC spoofing. Cisco has a separate appliance called NAC profiler, which solves this problem but it costs extra.
04-15-2008 12:10 PM
Ok. So I'm NOT the only one in the world who thinks this.
:-)
Thanks for the response.
Tom
04-23-2008 07:43 AM
An approach I have used is to segment IP Phones and printers into dedicated VLANs with ACLs allowing only voice or printing traffic. I then configure the filter to place the device in a user role which assigns that device to the right VLAN (in OOB mode). So, if someone spoofs a printer, they will be assigned to the printing VLAN, which only allows printing traffic. The malicious user can still interfere with devices in that VLAN, but they will not gain full network access. Layers....
This is an issue with 802.1X as well.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: