Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco NAC Device Filtering Question

Cisco NAC provides support for non-reporting devices such as printers, IP phones, UPSs, etc by adding them to a filter list.

This allows these devices to basically bypass the NAC system and just exist on the network.

My question is this. If we exempt these devices from NAC assessment, where is the security in that? What stops someone from putting a printer's MAC address on his laptop?

I can't imagine this issue hasn't been brought up before but I can't seem to find an answer.

Thanks in advance for your response!

Tom

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Cisco NAC Device Filtering Question

Yup, thats been a big criticism with the NAC appliance out of the box. There is no way to prevent MAC spoofing. Cisco has a separate appliance called NAC profiler, which solves this problem but it costs extra.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806b7d4e.html

3 REPLIES
Bronze

Re: Cisco NAC Device Filtering Question

Yup, thats been a big criticism with the NAC appliance out of the box. There is no way to prevent MAC spoofing. Cisco has a separate appliance called NAC profiler, which solves this problem but it costs extra.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806b7d4e.html

Community Member

Re: Cisco NAC Device Filtering Question

Ok. So I'm NOT the only one in the world who thinks this.

:-)

Thanks for the response.

Tom

Community Member

Re: Cisco NAC Device Filtering Question

An approach I have used is to segment IP Phones and printers into dedicated VLANs with ACLs allowing only voice or printing traffic. I then configure the filter to place the device in a user role which assigns that device to the right VLAN (in OOB mode). So, if someone spoofs a printer, they will be assigned to the printing VLAN, which only allows printing traffic. The malicious user can still interfere with devices in that VLAN, but they will not gain full network access. Layers....

This is an issue with 802.1X as well.

165
Views
5
Helpful
3
Replies
CreatePlease to create content