On 02/03/15 10:37, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Put anything that can't do dot1x in an isolated part of the network and use something like PVLAN.
or work in an enterprise environment and realise you cant just do things like that ;-)
Precisely. Real networks - like real security - are full of compromise, ideally based on an evaluation of cost-benefit. Manually patching thousands of 802.1x-incapable devices to separate switches, and manually maintaining the VLANs on those ports, is not a sensible decision for most organisations. The huge overhead this places on adds/moves/changes, the need to purchase and maintain infrastructure, the cognitive costs involved in dealing with separate infrastructure... the list goes on. In an ideal world, we'd all be using 802.1x on the wired side, it would be immune from a layer2 MITM attack, and it would be using a sensible EAP method, which could provision and update credentials in-band. In the real world, hardly any printers or SCADA devices do 802.1x, wired-side 802.1x can be trivially MITM without MACSEC, and the EAP method all suck. So, people look at the situation and make the quite reasonable decision to just use MAC "auth" and be done with it. And you know what? It works pretty well for extended periods of time, and they conclude - quite correctly - that the additional cost of wired 802.1x provides little additional benefit. It's not like we're all doing authenticated DHCP - so we're all doing "mac auth" in some form....