I know the issues with MAC authentication. The solution Avaya gives us is the best thing we have at the moment for these devices. At least it locks a MAC address to a specific port on the switch and any other port you try the MAC address on will block. And for our company is not very big we think that the changes of anyone hijacking a MAC address on the fixed network in one of the work area's is very small. And the problem is on the agenda, so anything new we buy in the future will not have this problem. Jan Hugo On 03/01/2015 10:37 PM, Adam Bishop wrote:
On 1 Mar 2015, at 20:53, jan hugo prins <jhp@jhprins.org> wrote:
Could you tell me a solution that works where I can integrate devices that don't do 802.1x in an environment where all ports need 802.1x? There isn't one. The issue with using the MAC as a credential is that the credentials for getting on to your network is *literally* stuck to the side of the device for everyone to read (and can be sniffed in seconds using a tap).
It's worse than having open ports, as you end up believing that because you have dot1x on all edge ports you have better security, and also costs you time and money to administer.
Put anything that can't do dot1x in an isolated part of the network and use something like PVLAN.
Thanks,
Adam Bishop
gpg: 0x6609D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html