around radius - printers, ip phones and others

A.L.M.Buxey at A.L.M.Buxey at
Mon Jun 1 10:46:46 CEST 2009


> What do you suggest to do with printers, ip phones and other network devices
> wchich can not support 802.1x ?
> What are you doing to secure this backdoor?
> One idea is to identify such devices by MAC but I think it should be
> something else -
> cause someone can disconnect fi printer - change mac addres on pc on the
> same as printer and welcome home :).
> any suggestions?

fortunately our IP Phones do 802.1x... however, they can be dealt with (see below)

most of our printers can 802.1X these days - however, if you ensure that only
a set of 'print servers' can talk to them - and people print to a print
server rather than directly to the network printer then its quite easy to
put those sockets onto a very restricted network that can only
talk to the print servers - then, when leet haxor changes their MAC address
to 'be the printer' they arent going to have much fun on that network....only
being able to talk to printer-1 and printer-2 isnt what they would like.

likewise, phones only need to talk to the main IP PBX(s) and then to each other.
if you ACL the phone VLANs so they can only talk to each other and nothing else
then who would want to be on the phone network? if its mr haxor wanting to
listen into non encrypted calls then extra protection can be layered on -
port privacy, arp inspection et al.


More information about the Freeradius-Users mailing list