Messages

got an email system for that, using categories in outlook, categorize things I need to work on via email responses, either hot (red), medium (yellow) or low(green) placed in a sub-solder, and rotate through on a first come first serve basis, so when all my hot stuff gets to a point where I can no longer work on stuff, e.g.  waiting on others for something, I start on the medium stuff, then move to the low, I refill the queues first thing, and then again at lunch, after lunch I'll start working on the hot stuff again. don't hit the low queue too often, but then that's the point, it's low priority anyway.

Beautiful. I'm going to start doing this!

[try]

All concepts I'm very familiar with, just never heard of any place that re-profiled devices anywhere near as often as you're doing.

Personally, I prefer to approach it by limiting access to/from the connected endpoint with the idea of minimizing the impact of any endpoints that might get compromised/spoofed/disgruntled employee/etc. I'm also combining that with netflow data to try and identify suspicious behavior. I say try because as always, these things take a massive amount of initial tuning and constant on-going tuning to minimize the number of false positives and false negatives.

I always try to approach NAC and network security in general with the perspective of "how would I protect this network from myself, if I got fired tomorrow" then try to protect against that.

You could always limit the attack footprint of the printer by only allowing HTTP/HTTPS access from printer admins and the NAC NMAP scanner, etc. Perhaps that would allow you to scan less often.

Question about your point where a device/user gains certain network authorization based off of initial device profile then somehow changing it's device profile while still keeping the original network access. I guess I'm failing to see a real world scenario where a NAC product wouldn't already be handling the scenario without re-profiling the device so frequently. Could you elaborate?

Do the scans seem to have a cumulative effect on the printers? Meaning, is the problem only during an NMAP scan or does it persist even after the scan is complete?

I do the same thing with printers, including HP printers. Never noticed nor heard of any issues related to it though. But I'm not scanning the printers very often either.

I'm curious. Why are you fighting this battle with them?

Very interesting. I'd like a copy if you don't mind. I already have some ideas to customize it already.

They've probably been part of a botnet for awhile now.

My new frustration - In a load balancing configuration what would you think src-ip-hash option would do? Would you change your mind if I told you there was also an option called src-ip-only-hash? Just like taking a multiple choice test. Read all the answers and pick the most correct one.

I can see how that might cause a lot of people to use the wrong one.

The problem with the multiple choice test is if you don't know all the available options, someone might think they were making up fake options to throw them off.

I got my hands on APIC-EM with the IWAN app for an IWAN deployment. It was a horrible mess at the time, about 1.5 years ago. I've been following the release notes and might upgrade to the latest version and play around with it again soon.

ISE can do a lot of things, if you can narrow down what it is your organization is going to do with ISE it'll be easier to get up to speed. Are you getting ready for 802.1x deployment, are you needing to setup just guest wireless at the moment, or you just needing to learn the ACS replacement portion?

I would STRONGLY recommend a third-party 802.1X supplicant for Windows. The one Microsoft ships is NOT production-ready.

I'm just curious, what are some of the biggest issues you've run into using the Windows supplicant?

Code Select Expand

snmp trap link-status Will only send traps notifying you of link up/down.


I believe

Code Select Expand

mac address-table notification mac-move will only send a syslog message. I'm not aware of any equivalent for snmp traps related to mac moves on NX-OS but the NAC product you're using should be able to use syslogs right?

My biggest headache with NAC has been trying to get the first levels of support to go through their checklists before kicking it up to me.

Did you verify the Zero Wired Autoconfig service is running? Nope.
Did you check that the machine has the correct 802.1x configuration settings applied? Nope.
Is the printer configured with the settings required to pass profiling? deer in headlights look.
Where's your checklist? What checklist?

Late reply 

I did something like this once but it was pretty platform dependent. Using an F5 VIP you can enable route advertisement for the VIP /32, but only when all virtual servers using that VIP are available. Then use OSPF on the F5 to advertise the VIP into the network.

VIP goes down, F5 withdraws the route from OSPF. VIP comes alive, F5 advertises the /32 through OSPF.

If this wasn't for an F5 then forget everything I said.