100% NAC

Reggle · April 11, 2015, 04:40:07 AM

Random idea, as I currently don't have time for proper research: would 802.1x with MAB (MAC authentication bypass) work to put stuff in a remediation VLAN somehow?

deanwebb · April 11, 2015, 04:46:26 PM

Yes. The remediation VLAN needs to exist on the switch. Basically, the condition should be if the device gets a RADIUS-Rejected, assign it to that VLAN. That VLAN would have access to things needed to get back on the network. Keep in mind that one RADIUS-Rejected is the same as another, so that remediation VLAN will also be where baddies are left to hang out, as well as salesmen from remote locations that never read the emails about needing to upgrade their systems.

deanwebb · January 07, 2016, 09:31:41 AM

KERBUMP

I got 99 problems, and a client issue is all of them.

Just remember that when you're doing a NAC project. If something goes wrong, make a check on the switch config and the NAC system config... if all looks well, then it's a client setting. It's not the proxy, it's not the firewall, it's not the IPS, it's not the switch, it's not the router, it's not the NAC, it's not even the load balancer. It's a setting on the client, possibly the same bad setting on multiple clients. Look at the clients. Look at them good and hard before you start changing anything that's not on a client.

Because if you don't fix the client, you will spend hours chasing your tail in all the places where the problem simply does not exist.

100% NAC

Reggle

deanwebb

deanwebb