From: Brian Desmond

NAC != .1x. The 3560 will certainly do the port based auth, and I believe the 2950 will as well. I have the configs around. It's pretty well explained in the config guide, though.

Thanks,
Brian Desmond
c - 312.731.3132

From: Noah Eiger

Thanks all for the thoughts. I think that the thing I will need to communicate to these folks is simply the tradeoffs and the risks. They run many apps that force full admin rights on the workstations and have concluded that this is an acceptable risk. We'll see what they say. In the end, I feel okay about it if they are fully cognizant of the risks and then accept them. Maybe I'll put something in about double the hourly rate for cleanup ;-)

-- nme

P.S. Brian, could you elaborate on the inexpensive NAC products? I see that IAS will be a RADIUS provider to 802.1x switches. Is there a feature set within the IOS that can handle this (Catalyst 29xx and 35xx), or is it a separate device?

From: Brian Desmond

They're keeping me a little busy down at the fun factory, so I'm up pretty late. Actually, I just flew back in yesterday from a client, so I was handling backlog.

How is .1x cost-prohibitive? Have you looked at the NAC products most major VPN providers have to handle your fears about viruses and such? Also realize you don't need to open a lot of the ports representative of that sort of stuff. Lock it down by job role.

From: Noah Eiger

Thanks, Brian. Don't you sleep? It's late in Chicago ;-)

802.1x is the direction they are heading. Right now, it is cost-prohibitive. So the question is less "can I control this access" than "should I"? Is that over-reacting?

Again with the VPN. My thoughts were to push it with an MSI, so I see how to control its distribution. The question is: should I limit it to just the domain computers? How big is the risk? If the risk from home computers is viruses and malware, how do I justify preventing folks from running it on their home Macs?

Thanks.
-- nme

From: Brian Desmond

My suggestion is that you implement 802.1x port auth to implement port-based authentication. You can use this to implement guest VLANs with the policy routing you describe.

Isn't the Cisco VPN an MSI? Use Group Policy or SMS if you have it. You can do some NAC stuff with Cisco VPN as well as the personal firewall built into it.

I don't see how you plan to prohibit OS X at least. Put it on the guest VLAN if you must, but realize that the marketing, PR, etc. people may live in a Mac world.

From: Noah Eiger

Hi: I am facing some IT policy questions and wanted to get some perspectives. In each of these areas, I am trying to determine how restrictive I need to be. The client has four sites connected over high-speed links. I have good backing from management but will undoubtedly get resistance on some of these. The client is small, under 200 employees, with most in one office. Some small field offices are not managed (i.e., have workgroup networks, often with a small server, but no AD). There are no SOX requirements and the data are not sensitive (e.g., no credit cards). Almost entirely Windows XP; all DCs run W2k3. Any thoughts on these topics welcome.

Connecting to the wired network. They do not run any IDS or machine-based authentication. Given that, written policy carries some weight. I want to require all non-domain machines to connect only to a "public" VLAN that goes only to the Internet. I would apply this even to staff "personal" computers, those of contractors (including me), and machines from those field offices that are not on the domain.

VPN. They run a Cisco VPN. I want to distribute the client only to domain-based machines. Others want the client for their home computers, etc.

Other Operating Systems. I don't want to allow other OS's on the network, unless we manage them. But what is the threat posed by a Linux or OS X box on the network?

As always, many thanks.
-- nme
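The 802.1x port authentication with a guest VLAN that Brian recommends in the thread above, written out as an added example configuration that is not from anyone in the thread. It assumes a Catalyst 3560 on an IOS release that has the dot1x guest-vlan and auth-fail vlan features, with IAS as the RADIUS server; the RADIUS address, shared secret, port range and VLAN numbers are placeholders.

```cisco
! Added example (not from the thread): 802.1x port auth with a guest VLAN on a Catalyst 3560.
! Assumptions: 192.0.2.10 is the IAS RADIUS server, SHARED-SECRET-PLACEHOLDER is a placeholder,
! VLAN 10 is the corporate VLAN, VLAN 99 is the Internet-only "public" VLAN from the original post.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
! Enable 802.1x globally; without this line the per-port settings below do nothing.
dot1x system-auth-control
!
vlan 10
 name corp
vlan 99
 name guest
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! Port stays unauthorized until a supplicant authenticates against IAS.
 dot1x port-control auto
 ! A client with no 802.1x supplicant (a personal laptop, an unmanaged Mac or Linux box)
 ! is moved to the guest VLAN once the EAP-Request timeouts expire.
 dot1x guest-vlan 99
 ! Caveat: a client that has a supplicant but fails authentication is NOT placed in the
 ! guest VLAN by the line above; it stays blocked unless an auth-fail VLAN is configured.
 ! Sending failed clients to the same Internet-only VLAN is a policy choice, not a requirement.
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 3
 spanning-tree portfast
```

The guest VLAN still needs its own routing or ACLs so that it reaches only the Internet; that part is the "policy routing" the thread refers to and is not shown here.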