802.1x would help here, although it is a big undertaking. It would be nice if the NAA itself also provided the 802.1x supplicant natively. 802.1x would also help with attacks from rogue hosts with users in the unauthenticated role. Basically, without using 802.1x and without using Private VLANs or 'switchport protected', any user assigning themselves an IP, whether static or dynamically obtained, can attack your hosts (usually ARP poisoning) or attack your LDAP server if using AD SSO, since LDAP ports are opened to the unauthenticated users.
Thanks
Jim
Jim Thomas
Area Networks, Inc.
CCIE Security #16674
CCSP,CCNP,CCDP
[email protected] <mailto:[email protected]>
Office: 650-242-8050
Cell: 916-342-2265
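The ARP-poisoning risk Jim describes above is exactly what an arpwatch-style monitor catches: a host in the unauthenticated role that starts answering for the gateway's IP (or for another host's IP) shows up as a second MAC claiming an IP already bound to a different MAC. The script below is an added example for this thread, not code from the list or from Cisco; the IPs, MACs and ARP observations are constructed sample data, and the `ArpReply` record and both function names are assumed for the example. It is detection only; the mitigation Jim names (802.1x, Private VLANs, `switchport protected`, and Dynamic ARP Inspection on switches that support it) is what stops the poisoning in the first place.

```python
"""ARP-poison indicator: flag IP addresses whose claimed MAC changes.

Added example, not from the mailing-list thread. It models the check an
arpwatch-style monitor performs on observed ARP replies: the first time an
IP is seen establishes a baseline binding; any later reply for that IP from
a different MAC is reported, and a change on a protected IP (gateway, AD/LDAP
server) is rated higher. All addresses below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP the reply claims to own
    sender_mac: str    # MAC that sent the reply


# Constructed sample (hypothetical addresses): 00:aa:... is the real gateway,
# 00:bb:... is a rogue host that starts answering for the gateway's IP and
# then for another host's IP as well.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.1.1.1", "00:aa:aa:aa:aa:01"),
    ArpReply(1.0, "10.1.1.20", "00:cc:cc:cc:cc:20"),
    ArpReply(2.0, "10.1.1.1", "00:aa:aa:aa:aa:01"),
    ArpReply(5.0, "10.1.1.1", "00:bb:bb:bb:bb:99"),   # rogue claims the gateway
    ArpReply(5.5, "10.1.1.20", "00:bb:bb:bb:bb:99"),  # rogue claims a host too
    ArpReply(6.0, "10.1.1.1", "00:aa:aa:aa:aa:01"),   # real gateway answers again
]


def detect_arp_conflicts(replies, protected_ips=frozenset()):
    """Return (timestamp, ip, previous_mac, new_mac, severity) for each
    binding change, in time order.

    A change on an IP in `protected_ips` is rated 'high'; any other change is
    'medium'. The baseline (first sighting of an IP) is never reported.
    """
    bindings = {}   # ip -> most recently observed MAC
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        prev = bindings.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            severity = "high" if r.sender_ip in protected_ips else "medium"
            alerts.append((r.ts, r.sender_ip, prev, r.sender_mac, severity))
        bindings[r.sender_ip] = r.sender_mac
    return alerts


def macs_claiming_multiple_ips(replies, threshold=2):
    """Return {mac: [ips]} for MACs that claimed at least `threshold` distinct
    IPs; a single host answering for several IPs is a classic poisoning sign."""
    seen = defaultdict(set)
    for r in replies:
        seen[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_REPLIES, {"10.1.1.1"}):
        print("t=%.1f ip=%s mac %s -> %s [%s]" % alert)
    print(macs_claiming_multiple_ips(SAMPLE_REPLIES))
```

On the sample data the gateway binding flaps twice (rogue, then real gateway again) and the rogue MAC is reported for claiming two IPs. In a real deployment the replies would come from a SPAN port or the switch's own ARP/DHCP snooping tables, and the protected set would list the default gateway and the AD/LDAP servers that the unauthenticated role can reach.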
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Don Click
Sent: Thursday, February 19, 2009 6:06 PM
To: [email protected]
Subject: Re: Session Timer
Interesting. I don't think Clean Access would have helped much anyway -
since it would have quarantined the user on wireless, not wired.
I agree that if a user is associated to an AP, but not attempting to
authenticate, there should be some mechanism either in the APs (not
likely) or in CCA that, after a period of time, drops/blocks/moves the
user.
I'm actually going to have to think about this one, as I am about to
start looking at configuring our CCA solution for OOB Wireless/Wired.
(Currently, we use in-band for VPN access only.)
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Speight, Howard
Sent: Thursday, February 19, 2009 8:24 AM
To: [email protected]
Subject: Re: Session Timer
>Question - Are you using clean access for both WIRED and Wireless?
Only in the Residence Halls
>If it's only on wireless, what security do you enforce on the wired
>LAN?
Group policy and logon scripts for Domain machines, filters on router
and switch interfaces.
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Speight, Howard
Sent: Wednesday, February 18, 2009 2:36 PM
To: [email protected]
Subject: Re: Session Timer
That makes sense, then there is no reason to set that timer...
Food for thought...
We had an unauthenticated client machine on the wireless network, using
wired, but associated with an AP and holding a DHCP IP address. For
hours that machine was conducting little raids here and there trying to
compromise user accounts. Once blocked in the Filters, activity ceased.
What I was trying to accomplish was if the client machine was holding an
IP but not authenticating, I wanted to send them to Quarantine or
anywhere after ten minutes. How were they able to conduct the raids? The
authentication ports are open to the AD controllers in the
Unauthenticated Role...
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Jim Thomas
Sent: Wednesday, February 18, 2009 14:20
To: [email protected]
Subject: Re: Session Timer
Unauthenticated Role, it's a loop and es no bueno.
Thanks
Jim
Jim Thomas
Area Networks, Inc.
CCIE Security #16674
CCSP,CCNP,CCDP
[email protected] <mailto:[email protected]>
Office: 650-242-8050
Cell: 916-342-2265
-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Speight, Howard
Sent: Wednesday, February 18, 2009 1:38 PM
To: [email protected]
Subject: Session Timer
Let's say the Session Timer is set for ten minutes on the
Unauthenticated Role and the user does not authenticate within that ten
minute period, where does the user go?
Thanks, Howard