David,

We previously used a similar method of device/MAC registration via a web form. However, we have recently implemented an Infoblox DHCP/DNS solution that allows us to assign blocks of addresses via MAC OUI filters to these devices, and then in turn apply a Gaming role to these ranges. This has saved us a ton of time/work managing individual device registrations, although we do occasionally have to add a new OUI to the filters as new devices come in.

As far as the rule set, we don't want to manage a list of service ports either, so we have settled on protecting our Campus resources from this Gaming role and permitting most outbound ports to the Internet. We are L3 Inband for our ResNet, so depending on your implementation this may not be an option for you, but it has worked well for us so far.

TimB
Towson University

From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of McIntosh, David
Sent: Thursday, May 27, 2010 10:52 AM
To: [email protected]
Subject: Gaming Device registration

All,

We are looking for possibly a new method for the way in which we handle the registration of headless devices such as the Nintendo Wii, Xbox 360, Playstation 3, TiVo, etc. For the last 5 years we have relied on a web-based form that students have accessed to provide registration information including their name, type of system, MAC address and device description. When students filled out the form, the MAC address they entered was checked against a range of known MAC addresses to verify what they were registering, and if the range didn't fit they were asked to either correct their typo or come into our remediation center for verification. In this way we hoped to minimalize the registration of computers as gaming systems in order to bypass CCA.

Up until recently we have been fairly successful in maintaining a list of ports to allow open access to, and MAC addresses that correspond to the various systems. Unfortunately, we have reached the point where it is simply impossible to keep up with all the new MAC address ranges for the new systems as they come out to prevent being overloaded with walk-in traffic looking for verification. Furthermore, with the addition of applications to the newest platforms (NetFlix, Web browsing, e-mail, etc.), it became increasingly difficult to monitor the ports that we needed to keep open, resulting in our being completely overwhelmed. The quick fix to this was simply to open the gaming role to all ports; however, this was done without the knowledge that the MAC address checking fail-safe had also been disabled.

This summer we are implementing various changes to CCA, including an upgrade, and are looking for ideas to re-work how we have been managing our gaming devices. I'm interested in hearing anyone else's solutions or anyone's ideas for the continued management of these devices so we can, hopefully, abandon the system of managing ports and MAC addresses.

David McIntosh
IT Services
Miami University
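The MAC-range check David's web form performed and the OUI-based sorting TimB describes, as an added example that is not part of either message: it normalizes a submitted MAC, rejects multicast and locally administered addresses (which carry no vendor OUI to match), and compares the OUI against a gaming OUI table before assigning a role. The OUI prefixes in the table are constructed placeholders, not real vendor assignments, and the function names are my own.

```python
import re

# Constructed OUI-to-device table for illustration only; these prefixes are
# placeholders, not real vendor assignments. In practice this is the list that
# has to grow as new console hardware revisions ship.
GAMING_OUIS = {
    "00:11:22": "Xbox 360",
    "00:33:44": "Nintendo Wii",
    "00:55:66": "PlayStation 3",
    "00:77:88": "TiVo",
}


def normalize_mac(raw):
    """Accept 001122aabbcc, 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or 0011.22aa.bbcc
    and return the lower-case colon form, or None if it is not a 48-bit MAC."""
    if re.search(r"[^0-9a-fA-F.:\-\s]", raw):
        return None  # stray characters: almost always a typo on the form
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def check_registration(raw_mac, claimed_type):
    """Return (decision, detail) for one form submission.
    decision is 'accept' (assign Gaming role), 'reject' (ask the student to fix
    the entry) or 'verify' (send to the remediation center for a manual look)."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return ("reject", "not a valid MAC address; likely a typo")
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        return ("reject", "multicast bit set; not a unicast device address")
    if first_octet & 0x02:
        # Locally administered: the OUI was set by software, so it cannot be
        # used to identify the hardware vendor.
        return ("verify", "locally administered address; no vendor OUI to match")
    vendor_type = GAMING_OUIS.get(mac[:8])
    if vendor_type is None:
        return ("verify", "OUI not in gaming list; send to remediation center")
    if vendor_type != claimed_type:
        # A computer registered as a console to land in the open Gaming role.
        return ("reject", f"OUI belongs to {vendor_type}, not {claimed_type}")
    return ("accept", vendor_type)
```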
