Hi,

> What do you suggest to do with printers, IP phones and other network devices
> which can not support 802.1x?
> What are you doing to secure this backdoor?
> One idea is to identify such devices by MAC, but I think it should be
> something else -
> cause someone can disconnect a printer, change the MAC address on a PC to the
> same as the printer, and welcome home :).
> Any suggestions?
Fortunately our IP phones do 802.1x... however, they can be dealt with (see below).

Most of our printers can do 802.1X these days - however, if you ensure that only a set of 'print servers' can talk to them, and people print to a print server rather than directly to the network printer, then it's quite easy to put those sockets onto a very restricted network that can only talk to the print servers. Then, when the leet haxor changes their MAC address to 'be the printer', they aren't going to have much fun on that network... only being able to talk to printer-1 and printer-2 isn't what they would like.

Likewise, phones only need to talk to the main IP PBX(s) and then to each other. If you ACL the phone VLANs so they can only talk to each other and nothing else, then who would want to be on the phone network? If it's Mr. Haxor wanting to listen in to non-encrypted calls, then extra protection can be layered on - port privacy, ARP inspection et al.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
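The ACL design in the reply above, written out as a small policy model so the two cases can be checked side by side: a laptop that has cloned a printer's MAC lands on the printer VLAN and can reach only the print servers (and the other printers), and a host on the phone VLAN can reach only the PBX and other phones. This is an added example, not code or configuration from the original thread; the addressing (10.10.20.0/24 for printers, 10.10.30.0/24 for phones, the print server and PBX addresses) and the sample flows are constructed, and the rules model a first-match, implicit-deny ACL applied to traffic entering from the VLAN's access ports (so intra-VLAN traffic is covered too), not any particular vendor's syntax.

```python
"""Model of the restricted printer/phone VLAN ACLs from the reply above.

Rules are evaluated first-match with an implicit deny at the end, the way a
typical switch or router ACL behaves. Addresses are hypothetical.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "action src dst proto dport")

# Assumed addressing (constructed for this example, not from the original post)
PRINTER_VLAN = ip_network("10.10.20.0/24")
PRINT_SERVERS = [ip_network("10.10.1.10/32"), ip_network("10.10.1.11/32")]
PHONE_VLAN = ip_network("10.10.30.0/24")
PBX = ip_network("10.10.2.5/32")
ANY = ip_network("0.0.0.0/0")


def printer_vlan_acl():
    """Printer VLAN: only the print servers (and the other printers) are reachable."""
    rules = [Rule("permit", PRINTER_VLAN, ps, "any", None) for ps in PRINT_SERVERS]
    # Printers may still see each other (printer-1 and printer-2, as the reply puts it).
    rules.append(Rule("permit", PRINTER_VLAN, PRINTER_VLAN, "any", None))
    rules.append(Rule("deny", PRINTER_VLAN, ANY, "any", None))  # explicit catch-all deny
    return rules


def phone_vlan_acl():
    """Phone VLAN: signalling/config to the PBX, RTP media between phones, nothing else."""
    return [
        Rule("permit", PHONE_VLAN, PBX, "any", None),          # SIP/SCCP, config download, etc.
        Rule("permit", PHONE_VLAN, PHONE_VLAN, "udp", None),   # phone-to-phone RTP media
        Rule("deny", PHONE_VLAN, ANY, "any", None),
    ]


def evaluate(rules, src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for a flow; unmatched flows hit the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


# Constructed sample flows: (label, acl, src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("printer answers print server (raw/9100)", printer_vlan_acl, "10.10.20.7", "10.10.1.10", "tcp", 9100),
    ("spoofed printer MAC -> file server SMB",    printer_vlan_acl, "10.10.20.7", "10.10.5.40", "tcp", 445),
    ("spoofed printer MAC -> another printer",    printer_vlan_acl, "10.10.20.7", "10.10.20.8", "tcp", 9100),
    ("phone -> PBX SIP",                          phone_vlan_acl,   "10.10.30.21", "10.10.2.5", "udp", 5060),
    ("phone -> phone RTP",                        phone_vlan_acl,   "10.10.30.21", "10.10.30.22", "udp", 16384),
    ("host on phone VLAN -> phone SSH",           phone_vlan_acl,   "10.10.30.21", "10.10.30.22", "tcp", 22),
    ("host on phone VLAN -> file server SMB",     phone_vlan_acl,   "10.10.30.21", "10.10.5.40", "tcp", 445),
]


def check_flows():
    """Evaluate every sample flow; returns {label: action}."""
    return {label: evaluate(acl(), src, dst, proto, dport)
            for label, acl, src, dst, proto, dport in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, action in check_flows().items():
        print(f"{action:6}  {label}")
```

The point the flows make is the one in the reply: after a MAC swap the attacker is on the segment, but the only things that answer are the print servers, the other printers, or the PBX and phones. The media rule on the phone VLAN is deliberately UDP-only so a host parked there cannot use it as a general-purpose path to other phones; whether to tighten it further to the RTP port range depends on what the PBX negotiates.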