How to implement network protection from "left" devices?

IrkDesigner2013-10-04 16:27:44

Cisco

IrkDesigner, 2013-10-04 16:27:44

Greetings, habrosobshchestvo!
At the enterprise a network, addresses are distributed on DHCP, the Cisco switch is used. I would like to implement host control so that users cannot use their equipment (connect laptops, access points). Question is how to do it?
Can use any built-in Cisco mechanisms? Based on the deployed Radius infrastructure? And what is the best way to control? By Mac address, or something else?
In general, I am not at all special in this matter, so I will be glad for a detailed description and practical advice.

Answer the question

In order to leave comments, you need to log in

8 answer(s)

Sergey Petrikov, 2013-10-04
@RicoX

I would look towards DHCP_snooping + Option 82 DHCP+ radius as a layer between the base of subscribers and dhcp. So you get full control over all the equipment in the network, the scheme is only possible in a completely smart network. The easiest way is to deploy on the basis of any billing for ISP. Of the pluses, all poppy equipment is tied to the switch port, it will not work in another port, another poppy will not work in this port, etc. individual ACLs for any centrally managed device. It works like this, the first time the device is connected to the network, it receives a special fake address from which only the authorization page is available, enters its login password, the device is recorded in the account of a specific subscriber and receives all its filtering rules, etc. Cons - expensive for iron. Outline the problem in full, maybe something simpler will suit.

Igor, 2013-10-04
@shanker

As I understand it, you need to dig towards using IEEE 802.1X technology . She is just friends with the Radius server. Alas, I can’t tell you more about the setting, because. I have purely theoretical knowledge in this area. It will be interesting to observe the answers of more competent specialists.

verwolfdotss, 2013-10-04
@verwolfdotss

At my last job it was like this:
habrahabr.ru/post/124697/
(A colleague just wrote the article)

HallEffect, 2013-10-04
@HallEffect

Look towards the port security function Port security . There you can restrict the connection of third-party devices by MAC addresses and configure the switch's response to this event

Sergey, 2013-10-04
@bondbig

Only ISE, only hardcore!

vovagubin1987, 2013-10-04
@vovagubin1987

Everything is simple. Set up a shared network. The first network is only workplaces, which organized access to the Internet. The second network is only the internal network. Next, the dhcp server must know the computers to which it issued addresses, and if it knows everyone, then check the box or switch to the position - prohibit the connection of unknown clients. The second shared network is all the others. Unknown clients must be allowed to connect. Send them to the stub. You can bind everything to networks and poppies manually.

pportnoy, 2013-10-05
@pportnoy

In fact, Windows has a special role for these purposes - Network Access Protection.
And she will destroy everything on the basis of 802.1X.

Nadz Goldman, 2013-10-09
@nadz

Rave.
Everything is nonsense.
=)
Just use
ports_security + dhcp