Security

Reply
Occasional Contributor II

IOT in Financial Environment

We are trying to determine the best course of action to take with IOT devices.  Right now, through inheritance, we have a guest network that is simply an accept an connect using MAC Auth/MAC Caching.  Does it make sense to try and segment them from the general guest wireless, with a COA to another VLAN once they are profiled?  Or would I be just as well to leave them in the General Guest wifi with thier MAC in the static host list having additional parameters on that device list then?  It just seems that there is a better way.  

Right now we are not doing anything with Device registration but are working toward a full NAC using clearpass.  

 

Any thoughts are helpful. 

 

Thanks! 

MVP

Re: IOT in Financial Environment

I would like it if ClearPass would do a more invasive nmap scan to help me identify my IoT things. What I have been doing as we roll out NAC is to start with MAC-Auth-accept-all to get them in the database.

We then pick a point in time and declare that all of the devices in a VLAN or SSID (or other arbitrary block) have been found and switch to MAC-Auth for devices in the database only.

Further we (slowly) verify the devices we find and check the "known" box in the endpoint record.

When we think we've identified everything triggering a particular service, we limit access to "known" devices only.

For locked services we're planning to offer a device-registration portal for our technicians to verify their devices, or set up a switch in a controlled area where new devices can be learned.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: