10-08-2014 08:54 AM
We are looking for a way to support wired network printers through a RAP with secured ports. I currently have our RAPs configured with 802.1x auth on the wired ports and it's working fine with Windows PCs, but I can't find a printer that supports 802.1x through a wired port. We don't want to broadcast our wireless to the remote user. Management doesn't want to use MAC auth because they are afraid it can be spoofed easily.
Anyone have any suggestions?
10-09-2014 12:22 AM
You are probably correct when stating that MAC addresses are easily spoofed. What may help in such a situation is to use the role-based firewall to limit network access to the required minimum.
For a network printer, this may be only DHCP, as no other traffic from the printer to the network is required typically.
You can create a new role for your printer, with such strict firewalling rules, and assign that during the MAC authentication.
If you have ClearPass, you can use profiler to even get more information and fingerprint the device (and block it as soon as it shows to be another device than a printer).
From a security view, I consider MAC authentication a convenience feature that can be circumvented. Strict security controls in the firewall limit the impact.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
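The restricted-role approach from the reply above could look like the following ArubaOS controller configuration. This is an added example, not part of the original thread; the ACL, role and AAA profile names are hypothetical, the MAC authentication server group is not shown, and the commented-out print-server rule (address and TCP port 9100) is an assumption about how jobs reach the printer.

```text
! Constructed example. All names are hypothetical.
! Session ACL: the printer may only do DHCP; everything else it initiates is dropped.
ip access-list session printer-dhcp-only
  user any svc-dhcp permit
  ! Assumption: uncomment and adjust if print jobs arrive as raw TCP 9100 from one server.
  ! host <print-server-ip> user tcp 9100 permit
  any any any deny
!
! Role that carries only the restrictive ACL.
user-role printer-role
  access-list session printer-dhcp-only
!
! AAA profile for the RAP wired port: a device that passes MAC authentication
! lands in printer-role, so a spoofed MAC gains nothing beyond what the printer had.
aaa profile "printer-mac-aaa"
  initial-role "logon"
  authentication-mac "default"
  mac-default-role "printer-role"
```

The profile still has to be attached to the wired port profile used by the RAP; a spoofed printer MAC then inherits only the DHCP-only role rather than general network access.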