Security

I have two question s:
For one of our customers, we have proposed dhco profiling.

1) can we see the port number of switch in DHCP profiling ? I know we can see device family vendor and os .but is there any way to see port number in any of there profiling . This will help to make an audit easy .


2) I have two users both have identical HP laptops .one user is an internal domain user but has expired certificate and other user is an external user with no certificate

The authentication order/ priority is dot1x and then mab and we are currently using open mode

So dot1x will fail for both as internal user is having expired certificate and external user has no certificate and both will authnciate via mab. And DHCP profiling will show both as ho laptop users .

Now the requirement is how to identity on basis on this who is internal user and who is external?

The customer has large user base
Is there any domain name attribute which profiling can do to segreagte a domain internal user from external .

From.mab point of few both look same .but during audit analysis if we have to segrgate how do we achieve it .

Here IT does not have a list of Mac address of laptops of internal users . Any other profiling method which can dig domain attribute of mab internal user ?

1. No
2. Use machine certificates to identify managed assets. MAC Auth should only be used for headless/IoT devices and guests.

Hello Tim , you mean to say in addition to DHCP profiling where we are identifying both as laptop user , also do the machine certificates check and identity devices /endpoint s on basis of certificates ? Which profiling method covers this ? Also Mac authentication is being used for printers scanners and IP phones because of open mode but later we won't use mab for laptops

Profiling is to determine device type, not determine a user or machine's identity.

Yeah but I am trying to understand what you mean by saying that we have to identify in basis of machine certificates for managed assets .

Once dot1x fails for both internal and external machines ,both will use mab . So which option will further check or helps in determining the machine certificates check ?

Hi Tim ,

 

Waiting for your reply 

Like Tim explained , you can't use profiling to validating or check a certificate on a device particular device.

 

To check or validate a certificate on a machine you need to configure OCSP or CRL , OCSP is more effective 

 

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ocsp/5792b4c4-c6ba-439a-9c2a-52867d12fb66

Hi Victor , i dont want o validate the certificate

 

The requirement is see if a machine discovered as a Laptop by DHCP profiling - can we see domain attribute of machine - or any way to see FqDN of the machine 

No. This is not a valid workflow.

why do you need the FQDN? 

 

To my understanding, you need to separate internal devices with an expired certificate from external devices, is this correct?

If this is correct, the device was successfully authenticated before (before the certificate was expired). Would it be possible to use the endpoint database and insert a new attribute, e.g. internal (with just true and false as value) and each time a mac address is authenticated successfully with a certificate you set this attribute to true. 

If the device comes back with an expired certificate you just check this attribute and if the attribute is true, you know it is an internal device. 

 

just my 2 cents :) 

 

My recommendation would be to protect the guest network with a captive portal and if an internal user enters his AD (I assume you use active directory) credentials he gets online to renew the expired certificate.