Security

Recently we deployed Clearpass cluster in the network with 6100/6200 switches.

We deployed dot1x authentications for windows stations and mac-auth for all the rest (Cameras/Linux/Pinpads/Printers exc…)

The problem is that only Mac-authentication is not passing a Penetration Test of the organization.

Therefore, we need to think about another way or an extra parameter for securing those end stations.

Can we get some fingerprints or another parameter from the end station when is first appearing in Clearpass? and bind between the MAC address and another parameter?

In our current situation, if a camera is connecting. We approve it's MAC Address and saves it as known MAC address.

If another device (Laptop for example) spoof this camera's MAC address, it will grant access to the network because of the known MAC address of the Camera.

My goal is to get some extra parameter to identify this MAC so if another device spoof it, it would be blocked because it does not have that extra parameter.

Thanks,

Recently we deployed Clearpass cluster in the network with 6100/6200 switches.

We deployed dot1x authentications for windows stations and mac-auth for all the rest (Cameras/Linux/Pinpads/Printers exc…)

The problem is that only Mac-authentication is not passing a Penetration Test of the organization.

Therefore, we need to think about another way or an extra parameter for securing those end stations.

Can we get some fingerprints or another parameter from the end station when is first appearing in Clearpass? and bind between the MAC address and another parameter?

In our current situation, if a camera is connecting. We approve it's MAC Address and saves it as known MAC address.

If another device (Laptop for example) spoof this camera's MAC address, it will grant access to the network because of the known MAC address of the Camera.

My goal is to get some extra parameter to identify this MAC so if another device spoof it, it would be blocked because it does not have that extra parameter.

Thanks,

Recently we deployed Clearpass cluster in the network with 6100/6200 switches.

We deployed dot1x authentications for windows stations and mac-auth for all the rest (Cameras/Linux/Pinpads/Printers exc…)

The problem is that only Mac-authentication is not passing a Penetration Test of the organization.

Therefore, we need to think about another way or an extra parameter for securing those end stations.

Can we get some fingerprints or another parameter from the end station when is first appearing in Clearpass? and bind between the MAC address and another parameter?

In our current situation, if a camera is connecting. We approve it's MAC Address and saves it as known MAC address.

If another device (Laptop for example) spoof this camera's MAC address, it will grant access to the network because of the known MAC address of the Camera.

My goal is to get some extra parameter to identify this MAC so if another device spoof it, it would be blocked because it does not have that extra parameter.

Thanks,

Recently we deployed Clearpass cluster in the network with 6100/6200 switches.

We deployed dot1x authentications for windows stations and mac-auth for all the rest (Cameras/Linux/Pinpads/Printers exc…)

The problem is that only Mac-authentication is not passing a Penetration Test of the organization.

Therefore, we need to think about another way or an extra parameter for securing those end stations.

Can we get some fingerprints or another parameter from the end station when is first appearing in Clearpass? and bind between the MAC address and another parameter?

In our current situation, if a camera is connecting. We approve it's MAC Address and saves it as known MAC address.

If another device (Laptop for example) spoof this camera's MAC address, it will grant access to the network because of the known MAC address of the Camera.

My goal is to get some extra parameter to identify this MAC so if another device spoof it, it would be blocked because it does not have that extra parameter.

Thanks,