topic Re: 802.1x and Malware Identification in Wireless

802.1x and Malware Identification

Ryan20241 — Tue, 14 Jan 2025 13:36:31 GMT

Hi all,

I'm new to networking and recently started with a new company. I haven't been able to get an answer to this, so I thought I'd try here.

My understanding is that because we use 802.1x and have to configure each AP's IP address on our firewall, when our SOC identifies malware on an endpoint, they can only see the AP's IP address. So if there's, say, 10-20 devices on the AP, there's no way to know exactly which device needs to be remediated.

1. Is this a common implementation? It seems...not great, from a security perspective.

2. Are there any alternatives with our current infrastructure, or would the solution be to move away from 802.1x to something like FortiNAC?

3. Did anything that I just said make any sense, or should I change careers (again)?

I appreciate your time.

Re: 802.1x and Malware Identification

aleabrahao — Tue, 14 Jan 2025 14:21:51 GMT

I believe they are monitoring incorrectly, regardless of whether the client is on Wi-Fi or wired network, they should be able to identify the source of the alert.

I believe they should correct the monitoring.

Re: 802.1x and Malware Identification

aleabrahao — Tue, 14 Jan 2025 14:43:55 GMT

By the way, I don't know how you are monitoring but Trellix can be a great ally in these cases.

https://www.trellix.com/

Re: 802.1x and Malware Identification

mloraditch — Tue, 14 Jan 2025 14:48:59 GMT

If you are using NAT mode for your wireless clients on any of your ssids, then any upstream device will only see the traffic as sourcing from the AP so this is entirely possible, although it has nothing to do with 802.1x. That functionality can work with or without NAT mode.

You can change your ssids to drop off to a VLAN the firewall can fully see to alleviate the issue.

Re: 802.1x and Malware Identification

aleabrahao — Tue, 14 Jan 2025 15:39:51 GMT

In this case it makes sense.

Re: 802.1x and Malware Identification

Ryan20241 — Tue, 14 Jan 2025 15:49:18 GMT

Thank you - I'll reach out to our SOC for clarification.

Re: 802.1x and Malware Identification

Ryan20241 — Tue, 14 Jan 2025 16:02:10 GMT

I just double-checked, and we do have NAT mode enabled on our SSIDs. Do you know of any major drawbacks or pitfalls to transitioning off of this?

Re: 802.1x and Malware Identification

aleabrahao — Tue, 14 Jan 2025 16:25:45 GMT

The biggest disadvantage is that in NAT mode, client devices will always use the AP's IP to communicate with any resource.

If you need to monitor client IPs, use bridge mode.

Re: 802.1x and Malware Identification

Philip D'Ath — Tue, 14 Jan 2025 21:10:09 GMT

Several thoughts.

1. You could get the SOC to monitor the APs and the firewall. Then they'll be able to see clients.

2. You are probably using SSID NAT mode. If you create a dedicated VLAN for guests, and bridge the SSID to that VLAN they'll be able to see the individual clients on the firewall.