802.1x - is Blackhole VLAN still best practice?

nict
Level 1

Lately I've been working with 802.1x implementation, and to my knowledge a blackhole VLAN is always a security best practice for unused ports in general, but how about when we have 802.1x configured on a port?

In my setup within ISE, policies are configured to deny access if devices don't adhere to any rules.

My main question is: Is it still considered best practice to assign a Blackhole VLAN on 802.1x configured ports, rather than the Data VLAN, for instance? Are there potential security risks associated with this approach?

The primary concern I can think of is the accidental configuration of a rule in ISE that could permit devices even if they fail dot1x or MAB authentication. But, are there other considerations beyond this?

I've scoured Cisco's resources for guidance but haven't found definitive best practices. Any insights would be greatly appreciated.

Best Regards,

Nicolai

2 Replies

@nict I would leave unused ports configured for NAC. For any device that fails authentication you can apply a Downloadable ACL (DACL) or, in a TrustSec environment, a unique SGT to limit what the device can do. This allows ISE to profile the device and, if required, provide limited access to certain resources, such as allowing it to remediate any issues.

The endpoints that failed authentication can still be placed in the normal data VLAN, but with the aforementioned restrictions. This reduces the admin overhead of deploying blackhole VLANs throughout the environment, but is still secure.

With Blackhole VLAN, do you refer to the default VLAN?

My favorite approach is to use a permissive Quarantine VLAN that has basic internet access but no access to internal systems. All my regular policy rules apply the desired VLAN, and if I forget or misconfigure a rule, the access is highly limited, but the resulting access makes troubleshooting slightly easier.

But this approach is not useful everywhere.
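As an added example (not posted by anyone in this thread), here is how the two replies' advice can be combined on a Cisco IOS access switch: the static port VLAN is the blackhole, so a permit rule in ISE that forgets to return a VLAN fails closed, while explicit failures land in a permissive quarantine VLAN that ISE can further restrict with a dACL. Interface name, VLAN numbers 999/998 and the RADIUS server definition are assumptions.

```cisco
! Global AAA so the switch accepts ISE-assigned VLANs and dACLs
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! (RADIUS server definition pointing at ISE omitted; site-specific)
!
! VLAN 999 (number assumed) carries nothing: no SVI, not trunked uplink
vlan 999
 name BLACKHOLE
! VLAN 998 (assumed) is the permissive quarantine VLAN from the second
! reply: Internet only, no route to internal systems, enforced upstream
vlan 998
 name QUARANTINE
!
interface GigabitEthernet1/0/10
 description 802.1X user port
 switchport mode access
 ! Static VLAN is the blackhole. A session that ISE permits WITHOUT
 ! returning a VLAN stays here, so a misconfigured permit rule fails closed.
 switchport access vlan 999
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Access-Reject from ISE (dot1x or MAB) and silent hosts go to
 ! quarantine rather than the data VLAN; ISE can still push a dACL
 ! on top of a successful authorization for finer limits.
 authentication event fail action authorize vlan 998
 authentication event no-response action authorize vlan 998
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

The trade-off is the one the second reply hints at: a legitimate authorization rule that omits the VLAN attribute also drops users into the blackhole, which is safe but gives you nothing to troubleshoot from.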