I have a customer that has a hub and spoke network. The remote offices come in over a WAN for central site network access and even their Internet traffic comes to the central site frst before going out. They need a way to keep rouge computers from being plugged into the network at a remote office and getting network access. They want something more robust and easily managed than access-lists. They do have a Cisco routers that all the incoming WAN traffic passes through in order to gain access to the LAN and Internet. Would CCA or ACS be good for this or something else?
Thanks to all!
You can try something like clean access.
Cisco Clean Access is an easily deployed software solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access your network. It identifies whether networked devices such as laptops, personal digital assistants, even game consoles are compliant with your network's security policies and repairs any vulnerabilities before permitting access to the network.
This suggestion's feasibility will really depend on the size of the network (how many hosts), but one "no capital expenditure" option is to stop using dynamic DHCP assignments. With static assignments and no dynamic pools for new hosts to obtain IP addresses from, new devices plugged into the network won't be able to route to the central hub (and on to the Internet).
Another option that may be no-cost would be to enable mac-address limiting on the switches at the spoke offices and to disable ports that you know don't have devices connected. For example, on a Cat3500XL you could use "port security max-mac-count 1" and "port security action shutdown" at the interface level. (I'm not sure if you can do this on a 802.1q trunk, so if you've got IP phones, this may not be possible.) This would also have the side-effect of cutting off network access for people that move their own computers to different offices. (That could be good or bad, depending on your viewpoint I guess.)
I had a chance to read to other two replies before crafting my repsonse to make sure I wasn't telling you something you have already heard about.. There was a couple of things thrown out and I would like to explain a little about each of them..
CCA - Cisco Clean Access. While yes it does provide a way to stop users from accessing your network it's main function is to asses the "Health" of the computer before it grants access to the network. You might be able to configure it such a way to prevent access to your network but I feel it might entail an overly complex configuration. (I am in the process of building up CCA in my lab so do not that much about it's true capabilities just what I have read)
Static IP Addressing instead of DHCP. This might work, but only if the users who are connecting into the network have no idea what addressing you are using. If they find out, then they can start "trying" different addresses until they find one that works. Not a very good solution really.
port security max-mac-count 1 - Ok now we are getting somewhere, but this is not the right direction either. What happens if you are using VoIP, now there will be at least 2 mac addresses coming down that pipe..
What we really want to look at is IBNS - Idenity Based Network Security. This will use 802.1x to Authenticate the user before allowing the port to go active. If that user has a valid account in the windows Active Directory then the user will be allowed to gain access to the network. If that user does not, then just like the (port security max-mac-count) command the port will be put in a "shutdown" state. You will need to re-enable that port manually. So even with this solution there are pros and cons.
Remember now IBNS and NAC are highly dependent on having Cisco throughout the network, not just at the router level.
One more thing I thought of: you might be able to use dynamic port VLAN membersip with VMPS to block unauthorized MAC addresses. This solution assumes a lot however:
- Won't work with IP Phones (trunking)
- Assumes Cisco switches everywhere
- Assumes you have a box capable of being the VMPS server
- Bad things will probably happen if the VMPS server goes away
On the plus side:
+ You can config a backup VMPS
+ The MAC-to-VLAN mappings can be on a TFTP server so both VMPS' share them
+ If you do not use "secure mode" then ports do not get turned off when a bad MAC is seen (bad MACs are blocked, good ones are passed), so no manual resetting of disabled ports
I'm not sure if it's a valid config to have the VMPS server across a WAN link or not; it may be a requirement to have a VMPS (and backup) at each site.
there several solution for your problem, but i suggest the easiest one which is as following:
configure each cisco switch at each site in a way that all existing computers that have access to the internet will be plugged to specific port and shut down all remaining ports so in that way if any one come to get access and plugged his PC to an empty port it wont have access unless he unplugged one of the existing ones and out his PC instead
and for more robust one you have to get mac addresses to all existing PCs add them to the switch
so in this way whom ever plug his PC in whatever port he will not get access
Tans for everyone that replied. One major hurdle is that Cisco is not throughout the entire network just at the central site. It seems that Clean Access is the way to go. Thanks to everyone!