
Outside person

ankitohc
Spotlight

If outside users come to the office, they should be routed to the Internet, not the intranet, when they connect to our company network.

How can we stop them from accessing our internal network? They should have access to the Internet only if they connect to any port in the company.

5 Replies

Joseph W. Doherty
Hall of Fame

Wired ports?

There are technologies that require the user and/or device to authenticate itself to the network before the network will allow access beyond this initial authentication process.  Depending on the authentication result, the network will set the port to a specific VLAN.  Outside guests that don't authenticate as employees generally obtain only a VLAN with Internet access.

BTW, where this access gets "tricky" is ensuring an unauthenticated device doesn't somehow "piggyback" on a port that has an authenticated device on it, or had one just a moment ago.

Yes, wired ports. I mean, if someone comes in with their laptop and tries to connect to any port in our network, they should not be able to access any internal resources; however, they should be able to reach the Internet.

Yup, again, there are such technologies that will control that.

For product/technology recommendations, helpful if you describe what your environment comprises.

This question might also be better posed in one of the security forums, like Network Access Control, and you might get an overview here.

Note: if you want, I can move this message to another topic.

M02@rt37
VIP

Hello @ankitohc,

Consider implementing IEEE 802.1X. It is "an IEEE Standard for port-based Network Access Control to prevent unauthorized devices from gaining access to the network."

https://www.ciscozine.com/802-1x-introduction-general-principles/

Complex to implement. 802.1x operates at the data link layer and provides a method for devices to authenticate themselves before being granted network access.

Here's how it works: when a device attempts to connect to a network port, the port remains in a blocked state until the device's identity is verified. This verification process involves three main components: the supplicant (the device seeking access), the authenticator (the network device, such as a switch), and the authentication server (which holds user credentials).

Supplicant: The device attempting to access the network is known as the supplicant. It could be a computer, phone, or any other network-capable device. The supplicant initiates the connection and sends its identity to the authenticator.

Authenticator: This is typically a network switch or a wireless access point. The authenticator acts as the intermediary between the supplicant and the authentication server. It prevents data from passing through the port until the supplicant is authenticated.

Authentication Server: The authentication server is responsible for verifying the supplicant's identity. It holds user credentials, often stored in a centralized database like RADIUS. The server evaluates the supplicant's credentials and sends an authentication result back to the authenticator.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
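As an added worked example (not from any of the posts above and not taken from Cisco documentation) of the setup both Joseph and M02@rt37 describe: a Cisco IOS access switch acts as the 802.1X authenticator, a RADIUS server is the authentication server, an employee whose supplicant authenticates is placed in the employee VLAN by a VLAN attribute the RADIUS server returns, and any device that never answers the switch's EAPOL requests (a visitor's laptop with no supplicant configured) or that fails authentication is dropped into an Internet-only guest VLAN. The RADIUS address 10.10.10.5, the server name ISE-1, VLAN numbers 50 and 90, the interface and the shared-secret placeholder are all assumptions made for the illustration.

```cisco
! --- Authentication server: one RADIUS server (ISE, NPS, FreeRADIUS...) ---
! 10.10.10.5 and ISE-1 are assumed values for this example.
aaa new-model
radius server ISE-1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa group server radius ISE
 server name ISE-1
! Authenticate 802.1X sessions against the group, and let RADIUS push
! per-session authorization (this is what makes the VLAN attributes work).
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! Turn on 802.1X globally; ports stay blocked until this is enabled.
dot1x system-auth-control
!
! VLAN 50 = employees (routed to the intranet and the Internet).
! VLAN 90 = guests, with an ACL/firewall upstream allowing Internet only.
vlan 50
 name EMPLOYEES
vlan 90
 name GUEST-INTERNET-ONLY
!
! --- Authenticator: a user-facing access port ---
interface GigabitEthernet1/0/1
 description user-facing access port (802.1X, guest VLAN fallback)
 switchport mode access
 ! Static VLAN is the guest VLAN, so even a misconfigured port is Internet-only.
 switchport access vlan 90
 ! Port is unauthorized until a supplicant passes 802.1X.
 authentication port-control auto
 ! One MAC per port: a second device cannot ride an authenticated session.
 authentication host-mode single-host
 ! Device never answers EAPOL (no supplicant, e.g. a visitor) -> guest VLAN.
 authentication event no-response action authorize vlan 90
 ! Device answers but fails authentication -> guest VLAN as well.
 authentication event fail action authorize vlan 90
 ! A second MAC showing up on the port is dropped and logged, not authorized.
 authentication violation restrict
 ! Re-check the session periodically using the RADIUS-supplied timer.
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 ! 2 retries, 10 s apart: ~30 s before a supplicant-less device hits the guest VLAN.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
 spanning-tree bpduguard enable
```

On the RADIUS side, the employee policy returns the three standard attributes that tell the switch which VLAN to authorize: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6), and Tunnel-Private-Group-ID (81) = "50"; without `aaa authorization network` the switch ignores them. `show authentication sessions interface GigabitEthernet1/0/1 details` shows which of the three outcomes (authenticated, guest VLAN, auth-fail VLAN) a given port landed in. Two caveats a practitioner will want: the guest VLAN only gives "Internet only" if the ACL or firewall on its gateway actually denies the internal ranges, and `single-host` mode breaks PCs behind IP phones or small hubs, which need `authentication host-mode multi-domain` and then each device must authenticate on its own. 802.1X authorizes the port for a MAC address, not each frame, so a device that clones an already-authorized MAC is the "piggyback" case Joseph raises; short reauthentication timers reduce the window, and MACsec (802.1AE) closes it.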

BTW, I was at a company, about 15+ years ago, where we first tried using .1x on wired ports.  It worked but we found ways to breach it.  Possibly, those no longer can be done, but that I don't know.
