01-14-2025 05:36 AM
Hi all,
I'm new to networking and recently started with a new company. I haven't been able to get an answer to this, so I thought I'd try here.
My understanding is that because we use 802.1x and have to configure each AP's IP address on our firewall, when our SOC identifies malware on an endpoint, they can only see the AP's IP address. So if there's, say, 10-20 devices on the AP, there's no way to know exactly which device needs to be remediated.
1. Is this a common implementation? It seems...not great, from a security perspective.
2. Are there any alternatives with our current infrastructure, or would the solution be to move away from 802.1x to something like FortiNAC?
3. Did anything that I just said make any sense, or should I change careers (again)?
I appreciate your time.
01-14-2025 01:10 PM
Several thoughts.
1. You could get the SOC to monitor the APs and the firewall. Then they'll be able to see clients.
2. You are probably using SSID NAT mode. If you create a dedicated VLAN for guests, and bridge the SSID to that VLAN they'll be able to see the individual clients on the firewall.
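As an added example (not code from this thread or from any vendor), here is one way a SOC could do the correlation this reply suggests: match a firewall alert that only shows the AP's NAT address against per-client translation records from the AP. It assumes the AP or its syslog export provides such records (whether your platform does is an assumption, not something the thread confirms); without them, the second function shows the best you get, namely every client that was behind that AP at the time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Alert:            # what the SOC sees: only the AP's NAT address and source port
    ts: datetime
    src_ip: str
    src_port: int


@dataclass
class NatRecord:        # hypothetical per-client translation export from the AP
    start: datetime
    end: Optional[datetime]   # None = translation still active
    ap_ip: str
    nat_port: int
    client_mac: str
    client_ip: str


def _active(r: NatRecord, ts: datetime, slack: timedelta) -> bool:
    """True if the record covers ts, allowing for clock skew between AP and firewall."""
    if ts < r.start - slack:
        return False
    return r.end is None or ts <= r.end + slack


def attribute(alert: Alert, records: list[NatRecord],
              slack: timedelta = timedelta(seconds=30)) -> Optional[NatRecord]:
    """Match an alert to exactly one client by AP address, translated port and time."""
    hits = [r for r in records
            if r.ap_ip == alert.src_ip and r.nat_port == alert.src_port
            and _active(r, alert.ts, slack)]
    return hits[0] if len(hits) == 1 else None   # None: no log, or port reused ambiguously


def candidates(alert: Alert, records: list[NatRecord]) -> set[str]:
    """Without port-level records: every client behind that AP at alert time (manual triage list)."""
    return {r.client_mac for r in records
            if r.ap_ip == alert.src_ip and _active(r, alert.ts, timedelta(0))}


# Constructed sample data, not taken from the thread.
T = datetime(2025, 1, 14, 5, 36)
RECORDS = [
    NatRecord(T - timedelta(minutes=5), None, "10.0.1.20", 40001, "aa:bb:cc:00:00:01", "192.168.128.11"),
    NatRecord(T - timedelta(minutes=2), None, "10.0.1.20", 40002, "aa:bb:cc:00:00:02", "192.168.128.12"),
    NatRecord(T - timedelta(hours=1), T - timedelta(minutes=30), "10.0.1.20", 40002, "aa:bb:cc:00:00:03", "192.168.128.13"),
]
ALERT = Alert(T, "10.0.1.20", 40002)

if __name__ == "__main__":
    hit = attribute(ALERT, RECORDS)
    print("remediate:", hit.client_mac if hit else "unknown")   # aa:bb:cc:00:00:02
    print("candidates:", sorted(candidates(ALERT, RECORDS)))
```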
01-14-2025 06:21 AM
I believe they are monitoring incorrectly; regardless of whether the client is on the Wi-Fi or wired network, they should be able to identify the source of the alert.
I believe they should correct the monitoring.
01-14-2025 06:43 AM
By the way, I don't know how you are monitoring but Trellix can be a great ally in these cases.
01-14-2025 07:49 AM
Thank you - I'll reach out to our SOC for clarification.
01-14-2025 06:48 AM
If you are using NAT mode for your wireless clients on any of your SSIDs, then any upstream device will only see the traffic as sourcing from the AP, so this is entirely possible, although it has nothing to do with 802.1x. That functionality can work with or without NAT mode.
You can change your SSIDs to drop off to a VLAN the firewall can fully see to alleviate the issue.
01-14-2025 07:39 AM
In this case it makes sense.
01-14-2025 08:02 AM
I just double-checked, and we do have NAT mode enabled on our SSIDs. Do you know of any major drawbacks or pitfalls to transitioning off of this?
01-14-2025 08:25 AM
The biggest disadvantage is that in NAT mode, client devices will always use the AP's IP to communicate with any resource.
If you need to monitor client IPs, use bridge mode.