Anyone who played with Cisco ACS [mac addresses] [switch port]

Q: Has anyone played with Cisco ACS and set up MAC address authentication? I'm thinking about doing verification based on approved MAC addresses (on the ACS server). It can work well, but it requires a lot of maintenance. I have to manually add or remove MAC addresses as necessary, and I was hoping ACS could point to a database that I can dynamically update with its set of addresses (I already have a system that collects each machine's MAC daily). This can be done for user authentication, but I'm not seeing it as an option for MAC addresses. I suppose there must be a way, if this is applied to networks with hundreds or thousands of machines?

Has anyone used something like this? I'm curious how people handled the backend and maintenance of it.

Thanks!
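The maintenance problem described in this post is keeping an allowlist in step with a daily inventory export. The script below is an added example written for this page, not code from the thread or from Cisco: it normalises MAC addresses from the mixed formats that inventory tools and switches emit (colon, hyphen, Cisco dotted), reconciles the inventory against the current allowlist, and reports what to add, what to remove (retired machines that should lose access) and which inventory lines are malformed. The file layouts and sample addresses are constructed assumptions; applying the result to the ACS database is left to the operator, since the thread does not document an ACS import interface. Keep in mind that a MAC address identifies a NIC, not a user, so this kind of allowlist is an inventory control, not a substitute for the 802.1x user authentication later replies recommend.

```python
"""
Added example (not from the thread): reconcile a MAC allowlist against a
daily inventory export, the maintenance task the original poster describes.

Assumptions (all constructed for this example):
  - the inventory system exports one MAC per line, in whatever format the
    tool that collected it happens to use (colon, hyphen, Cisco dotted);
  - the current allowlist is a plain text file in the same loose format;
  - the output is the set of entries to add and to remove, which an
    operator (or a later script) then applies to the ACS database.
"""
import re

# Canonical form: exactly 12 lowercase hex digits, no separators.
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise a MAC to 12 lowercase hex digits, or return None if it
    is not a well-formed 48-bit address. Accepts aa:bb:cc:dd:ee:ff,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and bare aabbccddeeff."""
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    return digits if MAC_RE.match(digits) else None


def parse_mac_list(text):
    """Parse one MAC per line; '#' starts a comment. Returns (macs, rejects)
    so malformed entries are reported rather than silently dropped."""
    macs, rejects = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None:
            rejects.append((lineno, entry))
        else:
            macs.add(mac)
    return macs, rejects


def reconcile(inventory_macs, allowlist_macs):
    """Return (to_add, to_remove): MACs in inventory but not yet allowed,
    and allowed MACs no longer in inventory (decommissioned machines that
    should lose access). Both lists are sorted for stable diffs."""
    return (sorted(inventory_macs - allowlist_macs),
            sorted(allowlist_macs - inventory_macs))


def format_cisco(mac):
    """Render a canonical MAC in Cisco dotted form (aabb.ccdd.eeff)."""
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


# Constructed sample data: a daily inventory export and the current allowlist.
SAMPLE_INVENTORY = """\
# inventory export, constructed sample
00:11:22:33:44:55
00-11-22-33-44-66   # desktop, hyphen format from a Windows tool
0011.2233.4477      # printer, Cisco dotted
00:11:22:33:44:5    # truncated entry, must be rejected
"""
SAMPLE_ALLOWLIST = """\
0011.2233.4455
0011.2233.4488      # machine that was retired last week
"""


def run_sample():
    """Run the reconciliation over the constructed sample files."""
    inv, inv_rejects = parse_mac_list(SAMPLE_INVENTORY)
    allowed, _ = parse_mac_list(SAMPLE_ALLOWLIST)
    to_add, to_remove = reconcile(inv, allowed)
    return {"add": to_add, "remove": to_remove, "rejects": inv_rejects}


if __name__ == "__main__":
    result = run_sample()
    for mac in result["add"]:
        print("ADD   ", format_cisco(mac))
    for mac in result["remove"]:
        print("REMOVE", format_cisco(mac))
    for lineno, entry in result["rejects"]:
        print("REJECT line %d: %r" % (lineno, entry))
```

Rejected lines are reported rather than dropped on purpose: a silently skipped entry is exactly how a machine ends up unable to authenticate (or, worse, a retired one stays allowed) without anyone noticing.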


Re: If you're interested in straight MAC authentication, check out MetaInfo MetaIP (http://www.metainfo.com).

Re: Oh nuts. Then there is no way to tie ACS into some database for MAC addresses. I think I pursued NAC at some point a year ago but gave it up due to costs. This idea using dot1x seemed like a much cheaper and easier alternative, but I guess it comes with a price in that it's not very manageable when dealing with huge networks.

Re: nmweaver,

You know me, I love them. But I've been beating them up over this for quite a few years now.

I agree with you, "it's getting better".

But they made a crucial promise at a crucial time and didn't deliver. It will be interesting to see how it will play out. Frankly, I think other network companies offer more. But then you weigh that against the operational aspects of Cisco?

Well, we're not talking about technological advantages, but operational ones.


Re: NAC is getting better, I promise. Most of the problem is the vendors not supporting it. NAC V2 has just fired up (Cisco cert for partners) and adds stuff. Plus the new ACS version (4.x) helps too, and adds NAC to wireless.

Re: Originally posted by: guy
Clean Access can do what you just described, but you're looking at some serious money and time… not even Cisco is well prepared to support it.
Every time we have a problem with CCA, we have to keep calling to re-queue our service requests.

off topic…

They aren't delivering what they promised with NAC, and I hate Clean Access. It doesn't scale for the normal 3-tier layer 3 architecture.

Others out there are doing it much better. Foundry/Enterasys, to name a few.


Re: Clean Access can do what you just described, but you're looking at some serious money and time… not even Cisco is well prepared to support it.
Every time we have a problem with CCA, we have to keep calling to re-queue our service requests.

Re: Yes, it's part of the dot1x rollout. I want to be able to restrict which machines are allowed to get on our VLAN, and then any machine that doesn't get recognized I drop onto another VLAN that only has internet access. Basically we have a lot of clients that bring in their laptops, and I don't want them to be able to plug in anywhere and get on a VLAN I don't want them to be in.

Re: Isn't this what VMPS is for? I think that is outdated though.

I know you can do easy-to-administer MAC address authentication (ACS isn't the right tool); I just haven't had a need for it in a long time because everything is 802.1x now.


Re: I agree, doing it by MAC is a lot of work to maintain; however, if you do it by user (or more specifically account) authentication, you can tie it in to something else and keep your time spent configuring ACS minimal.

Re: I would use user auth instead of MAC… I use ACS, but never do the MAC stuff, and most of my ACS is wireless oriented.
