Skip to main content

MAC Locking on Wired Network

More
15 years 10 months ago #29316 by drizzle
I just got back from a long stay in Iraq. While I was out, our network guys setup mac locking on every wired port across the network. It turns out, all our users are a bit jaded with the support they got while I was gone and haven't mentioned the issues they are now experiencing. Many of them use their laptops to work in several different offices across our campus. The MAC Locking is now a serious detriment to business.

However, I am conscious of the security purposes for doing this. I would like to offer a better solution. I know we could go with 802.1x. What other options are out there? We are a full Cisco shop with the latest and greatest technology. Between MAC spoofing and the fact that all offices are secured and all visitors require an escort, I don't even think it is necessary.

Any advice?
More
15 years 10 months ago #29348 by Smurf
Its all going to depend on what you are protecting. You need to do a risk analysis and determine if the MAC filtering is causing too much inconvinence. At the end of the day, there needs to be a balance between security and usability.

Like you said, 802.1x would be better as it protects at the port level and users need to authenticate which means they can plug into any port as long as they can authenticate. Also Cisco NAC will give additional features of doing end point checking on hosts to ensure that they are at a base level before they get network access.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.128 seconds