We are deploying Clean Access to the dorms in the Fall. We are going to have a centralized deployment (L3 / In-band / RealIP), but we have to run in In-band mode because we have unmanaged workgroup switches in the dorm rooms (there aren't enough network jacks in the rooms). I would assume that we have to filter gaming systems by assigning them specific IP addresses (since there are multiple hops to the CAS', prohibiting MAC filtering), that we then add to a subnet filter. For example, a building floor network could be 10.1.1.0/24. We could manually assign the top half addresses (10.1.1.129/25) to gaming systems, and add that subnet as a subnet filter with a gaming role, while the bottom half (10.1.1.0/25) is used for regular users that go through posture assessment, auth, etc.
What is everyone doing to prevent users from manually assigning IP addresses that are in the filter (I guess the problem still exists with users manipulating MAC addresses in L2 mode)? Do you just chalk this up to - if the user is that savvy, then we don't have to worry about them being up to par? Is there a better way of doing this that I'm totally overlooking? I apologize if this is a remedial question - we're still just starting to get our hands dirty with NAC. :) It would be nice if Cisco introduced a SRND for Clean Access detailing best practice... Thanks in advance.

-Tim

Tim Riegert
Towson University
Network Engineer
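One defender-side answer to the question above is to audit the exempt range rather than trust it: periodically pull the floor gateway's ARP/neighbor table and compare every address in the subnet-filtered half of the /24 against the inventory of consoles that were actually handed static addresses there. The script below is an added example, not code from the original post or from Cisco Clean Access; it assumes a registry of registered console MACs keyed by IP (here a constructed dictionary), an ARP export in a simple "ip mac" text form (constructed sample lines), and uses 10.1.1.128/25 as the exempt upper half of the post's 10.1.1.0/24 example.

```python
"""Audit a NAC subnet-filter (exempt) range for hosts that were not registered.

Added example, not from the original post. Assumptions: the network team keeps a
registry mapping each statically assigned console IP to its MAC, and the floor
gateway's ARP table can be exported as lines of "<ip> <mac>". All data below is
constructed sample data.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Exempt range that bypasses posture assessment: the upper half of the
# 10.1.1.0/24 floor network from the post's example (network address .128).
EXEMPT_SUBNET = ipaddress.ip_network("10.1.1.128/25")

# Consoles deliberately given static addresses in the exempt range
# (constructed; a real deployment would load this from the inventory system).
REGISTERED_CONSOLES: Dict[str, str] = {
    "10.1.1.130": "00:1f:00:aa:bb:01",
    "10.1.1.131": "00:1f:00:aa:bb:02",
}

# Constructed gateway ARP export. Line 3 reuses a registered console MAC on an
# address that was never assigned; line 4 is an unknown host that picked an
# address in the exempt range; line 5 is an ordinary user in the lower half.
SAMPLE_ARP_TABLE = """\
10.1.1.130 00:1f:00:aa:bb:01
10.1.1.131 00:1f:00:aa:bb:02
10.1.1.140 00:1f:00:aa:bb:01
10.1.1.150 00:22:33:44:55:66
10.1.1.20  00:22:33:44:55:77
"""

ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F:]{17})\s*$")


def parse_arp_table(text: str) -> List[Tuple[str, str]]:
    """Parse "<ip> <mac>" lines into (ip, lowercase mac) tuples; skip junk lines."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def find_unregistered_exempt_hosts(
    entries: List[Tuple[str, str]],
    registry: Dict[str, str],
    exempt: ipaddress.IPv4Network = EXEMPT_SUBNET,
) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, reason) for every host inside the exempt range that the
    registry does not account for. Three cases are distinguished so the helpdesk
    ticket says what to look at: an address nobody was assigned, a registered
    address answering with a different MAC, and a registered console MAC showing
    up on an address it was never given."""
    registered_macs = {mac.lower() for mac in registry.values()}
    findings: List[Tuple[str, str, str]] = []
    for ip, mac in entries:
        if ipaddress.ip_address(ip) not in exempt:
            continue  # lower half: these hosts go through posture/auth anyway
        expected = registry.get(ip)
        if expected is None:
            if mac in registered_macs:
                findings.append((ip, mac, "registered console MAC seen on unassigned address"))
            else:
                findings.append((ip, mac, "unregistered host in exempt range"))
        elif expected.lower() != mac:
            findings.append((ip, mac, f"MAC mismatch, registry has {expected}"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in find_unregistered_exempt_hosts(
        parse_arp_table(SAMPLE_ARP_TABLE), REGISTERED_CONSOLES
    ):
        print(f"{ip:<12} {mac}  {reason}")
```

Run against the constructed table this reports 10.1.1.140 and 10.1.1.150 and stays quiet about the two registered consoles and the lower-half user. Feeding it a real ARP export from the floor gateway on a schedule turns "we hope nobody hard-codes an exempt address" into a daily list of addresses to disable or trace to a room.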
