David, we simply create a filter of MAC addresses with wildcards, since almost all systems from a particular manufacturer have only a few MAC address ranges that start with the same first 2 octets. We then create a Game Consoles Role that disallows all on-campus access, so if for some reason the allowed MAC address belongs to a computer, or if some user spoofs his or her MAC address, they cannot access their student portal, email, or online classes. This deters people from spoofing, or, if the MAC address actually belongs to a computer, they will contact us since they do not have access to student resources. Other than that, all other traffic is allowed, so that when new services come out there will not be an issue of a port that needs to be opened. So in the filter, select to put that device in the Game Consoles Role.
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of McIntosh, David
Sent: Thursday, May 27, 2010 10:52 AM
To: [email protected]
Subject: Gaming Device registration

All,

We are looking for a possible new method for the way in which we handle the registration of headless devices such as the Nintendo Wii, Xbox 360, PlayStation 3, TiVo, etc. For the last 5 years we have relied on a web-based form that students have accessed to provide registration information, including their name, type of system, MAC address and device description. When students filled out the form, the MAC address they entered was checked against a range of known MAC addresses to verify what they were registering, and if the range didn't fit they were asked to either correct their typo or come into our remediation center for verification. In this way we hoped to minimize the registration of computers as gaming systems in order to bypass CCA.

Up until recently we have been fairly successful in maintaining a list of ports to allow open access to, and MAC addresses that correspond to the various systems. Unfortunately, we have reached the point where it is simply impossible to keep up with all the new MAC address ranges for the new systems as they come out, and to prevent being overloaded with walk-in traffic looking for verification. Furthermore, with the addition of applications to the newest platforms (Netflix, web browsing, e-mail, etc.), it became increasingly difficult to monitor the ports that we needed to keep open, resulting in our being completely overwhelmed. The quick fix to this was simply to open the gaming role to all ports; however, this was done without the knowledge that the MAC address checking fail-safe had also been disabled.

This summer we are implementing various changes to CCA, including an upgrade, and are looking for ideas to re-work how we have been managing our gaming devices. I'm interested in hearing anyone else's solutions or anyone's ideas for the continued management of these devices so we can, hopefully, abandon the system of managing ports and MAC addresses.

David McIntosh
IT Services
Miami University
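The following is an added illustration of the role-assignment scheme described in the reply above; it is example code written for this page, not Cisco Clean Access filter syntax or anything posted by the list members. It models a wildcard MAC filter that drops matching devices into a "Game Consoles" role which is denied the student resources (portal, mail, online classes) but allowed everything else. The OUI prefixes, hostnames and role names are constructed placeholders. One assumption differs from the reply: the patterns here fix the first three octets (the standard OUI length) rather than two.

```python
# Added example (not CCA configuration): model of the "Game Consoles" role
# assignment described in the reply. A device whose MAC matches a wildcard
# prefix is placed in a role that cannot reach student resources but is
# otherwise unrestricted, so a computer that spoofs a console MAC (or a
# console prefix that turns out to belong to a PC) loses campus access
# instead of gaining a bypass.
import re
from fnmatch import fnmatchcase

# Constructed sample filters. These OUI prefixes are placeholders, not real
# console manufacturer assignments.
GAME_CONSOLE_FILTERS = [
    "00:11:22:*:*:*",   # hypothetical console vendor OUI
    "AA:BB:CC:*:*:*",   # hypothetical console vendor OUI
]

# Constructed campus resources that the Game Consoles role must not reach.
STUDENT_RESOURCES = {
    "portal.example.edu",
    "mail.example.edu",
    "lms.example.edu",
}

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in upper-case colon form; reject malformed input
    (a typo in a registration form should be sent back, not silently matched)."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac.upper().replace("-", ":")


def assign_role(mac: str, filters=GAME_CONSOLE_FILTERS) -> str:
    """First matching wildcard filter wins; anything else gets the Default
    role, which in this model still has to pass normal CCA checks."""
    canonical = normalize_mac(mac)
    for pattern in filters:
        if fnmatchcase(canonical, pattern.upper()):
            return "Game Consoles"
    return "Default"


def is_allowed(role: str, destination: str) -> bool:
    """Game Consoles: deny student resources, allow all other traffic (no
    per-service port list to maintain). Default: allow, since the device is
    assumed to have passed the regular agent/posture checks."""
    if role == "Game Consoles":
        return destination not in STUDENT_RESOURCES
    return True


def evaluate(mac: str, destination: str) -> dict:
    """Combine filter match and role policy for one flow."""
    role = assign_role(mac)
    return {"role": role, "allowed": is_allowed(role, destination)}


if __name__ == "__main__":
    # A laptop spoofing a console OUI reaches gaming services but not the portal.
    print(evaluate("00:11:22:33:44:55", "xbox-live.example.net"))
    print(evaluate("00:11:22:33:44:55", "portal.example.edu"))
    # An ordinary laptop stays in the Default role.
    print(evaluate("DE:AD:BE:EF:00:01", "portal.example.edu"))
```

The deterrent in the reply comes from the second call: a spoofed console MAC gets the console role, and the console role cannot reach the portal, mail or LMS, so the student has nothing to gain by spoofing and will come in to be re-registered if a legitimate computer was mis-filed.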
