I'm curious how those of you worried about MAC address spoofing address the spoofing of user agents to get a device to appear as another. From my understanding, you need to disable the Java/ActiveX applet requirement for a login page in order for the devices that can't load them to use the web login. In doing so you become completely dependent on the user agent to determine the OS of the machine and IMO that's much easier than a MAC to spoof.

We're expanding the current registration process we have for gaming consoles to encompass tablets/phones/etc. but still making users register their devices with us. Not sure I'm ready to trust user agents for OS identification :)

--Jeremy

On Thu, Jan 13, 2011 at 16:35, Bruce Hodge <[email protected]> wrote:

> Kyle,
> We turn portfast on, on all our Cisco edge devices because over the
> years we have had terrible trouble with PXE boot and Macs.
> But we have also turned on some loop prevention guarding as well.
> spanning-tree portfast edge
> spanning-tree bpduguard enable
>
> Here at Newcastle University we have a wireless population of up to 1100
> concurrent users and more than 3000 individual users per day.
> My experience tells me that the kids will prefer to use wireless if they
> can, but it needs to work well if you want a good take up ;-)
> ta
>
> On 1/14/2011 8:25 AM, Kyle Torkelson wrote:
>
> One question, off topic, that I have is for those that have Cisco
> switches, are you using spanning tree? We have some gaming consoles in our
> dorms that students complain about not being able to connect and getting an
> MTU error. I’ve actually tested this and if I turn on spanning-tree
> portfast, the game consoles work right away. Without that command, the
> students aren’t patient enough to get an IP and try to push the issue and
> then are unable to get connected since then they disconnect the ethernet
> cable, etc.
>
> Just curious if others see the same thing or if they push their gamers to
> use wireless. We’ll be deploying Cisco 1142’s in our dorms this Spring
> which I’m hoping will alleviate some of this…
>
> Thanks
>
> *From:* Cisco Clean Access Users and Administrators [mailto:[email protected] <[email protected]>]
> *On Behalf Of *Biddle, Rob
> *Sent:* Thursday, January 13, 2011 3:12 PM
> *To:* [email protected]
> *Subject:* Re: 80 New Tablets
>
> As long as the device has a browser there shouldn’t be any reason to
> outright white list (as in allowing the device via a MAC address filter). I
> avoid MAC filtering whenever possible since it’s so easy to spoof.
>
> NAC makes it fairly simple to set up different access based on OS
> detection. We don’t currently require Apple (although we do offer the OS X
> agent as an option) or Linux users to use the NAC agent, but we do require
> authentication via the NAC web login. iPad/iPhone/iPod Touch/Android
> devices all log in via the web login. Most of the new tablets will be
> Android based, plus some Windows and WebOS. I don’t see why any of those
> will be an issue.
>
> We do use specific MAC filtering for our Gaming network since the Game
> Consoles won’t launch a browser until after they have successfully connected
> to Xbox Live/PlayStation Network. I’m sure it wouldn’t be too difficult to
> allow that traffic in the unauthenticated role, but I haven’t had time to
> test it. We have a formal registration process for users requesting this
> type of access. I won’t consider doing MAC wildcard white listing since
> that would make it extremely easy to spoof your way past NAC.
>
> _____________________________
> Rob Biddle
> Network Systems Engineer / Administrator
> College of Mount St. Joseph
>
> *From:* Cisco Clean Access Users and Administrators [mailto:[email protected] <[email protected]>]
> *On Behalf Of *Chris Zeigler
> *Sent:* Thursday, January 13, 2011 12:27 PM
> *To:* [email protected]
> *Subject:* 80 New Tablets
>
> CES was saying 80 new tablets should be out this year alone. As it stands
> at this time on our campus, we’re simply whitelisting any students that come
> in with iPads and iPhones, but we haven’t really seen any other devices.
> I’m curious to know what everybody else will be doing for tablets, gaming
> systems, etc.
>
> Chris Zeigler
> System Administrator
>
> Mary Baldwin College
> Staunton, VA 24401
> 540-887-7362
>
> [email protected]
>
> --
> Bruce Hodge
>
> Team Leader Networks and Communications Group
> IT Services
> The University of Newcastle, Australia
> Phone: +61 2 492 15563
> Fax: +61 2 492 16910
> Email: [email protected]
> Mobile: 0408 610 293
> IT Support: +61 2 492 17000
>
> http://www.newcastle.edu.au/unit/it
> CRICOS Provider Number: 00109J
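An added example, not part of the original thread and not code from any NAC product: one way to review how far user-agent OS identification can be trusted is to flag registered MAC addresses whose web logins claim different OS families over time. The record layout, function names and sample data are assumptions constructed for illustration; the MAC addresses come from the documentation range.

```python
"""Flag devices whose web-login User-Agent OS family changes between logins."""
import re
from collections import defaultdict

# Ordered patterns: the first match wins, so mobile tokens are checked before
# the desktop tokens they embed (Android UAs contain "Linux", iPad UAs "Mac OS X").
OS_PATTERNS = [
    ("android", re.compile(r"Android", re.I)),
    ("ios", re.compile(r"iPad|iPhone|iPod", re.I)),
    ("windows", re.compile(r"Windows NT", re.I)),
    ("macos", re.compile(r"Mac OS X|Macintosh", re.I)),
    ("linux", re.compile(r"Linux|X11", re.I)),
]


def os_family(user_agent):
    """Classify a User-Agent string into a coarse OS family (hypothetical helper)."""
    for family, pattern in OS_PATTERNS:
        if pattern.search(user_agent):
            return family
    return "unknown"


def inconsistent_devices(records):
    """Return {mac: sorted families} for MACs seen with more than one OS family."""
    seen = defaultdict(set)
    for mac, user_agent in records:
        seen[mac.lower()].add(os_family(user_agent))
    return {mac: sorted(fams) for mac, fams in seen.items() if len(fams) > 1}


# Constructed sample records (MAC, User-Agent); not taken from any real log.
SAMPLE_LOGINS = [
    ("00:00:5E:00:53:01", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.10"),
    ("00:00:5e:00:53:01", "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X) AppleWebKit/533.17"),
    ("00:00:5E:00:53:02", "Mozilla/5.0 (Linux; U; Android 2.2; en-us) AppleWebKit/533.1"),
    ("00:00:5E:00:53:02", "Mozilla/5.0 (Linux; U; Android 2.2; en-us) AppleWebKit/533.1"),
]

if __name__ == "__main__":
    for mac, families in inconsistent_devices(SAMPLE_LOGINS).items():
        print(f"review {mac}: user agents claim {', '.join(families)}")
```

A hit is a prompt for review rather than proof of spoofing, since a dual-boot machine produces the same pattern, and a device that always presents the same altered user agent is not flagged by this check.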
