We recently had an issue where a user brought their laptop in from home and plugged it into the network, attempting to get internet access. I know on a port level I could set up MAC restrictions, but I was wondering if there was a way that I could prevent a non-compliant machine from even getting access to our network in the future? We currently run all Windows 7 client machines and I'd like to simply tell it "if not Windows 7, no access", but I'm not sure exactly how to go about that. We are running an AD environment, 2008 and above Windows Servers.
I thought maybe NAP would work, and it appears to have a setting for WinXP (and one for Win7), but it allows me to disallow/allow access based on if it is up to date, if virus protection is on, etc, not if it's Windows XP itself. Is there a way that I could disable anything but what I specify from getting access to the network like this?
Thanks in advance for your help!
The credit should go to those who mentioned it above, but 802.1X is the way to control this type of behavior. There is a lot more involved than I have direct experience with, but I use a RADIUS server at home for authentication on my wireless network. With pfSense, it was easy to set up.
MAC authentication is the weakest type of authentication. MAC addresses can be spoofed in seconds, granting full access to the network: all the user has to do is find out the MAC address of his work laptop and spoof it on his personal laptop, and he has full access to the corporate network.
You should use 802.1X to stop this. Where I work we deployed it with Cisco switches and a Windows NPS server; only devices that are part of the domain get access to the network. We also used certificates with it.
However, locking a port down by MAC addresses alongside 802.1X is also a good idea, to prevent MAC flooding attacks. We've locked ports down to 8 MAC addresses to mitigate the risk of a MAC flooding attack.
Firstly, make sure you disable all network ports that don't need to be used.
And now onto another alternative which won't work for you, but for people out there to think about. Passive OS fingerprinting may work for someone wanting a solution to this problem who perhaps wants to block non-Windows users, or has a LAN of Mac computers and wants to block anything else.
I'm going to throw it in there as a possible solution that may be suitable for some situations. I still think something like 802.1X is a more robust option though.
It doesn't work because, as far as I can tell, you can't filter with osf on Windows:XP or something like that... or can you? I can't tell without trying it.
But suppose you just wanted to allow only windows machines.
1) Create a Linux bridge. http://bwachter.lart.info/linux/bridges.html
2) Load the passive OS fingerprint module and use rules like:
Read more: How to block/allow packets sent by specific Operating System with iptables?
This bridge machine then gets inserted between your network and the router. If you already have a Linux router on the network that you use as your firewall/gateway you could simply add the osf module rules to iptables.
Unfortunately, since OS fingerprinting is based on how an OS sets the initial TTL, window size and a few other bits and pieces in TCP SYN packets, it'll only work with TCP. Also, it can be defeated. So it's not entirely secure.
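To make concrete what the osf module is actually looking at (and why the answer above says it can be defeated), here is an added example, not part of the original answer and not the code of the iptables osf module: a minimal passive fingerprinter that parses a raw IPv4+TCP SYN, pulls out the initial TTL, window size, MSS and option order, and matches them against a small signature table. The signature table and the test packets are constructed for illustration only; the values are in the style of the osf/p0f fingerprint files but are not copied from them, so do not treat them as authoritative OS signatures.

```python
import struct
from typing import Optional

# Constructed, illustrative signature table (NOT the real osf/p0f database).
# ittl = initial TTL, win = SYN window size, mss = MSS option, opts = option order
SIGNATURES = [
    {"ittl": 128, "win": 8192,  "mss": 1460, "opts": "M,N,W,N,N,S", "os": "Windows 7"},
    {"ittl": 128, "win": 65535, "mss": 1460, "opts": "M,N,N,S",     "os": "Windows XP"},
    {"ittl": 64,  "win": 29200, "mss": 1460, "opts": "M,S,T,N,W",   "os": "Linux"},
]

# TCP option kinds -> one-letter codes used in the signature strings
OPTION_LETTERS = {1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value (32/64/128/255).
    Each router hop decrements TTL, so the value on the wire is below the OS default."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def parse_syn(packet: bytes) -> Optional[dict]:
    """Extract the fingerprint-relevant fields from a raw IPv4+TCP packet.
    Returns None unless the packet is a TCP SYN (SYN set, ACK clear)."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    ttl, proto = packet[8], packet[9]
    if proto != 6 or len(packet) < ihl + 20:
        return None
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4         # TCP header length in bytes
    flags = tcp[13]
    if not (flags & 0x02) or (flags & 0x10):
        return None
    win = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:data_off]
    letters, mss, i = [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end-of-option-list (padding)
            break
        if kind == 1:                     # NOP is a single byte
            letters.append("N"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                         # truncated or malformed option
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        letters.append(OPTION_LETTERS.get(kind, "?"))
        i += length
    return {"ittl": initial_ttl(ttl), "ttl": ttl, "win": win,
            "mss": mss, "opts": ",".join(letters)}


def guess_os(packet: bytes) -> str:
    """Match the SYN fingerprint against the table; 'unknown' if nothing matches."""
    fp = parse_syn(packet)
    if fp is None:
        return "not a SYN"
    for sig in SIGNATURES:
        if all(fp[k] == sig[k] for k in ("ittl", "win", "mss", "opts")):
            return sig["os"]
    return "unknown"


def build_syn(ttl: int, win: int, mss: int, option_string: str) -> bytes:
    """Construct a minimal IPv4+TCP SYN with the given fingerprint fields (test data only;
    addresses are from the 192.0.2.0/24 documentation range)."""
    opts = b""
    for letter in option_string.split(","):
        if letter == "N":   opts += b"\x01"
        elif letter == "M": opts += struct.pack("!BBH", 2, 4, mss)
        elif letter == "W": opts += struct.pack("!BBB", 3, 3, 8)
        elif letter == "S": opts += b"\x04\x02"
        elif letter == "T": opts += struct.pack("!BBII", 8, 10, 1, 0)
    while len(opts) % 4:
        opts += b"\x00"                   # pad option list to a 32-bit boundary
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, data_off << 4, 0x02, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + tcp


if __name__ == "__main__":
    print(guess_os(build_syn(127, 8192, 1460, "M,N,W,N,N,S")))   # Windows 7
    print(guess_os(build_syn(60, 29200, 1460, "M,S,T,N,W")))     # Linux
    print(guess_os(build_syn(200, 5840, 1460, "M")))             # unknown
```

The two limitations in the answer fall straight out of the code: only the SYN carries these fields, so UDP and ICMP traffic is never classified, and because every matched field is set by the sending host, a machine whose TCP stack has been tuned to emit a different TTL, window and option order will simply match a different row. That is why this is a convenience filter rather than an access control, and why 802.1X with domain certificates is the stronger answer for the original question.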
I would set up MAC filtering, as this is the most secure route, and you can be sure that you are catching everything. Why do you not want to set up a MAC filter?