Hey everyone! I'm setting up a network access control lab using NPS on Windows Server 2022, and I'm working with Cisco switches. My main challenge is with managing non-Microsoft devices like access points, printers, and scanners. I've found that creating a user for each device with the MAC address as a password works, but I'm concerned this approach isn't suitable for a production environment. Does anyone have experience with this and can suggest better methods for managing such devices? It's worth noting that there are quite a few non-Microsoft devices, so creating policies based on calling station ID isn't practical due to field limitations. Additionally, I'm looking for a way to authenticate these devices, but setting up a dedicated VLAN for them isn't an option for me. Thanks for any insights!
2 Answers
I've worked with 802.1x for a long time, and one thing I've learned is that trying to over-engineer solutions for devices like printers and scanners can just complicate things. Most of these devices have static MAC addresses and the ports they connect to rarely change. I recommend enabling port security on those switch ports and limiting them by MAC addresses. Keep track of unused ports, shut them down, and ensure the active ones have proper documentation. For ports that do have movement, you might consider keeping them on a guest VLAN to ensure users stay online without accessing sensitive corporate resources.
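The port-security approach described in this answer, written out as an added Cisco IOS configuration example (not from the answer's author); the interface ranges, VLAN IDs and description text are constructed placeholders for a lab:

```cisco
! Added example: lock a printer/AP port to a single learned MAC.
! Interface names and VLAN numbers are constructed placeholders.
interface GigabitEthernet1/0/10
 description Printer - 3rd floor (owner: facilities, asset tag in CMDB)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 ! one MAC only; sticky converts the first learned MAC into a static entry
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! restrict: drop frames from unknown MACs, log/trap, keep the port up
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: document, park on a dead VLAN and shut down.
interface range GigabitEthernet1/0/40 - 48
 description UNUSED - shut down per port policy
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Save the learned sticky addresses so they survive a reload.
end
write memory
!
! Verification commands for the documentation step:
! show port-security interface GigabitEthernet1/0/10
! show port-security address
! show interfaces status
```

The `show port-security address` output is the record to keep alongside the port documentation; a `SecurityViolation` counter rising on a printer port is the signal that something other than the printer was plugged in.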
Using PKI and certificates with EAP-TLS for all your devices could provide strong authentication, but it might not be practical if not all devices support this method. Checking device compatibility is essential before setting this up, as it could potentially leave you with limited options.
