Hello,
I'd second what @parnassus says - it would be easier longer term to concentrate on allowing the "good" hosts rather than trying to deny the "bad" ones.
It is much easier to centralise your "whitelist" in an Authentication server than try and manage it across a distributed network.
My approach would be as follows. It is not a "quick win" but it is relatively inexpensive and would be a good investment of your time:
It is not too difficult to add a "Network Policy server" role to a Windows Server - you may already have one setup for VPN access - and use this as your Network Access enforcement layer.
The hard work will be in collecting the MAC addresses and adding the devices as AD Users with MAC:MAC as the UserID:Password combo into AD. Fortunately this can be scripted if you take this route.
However, I would prefer to convert the domain clients to use dot1x to sign onto the network - this can be done either using the machine Certificate or the user credentials - one or the other is permissable.
If you use the machine Cert you won't have "foreign" non-domain devices on your network. Using Domain credentials would still allow foreign devices but users would need to use their ID/password to access the network so
Using the MAC address is susceptible to MAC cloning which is really easy on any platform, especially linux, these days. I tend to only use this technique for devices such as phones, printers etc that don't offer a dot1x client or supplicant and don't need internet access.
Once you have the NPS side of things configured you can look at the clients who may need a Group Policy update to get them to use the dot1x supplicant capability of their network adapter.
It is then just* a question of bringing the switches into NPS as a "Network Access server" or NAS and configuring the switch to use RADIUS messages to authenticate network access against AD.
(*) - once you get the first switch configured and accepting secured users onto the network you can add each switch as a NAS in NPS and pretty much duplicate the config on the switch.
Whether you use MAC or dot1x, either is better than nothing. The biggest benefit is that the intelligence about network access is held centrally and you don't need to manage all those MAC access rules on a per switch basis. The time that you invest will pay you back many times and you will have a super secure network that only the trusted clients should be able to access.
There are many resources (videos, config guides, walk-throughs) on the web at your fingertips to get you from where you are to where you need to be with the configuration.
If this kind of network access solution is of interest let us know and we can dig out some further reading for you.
Not quite what you asked for but sometimes these things don't always look like what you imagined.
many thanks
Ian
Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
