802.1x and Malware Identification

Ryan2024
Conversationalist

802.1x and Malware Identification

Hi all,

 

I'm new to networking and recently started with a new company. I haven't been able to get an answer to this, so I thought I'd try here.

 

My understanding is that because we use 802.1x and have to configure each AP's IP address on our firewall, when our SOC identifies malware on an endpoint, they can only see the AP's IP address. So if there's, say, 10-20 devices on the AP, there's no way to know exactly which device needs to be remediated.

 

1. Is this a common implementation? It seems...not great, from a security perspective. 

2. Are there any alternatives with our current infrastructure, or would the solution be to move away from 802.1x to something like FortiNAC?

3. Did anything that I just said make any sense, or should I change careers (again)?

 

I appreciate your time.

8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal

I believe they are monitoring incorrectly, regardless of whether the client is on Wi-Fi or wired network, they should be able to identify the source of the alert.

I believe they should correct the monitoring.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

By the way, I don't know how you are monitoring but Trellix can be a great ally in these cases.

 

https://www.trellix.com/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Ryan2024
Conversationalist

Thank you - I'll reach out to our SOC for clarification.

Mloraditch
Head in the Cloud

If you are using NAT mode for your wireless clients on any of your ssids, then any upstream device will only see the traffic as sourcing from the AP so this is entirely possible, although it has nothing to do with 802.1x. That functionality can work with or without NAT mode.

You can change your ssids to drop off to a VLAN the firewall can fully see to alleviate the issue.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
alemabrahao
Kind of a big deal
Kind of a big deal

In this case it makes sense.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Ryan2024
Conversationalist

I just double-checked, and we do have NAT mode enabled on our SSIDs. Do you know of any major drawbacks or pitfalls to transitioning off of this?

alemabrahao
Kind of a big deal
Kind of a big deal

The biggest disadvantage is that in NAT mode, client devices will always use the AP's IP to communicate with any resource.

If you need to monitor client IPs, use bridge mode.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

Several thoughts.

 

1. You could get the SOC to monitor the APs and the firewall.  Then they'll be able to see clients.

2. You are probably using SSID NAT mode.  If you create a dedicated VLAN for guests, and bridge the SSID to that VLAN they'll be able to see the individual clients on the firewall.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels