
Physical Security to PIX 501 VPN Solution


xylax (MIS), Oct 14, 2005
I have a dilemma with physical access to Cisco PIX 501s. I am about to deploy 70+ PIX 501s out to the field. Each PIX will have a VPN back to a PIX 515e, which is in my office. Anyone on the VPN will be on my domain. I'm concerned with the physical access to the PIX 501s. The machines I have connected will be on a domain and will be restricted using Group Policies. However, anyone else could bring in their computer and plug into my network at any time.

Due to some equipment at the location, DHCP will be enabled and each location will have its own subnet. Using an AAA server is not an option, and since the 'mac-list' command only pertains to AAA, that's out. Anyone have any thoughts other than putting Elmer's glue into the empty ports?
 
What kind of switches at the remote sites? You can enable port security and have just one MAC per port, then disable all other ports. You could also go the route of 802.1x with AAA and authenticate to the domain controller through IAS.

Just a few options.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Each location has DSL, Cable, or Wireless modems from ISPs. All the modems are in bridged mode and the PIX is the authenticating device. Since there are only 3 devices, at max, at each location, no switches are installed.

Shon
Network Administrator
 
Ok, that's tougher. You can limit the number of DHCP leases to the exact amount needed for the site and make the lease times really long.

Something you can try (although I have not) is to set up a fake AAA server, give the MAC exemption to the MACs that you know, and have all others authenticate. When they can't reach the fake AAA server, they fail and can't go across the VPN. I don't think Cisco had this in mind, but it might work.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Good thinking. I've thought of those too. However, your first idea can be circumvented by programming the same IP address as the machine that's already at the location. The bad user will get an IP conflict but possibly get internet traffic anyway.

As for the second idea, I tried that as well but probably didn't do it right. When I tried to set up a fake AAA server, the PIX said that it didn't exist. Is there any way to force the PIX to point to an AAA server that doesn't exist?

Shon
Network Administrator
 
Then your best bet is 802.1x that authenticates across the VPN. You can get by just about everything else.

I haven't had it reject an AAA server that I hadn't spun up yet. That's odd. But you can fake a MAC address just as easily as change your IP. So I would go with the .1x.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I took what you said and pointed the aaa-server config to our firewall anyway. Looks like the main firewall, a PIX 515, accepted the 501s. Since there wasn't a username and password set up on the 515, it always asks for authentication, in which nothing works. I applied the mac exempt list to it and voilà! A working mac-list. Thanks for the help Brent!

Shon
Network Administrator
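The arrangement Shon describes, written out as an added example PIX 6.x configuration fragment (not from this thread or from either poster); the MAC address, the unreachable AAA host and the key are placeholders, and Shon's variant instead pointed the server tag at the PIX 515 that has no AAA configured:

```text
! Constructed example, not the thread's own config.
! Known site machine(s): only these MACs bypass the AAA challenge.
mac-list SITE_KNOWN permit 0011.2233.4455 ffff.ffff.ffff
! (add one line per permitted host; the mask ffff.ffff.ffff means exact match)
aaa mac-exempt match SITE_KNOWN

! A "server" that will never answer. 192.0.2.1 is a documentation
! address chosen here as a placeholder; Shon used the 515's address instead.
aaa-server DEADEND protocol tacacs+
aaa-server DEADEND (outside) host 192.0.2.1 PLACEHOLDER_KEY timeout 5

! Require authentication for all traffic from the inside interface.
! Exempt MACs pass; everything else is challenged, the challenge can
! never succeed, and the traffic never reaches the VPN.
access-list INSIDE_ALL permit ip any any
aaa authentication match INSIDE_ALL inside DEADEND
```

As Brent notes in the thread, a MAC exemption only stops a casual plug-in: the exempt address can be cloned by anyone who learns it, so 802.1x remains the stronger control where it is available.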
 
Glad it worked. That feature really should be included.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 