For many enterprise networks, the greatest risk in deploying 802.1X and/or NAC is the notion of an all-or-nothing change that is difficult to undo if something goes awry. To mitigate this, many IT administrators have begun deploying clientless or MAC-address-based authentication as a first step towards stronger authentication that uses an 802.1X client and posture attributes to further secure the network access layer. MAC authentication is especially useful because it addresses many of the goals that led to the exploration of NAC and 802.1X, such as securing the enterprise LAN edge, identifying all network-attached devices, provisioning guest access, maintaining a record of endpoint location and addressing, and a host of others. In addition, deploying MAC authentication leverages systems and protocols that are directly applicable to the deployment of an 802.1X client and/or NAC systems, including 802.1X configuration on the switches, RADIUS configuration, guest access systems, and the use of an Endpoint Profiler to identify and monitor non-EAP endpoints.
Regardless of how long it is in place, or how many phases are defined, MAC authentication makes sense as a Phase 1 deployment towards the goal of 802.1X and/or NAC.
Benefits of this approach include:
- Can be implemented in highly risk-averse environments
- Leverages the 802.1X control plane for network authentication, but without the additional considerations of client configuration
- Can be implemented without the risk of isolating people or devices
- Unlocks visibility into endpoint location, addressing, behavior, etc.
- Rapid deployment: no client configuration, and can leverage existing RADIUS and network infrastructure
- Phased approach that is 100% leveraged in subsequent phases
- Addresses many internal and external audit requirements