Microsoft NPS/Protecting unauthorized access

Bradtech519

Looking into securing our network from unauthorized access. We have remote sites in which Cisco routers are handing out IP addresses instead of Microsoft DHCP servers, and some non-802.1x clients (old thin clients). I'm not sure if MS NAP/NPS is the way to go due to these reasons. Outside of basic port security and MAC address filtering on the switches, what other options do I have? 3rd party solutions? I know of Cisco NAC, but everything in regards to Cisco comes at a high price. I know I can have some sort of remediation policy for some clients that might be out of date (prior to XP SP3) or non-802.1x-compliant devices. I may be looking at this the wrong way in regards to turning up NPS on my DHCP scopes.
 

imagoon

You can use ip-helper-address and hand out DHCP from the main office. That with RADIUS could make 802.1x work for you. As for non-802.1x, you should be able to exempt their MAC addresses.
 

Bradtech519

> You can use ip-helper-address and hand out DHCP from the main office. That with radius could make 802.1x work for you. As for non 802.1x, should be able to exempt their MAC addresses.

Thanks for the response, I appreciate it.

1. ip-helper-address would help us get off using DHCP on the routers by adding that to the config on the Cisco gateway, and we could turn up new scopes for the remote offices using MS DHCP/NPS. I believe that is what you are recommending.

2. I found this writeup on your recommendation of MAC address exemption in NPS. I think it goes along with what you're saying.

We have been looking into other solutions outside of NPS such as Cisco NAC but want to do it without spending a ton of money if our AD infrastructure could be extended. We have phones, printers, etc..

http://blogs.technet.com/b/teamdhcp...or-printers-and-other-network-appliances.aspx
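
The relay-plus-802.1X setup suggested in this thread, sketched as a Cisco IOS configuration. This is an added example, not posted by either participant: all addresses, interface names, the pool name and the shared secret are placeholders, and MAC Authentication Bypass (MAB) is assumed here as the switch-side way to handle the non-802.1x devices.

```cisco
! Added example, not from the thread. Addresses, VLANs, interface names,
! the pool name and the shared secret are placeholders.
!
! --- Remote-site router: stop serving DHCP locally, relay to the main office
! REMOTE-LAN is a hypothetical name for the old local pool.
no ip dhcp pool REMOTE-LAN
!
interface GigabitEthernet0/1
 description Remote office LAN
 ip address 10.20.30.1 255.255.255.0
 ! 10.0.0.10 = central Microsoft DHCP server (assumed address)
 ip helper-address 10.0.0.10
!
! --- Remote-site access switch: 802.1X against RADIUS (NPS)
! 10.0.0.20 = NPS server (assumed address)
aaa new-model
radius-server host 10.0.0.20 key <SHARED-SECRET>
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Port for a PC with an 802.1X supplicant
interface FastEthernet0/5
 description 802.1X-capable PC
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Port for a thin client or printer without a supplicant:
! try 802.1X first, then fall back to MAB
interface FastEthernet0/6
 description Non-802.1X device
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab
```

With MAB the switch submits the device's MAC address to the RADIUS server as its identity, so the list of exempted devices is maintained on the NPS side. A MAC address can be spoofed, so ports that fall back to MAB are best placed in a VLAN with restricted access.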