Posted on 08-24-2015 08:23 AM
We register our devises on our network via the macaddress. This of course raises an issue with the Thunderbolt to Ethernet Adapter. If we register the macaddress of the adapter then anything it is plugged into in theory can access our network. Has anyone found a way to assign the adapter to a specific computer or group of computers? Or any thoughts on this would be much appreciated.
Posted on 08-24-2015 08:44 AM
What system do you use, Cisco ISE or something like that?
MACs are also very easy to spoof.
Posted on 08-24-2015 08:16 PM
using MAC address is pretty poor security, as mentioned above its pretty easy to spoof a MAC address. 802.1x would be more secure and probably the right way to do it.
Posted on 08-25-2015 12:47 AM
Thanks for comments so far. I probably was not being very clear and apologise for that. I will try to elucidate a tad as I have no control over how things are set up on the network I just have to work with it. We register our devices in DHCP via macaddress to give the registered devices access to the wired network. This is when the problem with the Thunderbolt to Ethernet Adapter arises. I would be interested in anyone who is using the adapter and how they control/monitor or just use them.
Posted on 08-25-2015 06:47 AM
@achilver I don't think it unfortunately changes your situation much. The fact of that matter is that the policy you have in place comes from an old misguided idea that each computer will have a built-in Ethernet port. However with the rise of thinner laptops, many don't come with an Ethernet port anymore (definitely none of the modern Mac laptops do). So honestly if the goal is to comply with policy then I would go ahead and register all the MAC Addresses of each thunderbolt to ethernet adapter with each DHCP. You are meeting the requirement of your network team.
If they tell you that you're doing something wrong or not meeting the security spirit of this requirement then you should really sit down with your manager and their department and re-evaluate the goal here and definitely look into something like 802.1x like @calumhunter mentioned.