smerre01
Premium Member
join:2003-09-23
Greer, SC
Network Admin looking for NAC solution

Hello gang,

I am a network admin and have been looking for some software that will alert me if a non-domain device is plugged into my network. I have problems with users at remote locations hooking in Linksys wireless routers, even though the policy is against it. Long story short, is anyone using anything currently, and how well does it work?

HELLFIRE
MVM
join:2009-11-25
What kind of gear are you currently running? If it's unmanaged / vanilla stuff off the shelf, you may be SOL.

Off the top of my head, Dot1X is something you may want to look into; I know Juniper and Cisco sell solutions for
this -- question is how much do you have to spend?

If you're running managed gear out at the remote locations, STP, BPDU guard, and DHCP snooping are your friends
for when (l)users decide they are entitled to wire their home routers into the core switch via the LAN port
and start spamming UPnP crap and DHCP / DNS broadcasts that generally bork the network for everyone else.

Regards

joako
Premium Member
join:2000-09-07
/dev/null
to smerre01

You can setup 802.1x with Windows server. Do your switches support it? Any limitations that you couldn't live with?

smerre01
Premium Member
join:2003-09-23
Greer, SC

Well, our networking switches and routers are managed by the ISP; we manage the domain controllers and so forth at each location. I don't really have a fortune to spend, as we just purchased the Office 2013 pack for all locations, which was pricey. I would like to have something that would run on each domain controller if possible, monitor DHCP, and let me know if something joined the network that was not a domain machine.

I have Spiceworks running on the network, which works okay for what it does; however, I haven't really found a module for this need for it, and it doesn't seem to do anything in real time.

(EDIT) I want to point out that I am looking for more than rogue access points, I want to know if an employee plugs in a personal laptop on the network, or a customer does, etc.
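
A DC-side check of the kind smerre01 describes above, added here as an example for this thread (it is not code from any poster): it pulls the active leases from the Windows DHCP server, compares each lease's hostname against the computer objects in AD, and mails a report for anything that isn't a domain machine. It assumes Windows Server 2012 or later with the DhcpServer and ActiveDirectory PowerShell modules installed, and the SMTP relay, mailbox names and state-file path are placeholders to replace with your own.

```powershell
# NacWatch.ps1 -- added example, not from the thread.
# Assumptions: Server 2012+ with DHCP role (DhcpServer module) and RSAT AD module
# on the same box; run as a scheduled task every few minutes on each DHCP server.

Import-Module DhcpServer
Import-Module ActiveDirectory

$SmtpServer = 'smtp.example.local'        # hypothetical relay
$From       = 'nac-alert@example.local'   # hypothetical sender
$To         = 'netadmin@example.local'    # hypothetical recipient
$StateFile  = 'C:\NacWatch\seen-macs.txt' # MACs already reported (hypothetical path)

# Allow-list: every computer account in the domain, keyed by short name.
# DHCP stores the name the client sent in option 12, usually without a DNS suffix.
$domainHosts = @{}
Get-ADComputer -Filter * | ForEach-Object {
    $domainHosts[$_.Name.ToLower()] = $true
}

# MACs we have already alerted on, so each rogue device is mailed only once.
$seen = @{}
if (Test-Path $StateFile) {
    Get-Content $StateFile | ForEach-Object { $seen[$_] = $true }
}

$rogues = @()
foreach ($scope in Get-DhcpServerv4Scope) {
    foreach ($lease in Get-DhcpServerv4Lease -ScopeId $scope.ScopeId) {
        # Skip expired / declined / merely offered addresses.
        if ($lease.AddressState -notlike 'Active*') { continue }

        # Strip any DNS suffix so "PC1.corp.local" compares with the AD name "PC1".
        $name = ([string]$lease.HostName -split '\.')[0].ToLower()
        $mac  = $lease.ClientId

        # No hostname at all, or a hostname with no matching computer account.
        if (-not $name -or -not $domainHosts.ContainsKey($name)) {
            if (-not $seen.ContainsKey($mac)) {
                $rogues += $lease
                $seen[$mac] = $true
            }
        }
    }
}

if ($rogues.Count -gt 0) {
    $body = $rogues |
        Select-Object IPAddress, ClientId, HostName, ScopeId, LeaseExpiryTime |
        Format-Table -AutoSize | Out-String

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "NAC watch: $($rogues.Count) non-domain DHCP lease(s) on $env:COMPUTERNAME" `
        -Body $body

    # Persist the reported MACs so the next run stays quiet about the same devices.
    $null = New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force
    $seen.Keys | Set-Content $StateFile
}
```

Two caveats a practitioner should keep in mind: the hostname in a lease is whatever the client claimed, so a personal laptop named like a domain PC will not be flagged (matching on MAC against a known-hardware list is stricter), and a device that is given a static IP, or a home router acting as a DHCP server of its own, never shows up in the server's lease table at all. Used this way the script is an alerting stopgap, not a substitute for 802.1X or port security on the switches.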

huntermcdole
Premium Member
join:2005-08-01
Oxnard, CA
Where I work they use .1x to handle blocking of non-official equipment. They have it configured so that if a system/user does not have a valid domain account, the port is shut off until it's disconnected and reconnected, at which point it checks the info again. This also keeps out network devices nobody knows about, since they don't have an AD account. To allow network devices (printers, switches, etc.) they turn off .1x and set the port to only accept the MAC address of the equipment.

Not sure if it notifies them, but you might be able to set it up.

joako
Premium Member
join:2000-09-07
/dev/null
to smerre01

Well at least you have a ribbon bar in your email client.

Talk with your ISP.

smerre01
Premium Member
join:2003-09-23
Greer, SC

Ha, yeah, it has only confused about 85% of the company as we moved from 2003 to it.

HELLFIRE
MVM
join:2009-11-25
to smerre01

said by smerre01:

Well our networking switches and routers are managed by the ISP

What make / model? Put the question to your ISP if you want to get serious about rolling this out.

Regards