No 802.1x authentication for wireless networks in place, some domain-joined Windows workstations did not have the proper 802.1x settings
Authentication was based on pre-shared keys, which is not a best practice for enhanced security
No policy to prevent employees no longer employed with knowledge of the pre-shared keys access to the network, which poses a security risk
The client’s environment was mostly public, where anyone can plug in their device, and access the network, which is also a security concern
Switches were running older versions of IOS, which had bugs that produced inconsistent 802.1x behavior
Solution Components
Implementation of Network Access Control (NAC) solutions: Cisco Identity Services Engine (ISE) was chosen as the RADIUS server, which authenticate the wired and wireless devices when they attempt to connect to the client’s network
Upgrade all the switches to Cisco’s recommended code versions to resolve bugs associated with older code
Work with the customer’s server team to push the proper settings through Group Policy Object (GPO)
Impact
Most of the wired and wireless devices now are required to authenticate to be able to connect to the hospital network
The local network is much more secure from the internal perspective due to authentication
ISE also provides endpoint visibility, allowing the client to know what devices are connected to the network
