Network Security & Visibility

Project Drivers

  • No 802.1x authentication was in place for wireless networks, and some domain-joined Windows workstations did not have the proper 802.1x settings
  • Authentication was based on pre-shared keys, which is not a best practice for enhanced security
  • No policy was in place to prevent former employees who knew the pre-shared keys from accessing the network, which poses a security risk
  • The client’s environment was mostly public, so anyone could plug in a device and access the network, which is also a security concern
  • Switches were running older versions of IOS, which had bugs that produced inconsistent 802.1x behavior

Solution Components

  • Implementation of a Network Access Control (NAC) solution: Cisco Identity Services Engine (ISE) was chosen as the RADIUS server, which authenticates wired and wireless devices when they attempt to connect to the client’s network
  • Upgrade all the switches to Cisco’s recommended code versions to resolve bugs associated with older code
  • Work with the customer’s server team to push the proper settings through Group Policy Object (GPO)

Impact

  • Most wired and wireless devices are now required to authenticate before they can connect to the hospital network
  • The local network is much more secure from the internal perspective due to authentication
  • ISE also provides endpoint visibility, allowing the client to know what devices are connected to the network