Automatic network access control for devices via Cisco Switch connectors

You can configure automatic network access control for devices via Cisco Switch connectors. Connectors of this type interface with switches to send commands that add or remove network access deny rules (restrictions) for the devices connected to the switches.

Network access control for devices is driven by their status. The connector creates deny rules on the switch for devices with a status of Unauthorized and removes the rules once the Authorized status is assigned to the devices.

Each connector can only interface with one network switch.

A Cisco Switch connector is used for restricting network access only for those devices whose details include their MAC addresses. Also, these MAC addresses must be stored in the ARP table of the network switch. That is, devices with these MAC addresses must be connected to the network switch to which the connector is connected.

A connector can use various methods to restrict network access for devices. The application provides methods for creating deny rules in switch access control lists based on MAC addresses (MAC ACL), IP addresses (IP ACL), and by disabling Ethernet ports to which devices are connected.

To use the method of disabling Ethernet ports, configure the switch connections to prevent multiple devices from being connected to one port. Otherwise, disabling an Ethernet port to block one device will also block network access for all devices that connect to the network using that port.

To minimize the risks of the connector impacting network accessibility for legitimate process devices, you can enable the following settings during configuration:

• Option that controls exclusions from network access restrictions for Network device, Firewall, Switch, Virtual switch, Router, Virtual router, and Wi-Fi. If the option is enabled, these categories of devices are excluded from the access restriction method.
• Option that controls whether deny rules are applied to new devices only. If the option is enabled, the method is applied only to those unauthorized devices for which a new 4000005003 device detected event has been registered.

The connector interfaces with the network switch via SSH. SSH connection credentials are specified and stored within the connector configuration. To protect these sensitive credentials, which are essential for identification and authentication, the connector verifies the switch public key it receives against a stored value as a safeguard against switch spoofing. Identification and authentication details are sent to the switch after verifying that the received public key matches the public key saved in the connector.

During the operation, the connector logs events in the application based on the results of the actions performed. These event types are logged via External technology. The following event headers are generated:

• Reset device deny rules for <switch name>

  This type of event is logged when the connector resets previously defined deny rules for devices due to a change of network access restriction method.

• Updated information about <device name> with address <device MAC address> according to data from <switch name>

  This type of event indicates that the connector has received information from a switch that a device connected to a certain port.

• Added a device deny rule for <device name> on <switch name>

  This type of event is logged when the connector restricts network access for an unauthorized device.

• Removed deny rule for <device name> on <switch name>

  This type of event is logged when the connector has successfully removed network access restrictions for a specific device.

• <switch name> has previously added deny rules

  This type of event indicates that upon turning on or restarting, the connector discovered preexisting deny rules on a specific switch.

• SSH connection made to <switch name> without verifying public key

  This type of event is logged when the connector successfully establishes an SSH connection to a switch but fails to verify its public key. We recommend verifying that there is no spoofed device on the network, and then saving the new public key in the connector settings.

• Detected public key mismatch for <switch name>

  This type of event is logged when the connector detects a mismatch between the stored and received public keys for a switch. This prevents an SSH connection with the switch. We recommend verifying that there is no spoofed device on the network and that the switch public key has indeed changed, and then saving the new public key in the connector settings.

• Failure to establish SSH connection with switch <switch name>: incorrect credentials

  This event is logged when the connector failed to establish SSH connection with the switch due to incorrect credentials specified in the connector settings (user name and/or password).

• Action for the privileged mode has not been performed on the switch <switch name>: incorrect password

  This event is logged when the connector does not have privileged mode capabilities to add and remove device deny rules on the switch. In this case, enter the correct privileged mode password in the connector settings.

Page top