Nile Wired Access Management FAQ

Why do we need wired access management?
Nile requires all wired devices to be authenticated before accessing the network. The Nile Access Service supports three different wired authentication methods:
- Wired 802.1X authentication (requires a RADIUS server)
- Wired RADIUS MAB authentication (requires a RADIUS server)
- Nile Portal wired access management authentication

Can I upload a list of wired pre-approved devices to access management?
Yes, you can upload a list of pre-approved devices to the Nile access management by uploading a CSV file via the Nile Customer Portal (Settings > Access Management > Wired). The CSV file should include the following information:
- MAC address: the device's MAC address (mandatory)
- Segment: the network segment the device will be assigned to (required for "allow" status, optional for "deny")
- Lock to port: lock the device to a specific switch port (optional)
- Site, building, floor: restrict the device to a specific geographical location (optional)
- Allow or deny: specify whether to allow or deny access for the device (mandatory)

Can I disable Nile wired device authentication?
No, the Nile network is designed with security best practices, and you cannot disable wired device authentication entirely. However, you can add a catch-all "allow all" policy (not recommended) to grant network access to all devices, assigning them to a specific segment. This policy can be enabled in the Nile Portal (Network Setup > Access Management > Wired > Add Device > Allow All MACs).

Can I enable Nile auto wired device authentication for a specific vendor or device type?
Yes, you can create a wired device authentication policy for a specific device vendor or type using the Organizational Unique Identifier (OUI). The OUI is the first 24 bits of a MAC address that is used as a globally unique identifier assigned by the IEEE to identify network devices. You can enable the OUI-based policy in the Nile Portal (Network Setup > Access Management > Wired > Add Device > OUI/MAC), where you can select the segment, status (approved/denied), and geographical scope for the OUI-based policy.

What is Nile wired access management lock to port?
The "lock to port" feature will lock a device's approval to a specific Nile switch port when the device connects for the first time. If the wired device is moved to a different port or a different switch, the wired access management policy will be changed from "allow" to "deny", and the Nile Portal administrator will need to allow the device again. You can enable the "lock to port" feature in the Nile Customer Portal (Network Setup > Access Management > Wired > Add Device) by entering the OUI (for multiple devices) or MAC (for a single device), selecting a specific segment, and optionally choosing the geographical scope.

What is wired access management geo scope?
The wired access management geo scope is a feature that limits wired device authentication pre-approval to a specific location (site, building, or floor). If a wired device is moved to a different location, the wired access management policy will be changed from "allow" to "deny", and the Nile Portal administrator will need to allow the device again. You can enable the geo scope in the Nile Portal (Network Setup > Access Management > Wired > Add Device) by entering the OUI (for multiple devices) or MAC (for a single device), selecting a specific segment, and choosing the geographical scope (site, building, or floor).

Can administrators pre-approve devices based on device make, model, or software?
Yes, the Nile Access Service can fingerprint devices and allows administrators to create fingerprint-based rules to pre-approve devices. You can navigate to "Network Setup > Access Management > Wired > Add Devices" in the Nile Customer Portal. Nile has an extensive database of device models, makes, and operating systems that can be used to create these rules. When you start typing the name of your device, the system will auto-populate and display the matching entries in our database.

What if my device is not in Nile's database?
If your device is not in the Nile database, the administrator will need to use the MAC address or Organizational Unique Identifier (OUI) for pre-approval. You can reach out to Nile support and provide the details of your device, so it can be reviewed and added to the database at a later date.

How does fingerprint-based approval work?
Nile's device fingerprinting works as follows:
- The exact MAC address rule match always takes precedence.
- If there is no exact MAC address match, the device will be matched against a fingerprint rule.
- If there is no fingerprint rule match, the device will be matched against an OUI rule.
- If there are no other matching rules, the device will be assigned to the "all" rule.
- When a new device connects to the network and does not have an IP address, Nile will use limited information like the MAC address to attempt a fingerprint match.
- To get the device a temporary IP address, you need to create an "all" rule with a quarantine or internet-only segment.
- Nile's fingerprinting uses parameters like MAC address, DHCP, DNS transactions, and user agent data to accurately match the device.
- If the device does not match the fingerprint rule, it will be placed in the segment defined by the "all" rule.
- Once the device gets a temporary IP and starts communicating, Nile will fingerprint it and automatically move it to the correct fingerprint-based segment, updating the device's IP address accordingly.
- Nile will learn the device's fingerprint and create a specific entry for it going forward.

What happens if I create an exact MAC address entry for a device?
If you create an exact MAC address entry for a device with a specific segment assignment, Nile will not automatically move that device to a different segment based on fingerprinting. Devices matching an exact address or OUI rule will not be moved automatically. It is recommended not to create exact MAC address or OUI entries for devices you want to onboard using fingerprinting.

What if Nile fingerprints a device incorrectly?
If a device is fingerprinted incorrectly, Nile recommends removing the device from the cache and adding the exact MAC address. You can then contact Nile support to provide the device details, so we can evaluate and add it to our database.

What happens if a device matches multiple fingerprint rules?
When a device matches multiple fingerprint rules, the most specific rule will take precedence. For example, a rule for "Avaya IP Phone 250" will win over a more general "Avaya" rule.

What if I create new rules after devices are already connected?
Rules need to be created before connecting the devices. When a device connects, wired access management will match it against the existing rules. If there are no matching rules, a device entry will be created with a "waiting for approval" status. To have a new rule applied to an existing device, you will need to delete the device entry and disconnect/reconnect the device to apply the new rule. Nile is adding an enhancement to automatically verify all existing entries with a "waiting for approval" status after a new rule is created. If the device matches the new rule, its status will automatically change to "allow" or "deny" based on the new rule.

What happens if we delete an existing rule?
Deleting an existing rule will not impact any existing device wired access management entries. It will only affect the addition of new devices. When a new device is added, if it matches a rule, a specific entry will be created for that device. The only impact would be if both the rule and the device entry were deleted. In this case, the device status will change to "waiting for approval" and require manual approval.
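
A pre-upload check for the pre-approved device CSV described above, enforcing the mandatory MAC address and allow/deny fields and the segment requirement for "allow" rows. This is an added example, not Nile's code: the column header names (`mac_address`, `segment`, `action`, and so on) and the sample rows are assumptions constructed for illustration, so match them to the template the portal provides.

```python
import csv
import io
import re

# Six hex octets separated by ":" or "-" (assumed accepted notation).
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.I)

def lint(csv_text):
    """Return (line_number, problem) tuples for rows that break the FAQ's rules."""
    findings = []
    seen = {}  # normalised MAC -> first line it appeared on
    reader = csv.DictReader(io.StringIO(csv_text))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        mac = (row.get("mac_address") or "").strip()
        action = (row.get("action") or "").strip().lower()
        segment = (row.get("segment") or "").strip()
        if not MAC_RE.match(mac):
            findings.append((lineno, "invalid or missing MAC address"))
            continue
        key = mac.lower().replace("-", ":")
        if key in seen:
            # Two rows for one MAC can carry conflicting allow/deny decisions.
            findings.append((lineno, f"duplicate of line {seen[key]}"))
        else:
            seen[key] = lineno
        if action not in ("allow", "deny"):
            findings.append((lineno, "action must be allow or deny"))
        elif action == "allow" and not segment:
            findings.append((lineno, "segment is required for allow"))
    return findings

# Constructed sample file; header names are hypothetical.
SAMPLE = """mac_address,segment,lock_to_port,site,building,floor,action
00:11:22:33:44:55,printers,yes,HQ,B1,2,allow
00:11:22:33:44:56,,,,,,deny
00:11:22:33:44:57,,,,,,allow
0011.2233.4458,cameras,,,,,allow
00-11-22-33-44-55,printers,,,,,deny
00:11:22:33:44:59,cameras,,,,,permit
"""

if __name__ == "__main__":
    for lineno, problem in lint(SAMPLE):
        print(f"line {lineno}: {problem}")
```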
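
The rule precedence from "How does fingerprint-based approval work?" and "What happens if a device matches multiple fingerprint rules?", modelled as a small resolver for auditing a planned rule set before devices connect. This is an added example, not Nile's implementation: the `Rule` structure, prefix matching on a fingerprint label, using match-string length as "most specific", and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    kind: str     # "mac", "fingerprint", "oui" or "all"
    match: str    # MAC, fingerprint label, or OUI prefix; "" for "all"
    segment: str

def norm(mac: str) -> str:
    """Keep hex digits only so 00:1A.. and 00-1a.. compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def resolve(mac: str, fingerprint: Optional[str], rules) -> Optional[Rule]:
    """Return the winning rule; None models "waiting for approval"."""
    m = norm(mac)
    for r in rules:                      # 1. exact MAC always takes precedence
        if r.kind == "mac" and norm(r.match) == m:
            return r
    if fingerprint:                      # 2. fingerprint, most specific wins
        fp = fingerprint.lower()
        hits = [r for r in rules
                if r.kind == "fingerprint" and fp.startswith(r.match.lower())]
        if hits:
            return max(hits, key=lambda r: len(r.match))
    for r in rules:                      # 3. OUI: first 24 bits = 6 hex digits
        if r.kind == "oui" and norm(r.match) == m[:6]:
            return r
    for r in rules:                      # 4. the "all" rule
        if r.kind == "all":
            return r
    return None

# Constructed sample policy; MACs, OUI and segment names are made up.
RULES = [
    Rule("all", "", "quarantine"),
    Rule("oui", "02:AA:BB", "voice-oui"),
    Rule("fingerprint", "Avaya", "voice"),
    Rule("fingerprint", "Avaya IP Phone 250", "voice-250"),
    Rule("mac", "02:aa:bb:00:00:99", "lab"),
]

if __name__ == "__main__":
    # The exact MAC entry pins this phone to "lab" despite its fingerprint.
    print(resolve("02-AA-BB-00-00-99", "Avaya IP Phone 250", RULES).segment)
```

Passing `None` as the fingerprint models a device that has not been fingerprinted yet; with an "all" rule present it lands in that rule's segment, and with no matching rule at all the result is `None`.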