[unisog] EAP/802.1x to the edge...anyone doing it?

Youngquist, Jason R. jryoungquist at ccis.edu
Thu Jan 13 20:56:13 GMT 2005



-----Original Message-----
From: Matt Ashfield [mailto:mda at unb.ca] 
Sent: Thursday, January 13, 2005 2:28 PM
To: Youngquist, Jason R.; 'UNIversity Security Operations Group'
Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?

> Will the Perfigo/Cisco software authenticate at the edge?

It's supposed to sit in the core behind the firewall.

> I can't see how it would. And if it is more of a core authenticator,
> does that mean you must run all your network through that box?

From what I know, yes.  You can trunk all of your VLANs through the box
and all of the traffic passes through the box.

> Or do you simply use it as an authenticating agent, like Radius, tied
> to LDAP?

The box sends the authentication request to the LDAP server and then the
LDAP server replies with a "success"/"no success".


Jason Youngquist
jryoungquist at ccis.edu




Thanks

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
mda at unb.ca 


-----Original Message-----
From: Youngquist, Jason R. [mailto:jryoungquist at ccis.edu] 
Sent: January 13, 2005 4:03 PM
To: UNIversity Security Operations Group; mda at unb.ca
Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?

Matt,

We are looking into something similar for our campus.  We would like to
authenticate users via LDAP before they can access the network.
Currently, I'm demoing the WG-2100 wireless gateway from Blue Socket and
also just got in and will soon be demoing CISCO's Clean Access Server
(formerly Perfigo).  CISCO's Clean Access Server seems to be quite cool
because it has remediation capability.  We hope to initially deploy this
device on the wireless and dorm network, and then hopefully campus-wide.


Jason Youngquist
jryoungquist at ccis.edu
  

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of BACHAND, Dave (Info.
Tech. Services)
Sent: Thursday, January 13, 2005 9:52 AM
To: mda at unb.ca; UNIversity Security Operations Group
Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?

Hello-

We looked at the same issue, in particular for the dorms.  Still a work
in progress, but here's what we're doing.

For full authentication and control, we are using Bradford's Campus
Manager product.  It in effect goes beyond simple .1x in that the user
is forced to authenticate, and is then forcefully switched between VLANs
based on identity.  Hubs and the like pose less of a problem, in that
Bradford's product periodically picks up the MAC cache of the edge
devices, and compares it to the identified list.  If there is a rogue on
the port, it's switched to the most restrictive VLAN.  So far, it's a
decent product, but not flawless.  One huge plus is that we have been
able to tie it to our perimeter IDS, so for specific signatures such as
Backdoor, CM will flag the user as a rogue and shut them down at the
edge wherever they pop up.  This has made the residence hall VLANs a lot
more stable.

We are looking to either use simple MAC locking, .1X, or CM in public
areas where we don't allow rogues or hubs in the future.  The thought
being, if they plug in anything other than what we put there, they
either stop working or go to a VLAN with internet service throttled to
something slower than an old modem and no LAN access at all....



++++++++++++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++++++++++++

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Matt Ashfield
Sent: Thursday, January 13, 2005 9:54 AM
To: 'UNIversity Security Operations Group'
Subject: [unisog] EAP/802.1x to the edge...anyone doing it?

Hi All,

We're currently looking at 802.1x/EAP authentication (using MD5, i.e.
username/password and possibly MAC address) at the edge of our network.
It seems like it could be a major implementation headache. Things that
exist on our campus network like hubs (plugged into other hubs!), Xboxes,
printers, etc. all pose problems. As well, if we do MD5 authentication,
I believe that the Novell Client will also pose problems.

I guess I'm just looking for feedback from anyone who is currently doing
802.1x at the edge. What have been your experiences? Also, do you know if
you can get a RADIUS server to return a VLAN ID to the edge switch, so
you'll be placed in an appropriate VLAN after authenticating (or do you
have to rely on the config of the edge switch to do it?).

Any info/comments are appreciated.

Cheers

Matt Ashfield
Network Analyst
University of New Brunswick
mda at unb.ca

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
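Matt's last question, having the RADIUS server hand a VLAN back to the edge switch, is what RFC 3580 standardises with the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes from RFC 2868. The example below is added here and is not from anyone on the list: it builds such an Access-Accept on the server side and, on the switch side, verifies the Response Authenticator with the shared secret before trusting the VLAN it carries. The packet identifier, request authenticator and secret are constructed values.

```python
import hashlib

ACCESS_ACCEPT = 2                                                # RADIUS packet code
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 types
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                  # RFC 3580: 802.1Q VLAN

def tagged_int(attr_type, tag, value):
    # Tunnel-Type / Tunnel-Medium-Type: type, length 6, 1-byte tag, 3-byte integer
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")

def tagged_string(attr_type, tag, text):
    # Tunnel-Private-Group-ID: type, length, 1-byte tag, VLAN id as ASCII text
    body = bytes([tag]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body

def build_access_accept(identifier, request_auth, secret, vlan_id, tag=1):
    """Server side: an Access-Accept telling the edge switch to use vlan_id."""
    attrs = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))
    header = bytes([ACCESS_ACCEPT, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    # Response Authenticator (RFC 2865): MD5(code+id+len+RequestAuth+attrs+secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(attrs):
    # Yield (type, value) pairs; refuse lengths that run past the buffer
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        yield attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]

def vlan_from_accept(packet, request_auth, secret):
    """Switch side: verify the reply came from our server, then read the VLAN."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + request_auth + attrs + secret).digest() != resp_auth:
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS")
    seen = {}
    for atype, value in parse_attributes(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[atype] = int.from_bytes(value[1:], "big")  # skip the tag byte
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is data, not a tag
            seen[atype] = (value[1:] if value[:1] <= b"\x1f" else value).decode("ascii")
    if (seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None  # not a VLAN assignment; the port keeps its configured VLAN
    return seen.get(TUNNEL_PRIVATE_GROUP_ID)
```

A real switch also checks that the identifier matches an outstanding Access-Request; that bookkeeping is left out here.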