[unisog] EAP/802.1x to the edge...anyone doing it?

Cal Frye cjf at calfrye.com
Thu Jan 13 21:40:57 GMT 2005


Yes, it is an inline box, and as such is a core authenticator, depending on how 
far out toward the edge you place the access servers. The key is you can have 
multiple boxes, although that's a costly option. We're running its DHCP server 
in multiple-tiny-subnet mode, where the limit is that each user system exists in its 
own /30 subnet. Does tend to corral user traffic, but isn't perfect.

In remediation mode, either the VLAN tag is manipulated and/or access through 
the server is controlled until the Nessus scan or user client passes your 
requirements; then the user is granted "normal" access.

--Cal Frye, Network Administrator, Oberlin College
  www.ouuf.org, www.calfrye.com

   "Life is pleasant. Death is peaceful. It's the transition that's 
troublesome." - Isaac Asimov


Matt Ashfield wrote:
> Will the Perfigo/Cisco software authenticate at the edge? I can't see how it
> would. And if it is more of a core authenticator, does that mean you must
> run all your network through that box? Or do you simply use it as an
> authenticating agent, like RADIUS, tied to LDAP? 
> 
> Thanks
> 
> Matt Ashfield
> Network Analyst
> Integrated Technology Services
> University of New Brunswick
> (506) 447-3033
> mda at unb.ca 
> 
> 
> -----Original Message-----
> From: Youngquist, Jason R. [mailto:jryoungquist at ccis.edu] 
> Sent: January 13, 2005 4:03 PM
> To: UNIversity Security Operations Group; mda at unb.ca
> Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?
> 
> Matt,
> 
> We are looking into something similar for our campus.  We would like to
> authenticate users via LDAP before they can access the network.
> Currently, I'm demoing the WG-2100 wireless gateway from Blue Socket and
> also just got in and will soon be demoing CISCO's Clean Access Server
> (formerly Perfigo).  CISCO's Clean Access Server seems to be quite cool
> because it has remediation capability.  We hope to initially deploy this
> device on the wireless and dorm network, and then hopefully campus-wide.
> 
> 
> Jason Youngquist
> jryoungquist at ccis.edu
>   
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of BACHAND, Dave (Info.
> Tech. Services)
> Sent: Thursday, January 13, 2005 9:52 AM
> To: mda at unb.ca; UNIversity Security Operations Group
> Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?
> 
> Hello-
> 
> We looked at the same issue, in particular for the dorms.  Still a work
> in progress, but here's what we're doing.
> 
> For full authentication and control, we are using Bradford's Campus
> Manager product.  It in effect goes beyond simple .1x in that the user
> is forced to authenticate, and is then forcefully switched between VLANs
> based on identity.  Hubs and the like pose less of a problem, in that
> Bradford's product periodically picks up the MAC cache of the edge
> devices, and compares it to the identified list.  If there is a rogue on
> the port, it's switched to the most restrictive VLAN.  So far, it's a
> decent product, but not flawless.  One huge plus is that we have been
> able to tie it to our perimeter IDS, so for specific signatures such as
> Backdoor, CM will flag the user as a rogue and shut them down at the
> edge wherever they pop up.  This has made the residence hall VLANs a lot
> more stable.
> 
> We are looking to either use simple MAC locking, .1X, or CM in public
> areas where we don't allow rogues or hubs in the future.  The thought
> being, if they plug in anything other than what we put there, they
> either stop working or go to a VLAN with internet service throttled to
> something slower than an old modem and no LAN access at all....
> 
> 
> 
> ++++++++++++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++++++++++++
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Matt Ashfield
> Sent: Thursday, January 13, 2005 9:54 AM
> To: 'UNIversity Security Operations Group'
> Subject: [unisog] EAP/802.1x to the edge...anyone doing it?
> 
> Hi All,
> 
> We're currently looking at 802.1x/EAP authentication (using MD5, i.e.
> username/password and possibly MAC address) at the edge of our network. It
> seems like it could be a major implementation headache. Things that exist on
> our campus network like hubs (plugged into other hubs!), Xboxes, printers,
> etc. all pose problems. As well, if we do MD5 authentication, I believe
> that the Novell Client will also pose problems.
> 
> I guess I'm just looking for feedback from anyone who is currently doing
> 802.1x at the edge. What have been your experiences? Also, do you know if you
> can get a RADIUS server to return a VLAN ID to the edge switch, so you'll be
> placed in an appropriate VLAN after authenticating (or do you have to rely
> on the config of the edge switch to do it?).
> 
> Any info/comments are appreciated.
> 
> Cheers
> 
> Matt Ashfield
> Network Analyst
> University of New Brunswick
> mda at unb.ca
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
> 
> 
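Matt's question about whether a RADIUS server can hand a VLAN ID back to the edge switch is exactly what RFC 3580 (IEEE 802.1X RADIUS usage guidelines) specifies: the Access-Accept carries the RFC 2868 tunnel attributes Tunnel-Type (64) set to VLAN (13), Tunnel-Medium-Type (65) set to IEEE-802 (6), and Tunnel-Private-Group-ID (81) holding the VLAN ID as a string, all sharing one tag byte. The example below is added here and is not code from any of the posters or products in this thread; it encodes that triple the way a server would and parses it back the way a switch would, treating a truncated or inconsistent attribute set as "no VLAN assigned" rather than trusting a partial answer. All packet bytes are constructed inline; no real RADIUS exchange takes place.

```python
"""RFC 3580 dynamic VLAN assignment: build the three RFC 2868 tunnel attributes a
RADIUS server returns in an Access-Accept, then parse them as an 802.1X edge
switch would.  Constructed example; no switch or server is contacted."""
import struct

# RADIUS attribute type codes (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value meaning "802"
MAX_TAG = 0x1F               # tag bytes above this are data, not a tag (RFC 2868)


def _avp(attr_type, value):
    """Wrap a value as one RADIUS AVP: 1-byte type, 1-byte total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vlan_attrs(vlan_id, tag=1):
    """Build the tagged tunnel triple that assigns a supplicant to vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must fit in 5 bits")
    # Tagged integer attributes carry a tag byte followed by a 3-byte integer.
    tunnel_type = _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    medium = _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    # Tunnel-Private-Group-ID is a tagged string; the VLAN id travels as ASCII digits.
    group = _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    return tunnel_type + medium + group


def parse_avps(data):
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def vlan_from_accept(data):
    """Return the VLAN id the switch should apply, or None when the Access-Accept
    does not carry a complete, consistent VLAN triple (switch then keeps the port's
    configured default rather than guessing)."""
    by_tag = {}
    for attr_type, value in parse_avps(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not value:
            continue
        # A first byte above 0x1F is not a tag; the whole value is then the payload.
        tag, body = (value[0], value[1:]) if value[0] <= MAX_TAG else (0, value)
        by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if len(attrs) != 3:
            continue  # incomplete triple for this tag
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return None


if __name__ == "__main__":
    accept = encode_vlan_attrs(120)
    print(accept.hex())
    print("assigned VLAN:", vlan_from_accept(accept))
```

The encoder is what a RADIUS policy would emit for a user whose LDAP group maps to VLAN 120; the parser mirrors the switch side, which is why a triple with a non-VLAN Tunnel-Type, a mismatched tag, or a missing Tunnel-Private-Group-ID yields None instead of a VLAN. Whether the switch honours the attributes at all still depends on its own configuration (on Cisco gear the port must be set to accept the attributes from the AAA server), which is the "rely on the config of the edge switch" half of Matt's question.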