[unisog] EAP/802.1x to the edge...anyone doing it?

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Thu Jan 13 21:46:38 GMT 2005


Sure-

 

We're using Enterasys' Dragon IDS, which just sends a standard SNMP trap
to the CM server.  The people at CM were fairly willing to work with us
in setting up the trap handling.  Have also looked into using SNORT to
send the traps, but haven't had the time (or the need) right now.

 

++++++++++++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++++++++++++
  _____  


From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Ryan Sumida
Sent: Thursday, January 13, 2005 1:59 PM
To: UNIversity Security Operations Group
Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?

 


Thanks for the info, we've been considering .1X for the past year now
but have not had the time or the knowledge to do so.  Being able to
tie into an IDS/IPS would be a huge benefit for our campus as well.
Dave, do you mind sharing what IDS the BSI CM is tied into?  Do you know
if CM will support TippingPoint devices?



Thanks, 
________________________________________
Ryan Sumida
Network Analyst, Network Services
Information Technology Services
California State University, Long Beach
1250 Bellflower Blvd, Long Beach, CA 90840-0101
(562) 985-8411
_________________________________________ 

unisog-bounces at lists.sans.org wrote on 01/13/2005 07:52:27 AM:

> 
> Hello-
> 
> We looked at the same issue, in particular for the dorms.  Still a work
> in progress, but here's what we're doing.
> 
> For full authentication and control, we are using Bradford's Campus
> Manager product.  It in effect goes beyond simple .1x in that the user
> is forced to authenticate, and is then forcefully switched between VLANs
> based on identity.  Hubs and the like pose less of a problem, in that
> Bradford's product periodically picks up the MAC cache of the edge
> devices, and compares it to the identified list.  If there is a rogue on
> the port, it's switched to the most restrictive VLAN.  So far, it's a
> decent product, but not flawless.  One huge plus is that we have been
> able to tie it to our perimeter IDS, so for specific signatures such as
> Backdoor, CM will flag the user as a rogue and shut them down at the
> edge wherever they pop up.  This has made the residence hall VLANs a lot
> more stable.
> 
> We are looking to either use simple MAC locking, .1X, or CM in public
> areas where we don't allow rogues or hubs in the future.  The thought
> being, if they plug in anything other than what we put there, they
> either stop working or go to a VLAN with internet service throttled to
> something slower than an old modem and no LAN access at all....
> 
> 
> 
> ++++++++++++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++++++++++++
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Matt Ashfield
> Sent: Thursday, January 13, 2005 9:54 AM
> To: 'UNIversity Security Operations Group'
> Subject: [unisog] EAP/802.1x to the edge...anyone doing it?
> 
> Hi All,
> 
> We're currently looking at 802.1x/EAP authentication (using MD5, i.e.
> username/password and possibly MAC address) at the edge of our network.
> It seems like it could be a major implementation headache. Things that
> exist on our campus network like hubs (plugged into other hubs!), xboxes,
> printers, etc. all pose problems. As well, if we do MD5 authentication,
> I believe that the Novell Client will also pose problems.
> 
> I guess I'm just looking for feedback from anyone who is currently doing
> 802.1x at the edge. What have your experiences been? Also, do you know if
> you can get a RADIUS server to return a VLAN ID to the edge switch, so
> you'll be placed in an appropriate VLAN after authenticating (or do you
> have to rely on the config of the edge switch to do it?).
> 
> Any info/comments are appreciated.
> 
> Cheers
> 
> Matt Ashfield
> Network Analyst
> University of New Brunswick
> mda at unb.ca
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

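Matt's question about a RADIUS server handing a VLAN back to the edge switch, and Dave's IDS-driven move of a flagged host onto the most restrictive VLAN, meet in one mechanism: the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) carried in the Access-Accept. What follows is an added example written for this page, not code from the thread or from Bradford's, Enterasys' or any other product named in it. It builds such an Access-Accept in pure Python, verifies it the way a switch would, parses the VLAN back out, and chooses the VLAN from a couple of constructed Snort-style alert lines. The VLAN numbers, IP addresses, shared secret, alert lines and the "BACKDOOR" signature prefix are all assumptions.

```python
import hashlib
import hmac
import re
import struct

# RADIUS code and the RFC 2868 / RFC 3580 tunnel attributes used for VLAN assignment
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type value "IEEE-802" (RFC 3580)

NORMAL_VLAN = 100            # assumed: the normal residence-hall VLAN
QUARANTINE_VLAN = 999        # assumed: the "most restrictive" VLAN from the thread
QUARANTINE_SIGNATURES = ("BACKDOOR",)   # assumed: alert-name prefixes that mean "rogue"

# Constructed Snort-style fast-alert lines standing in for the IDS feed (not real data)
SAMPLE_ALERTS = [
    "01/13-08:12:44.123456  [**] [1:100:1] BACKDOOR connection attempt [**] "
    "[Priority: 1] {TCP} 10.20.30.40:1034 -> 192.0.2.10:31337",
    "01/13-08:13:01.000001  [**] [1:200:1] POLICY chat client [**] "
    "[Priority: 3] {TCP} 10.20.30.41:2200 -> 198.51.100.5:5190",
]
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<name>.*?) \[\*\*\].*\{\w+\} (?P<src>[\d.]+):\d+ -> ")

def flagged_hosts(alert_lines, signatures=QUARANTINE_SIGNATURES):
    """Source IPs of alerts whose signature name starts with a quarantine prefix."""
    flagged = set()
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m and m.group("name").upper().startswith(tuple(signatures)):
            flagged.add(m.group("src"))
    return flagged

def vlan_for(client_ip, alert_lines):
    """Policy decision: quarantine VLAN if the IDS flagged the client, else the normal one."""
    return QUARANTINE_VLAN if client_ip in flagged_hosts(alert_lines) else NORMAL_VLAN

def tagged_int(attr_type, value, tag=0):
    """Tagged integer attribute: type, length, tag byte, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr_type, value, tag=0):
    """Tagged string attribute: type, length, tag byte, then the string itself."""
    body = bytes([tag]) + value.encode("ascii")
    return struct.pack("!BB", attr_type, len(body) + 2) + body

def access_accept(identifier, request_authenticator, secret, vlan_id):
    """Access-Accept carrying the three RFC 3580 attributes that name a VLAN."""
    attrs = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_authenticator, secret):
    """What the switch (NAS) checks before it trusts an Access-Accept at all."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header, rejecting malformed lengths."""
    attrs, offset = {}, 20
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(attr_type, []).append(packet[offset + 2:offset + length])
        offset += length
    if offset != len(packet):
        raise ValueError("trailing byte after last attribute")
    return attrs

def assigned_vlan(packet):
    """VLAN the NAS should put the port in, or None if the attributes are absent or wrong."""
    attrs = parse_attributes(packet)
    try:
        ttype, tmedium = attrs[TUNNEL_TYPE][0], attrs[TUNNEL_MEDIUM_TYPE][0]
        group = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
    except KeyError:
        return None   # no VLAN attributes: the switch keeps the port's configured VLAN
    if (int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tmedium[1:], "big") != TUNNEL_MEDIUM_802):
        return None
    # RFC 2868 s.3.6: a leading byte in 0x00..0x1F is a tag, otherwise part of the string
    if group and group[0] <= 0x1F:
        group = group[1:]
    try:
        vid = int(group.decode("ascii"))
    except ValueError:
        return None
    return vid if 1 <= vid <= 4094 else None
```

Two caveats a practitioner would want alongside this: the Response Authenticator only shows that the Accept came from a holder of the shared secret and was not altered on the way; an EAP exchange additionally requires the Message-Authenticator attribute (RFC 3579), which this example leaves out. And the edge switch has to be configured to honour the tunnel attributes in the first place; where it is not, it uses the port's configured VLAN, which is the fallback assigned_vlan() models by returning None.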