[unisog] EAP/802.1x to the edge...anyone doing it?

David LaPorte david_laporte at harvard.edu
Thu Jan 13 22:12:12 GMT 2005


We also recently began working towards registering all systems on some 
of our residential networks to a student ID.  Rather than use a 
commercial solution, a colleague (Kevin Amorin, also of Harvard) and I 
decided to write one from scratch.  It's called PacketFence and was 
recently released as open-source at http://www.packetfence.org.

While admittedly still a work in progress (although having processed 
several thousand registrations this semester), the system has many of 
the same features as commercial products like Bluesocket and 
Perfigo/Cisco.  We also have a "passive" mode which uses ARP 
manipulation to offer many of the benefits of an in-line solution while 
allowing fail-open.

Sorry for the shameless plug... :)

David

Youngquist, Jason R. wrote:
> Matt,
> 
> We are looking into something similar for our campus.  We would like to
> authenticate users via LDAP before they can access the network.
> Currently, I'm demoing the WG-2100 wireless gateway from Blue Socket and
> also just got in and will soon be demoing CISCO's Clean Access Server
> (formerly Perfigo).  CISCO's Clean Access Server seems to be quite cool
> because it has remediation capability.  We hope to initially deploy this
> device on the wireless and dorm network, and then hopefully campus-wide.
> 
> 
> Jason Youngquist
> jryoungquist at ccis.edu
>   
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of BACHAND, Dave (Info. Tech. Services)
> Sent: Thursday, January 13, 2005 9:52 AM
> To: mda at unb.ca; UNIversity Security Operations Group
> Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?
> 
> Hello-
> 
> We looked at the same issue, in particular for the dorms.  Still a work
> in progress, but here's what we're doing.
> 
> For full authentication and control, we are using Bradford's Campus
> Manager product.  It in effect goes beyond simple .1x in that the user
> is forced to authenticate, and is then forcefully switched between VLANs
> based on identity.  Hubs and the like pose less of a problem, in that
> Bradford's product periodically picks up the MAC cache of the edge
> devices, and compares it to the identified list.  If there is a rogue on
> the port, it's switched to the most restrictive VLAN.  So far, it's a
> decent product, but not flawless.  One huge plus is that we have been
> able to tie it to our perimeter IDS, so for specific signatures such as
> Backdoor, CM will flag the user as a rogue and shut them down at the
> edge wherever they pop up.  This has made the residence hall VLANs a lot
> more stable.
> 
> We are looking to either use simple MAC locking, .1X, or CM in public
> areas where we don't allow rogues or hubs in the future.  The thought
> being, if they plug in anything other than what we put there, they
> either stop working or go to a VLAN with internet service throttled to
> something slower than an old modem and no LAN access at all....
> 
> 
> 
> ++++++++++++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++++++++++++
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Matt Ashfield
> Sent: Thursday, January 13, 2005 9:54 AM
> To: 'UNIversity Security Operations Group'
> Subject: [unisog] EAP/802.1x to the edge...anyone doing it?
> 
> Hi All,
> 
> We're currently looking at 802.1x/EAP authentication (using MD5, i.e.
> username/password and possibly MAC address) at the edge of our network.
> It seems like it could be a major implementation headache. Things that
> exist on our campus network like hubs (plugged into other hubs!), Xboxes,
> printers, etc. all pose problems. As well, if we do MD5 authentication,
> I believe that the Novell Client will also pose problems.
> 
> I guess I'm just looking for feedback from anyone who is currently doing
> 802.1x at the edge. What have your experiences been? Also, do you know if
> you can get a RADIUS server to return a VLAN ID to the edge switch, so
> you'll be placed in an appropriate VLAN after authenticating (or do you
> have to rely on the config of the edge switch to do it?).
> 
> Any info/comments are appreciated.
> 
> Cheers
> 
> Matt Ashfield
> Network Analyst
> University of New Brunswick
> mda at unb.ca
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

-- 
David LaPorte, CISSP, CCNP
Senior Network Security Engineer
Harvard University Information Systems NOC
-----------------------------------------------
Email: david_laporte at harvard.edu
   PGP: 0x4DC3E508
        4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
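The edge-port audit Dave Bachand describes in his quoted message (pull the MAC cache from the edge devices, compare it to the identified list, and move any rogue or IDS-flagged host to the most restrictive VLAN), as an added example written for this thread; it is not code from PacketFence, Campus Manager or any poster. The registry, the per-port MAC-table snapshot, the IDS flag list, the port names and the quarantine VLAN number are all constructed. The `radius_vlan_attributes` helper relates to Matt Ashfield's question about having RADIUS hand a VLAN to the edge switch: it builds the attribute triple RFC 3580 defines for that purpose (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>); whether a particular switch honours it is an assumption, not something the thread confirms.

```python
"""Edge-port audit: registered MACs vs. what the switch actually learned.

Constructed example for the unisog thread; not PacketFence or Campus Manager code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed id of the "most restrictive" VLAN (throttled, no LAN access).
QUARANTINE_VLAN = 999

# Constructed registration database: MAC -> (identity, VLAN assigned to that identity).
REGISTERED: Dict[str, Tuple[str, int]] = {
    "00:11:22:33:44:55": ("alice", 100),
    "00:11:22:33:44:66": ("bob", 100),
    "00:11:22:33:44:77": ("printer-3f", 200),
}

# Constructed MAC-cache snapshot from one edge switch: port -> MACs learned on it.
SNAPSHOT: Dict[str, Set[str]] = {
    "Gi1/0/1": {"00:11:22:33:44:55"},                        # one registered host
    "Gi1/0/2": {"00:11:22:33:44:66", "DE:AD:BE:EF:00:01"},   # hub: bob plus an unknown box
    "Gi1/0/3": {"00:11:22:33:44:77"},                        # registered, but see IDS_FLAGGED
    "Gi1/0/4": set(),                                         # nothing plugged in
}

# Constructed list of MACs the perimeter IDS flagged (e.g. a backdoor signature).
IDS_FLAGGED: Set[str] = {"00:11:22:33:44:77"}


@dataclass
class Decision:
    port: str
    vlan: Optional[int]        # None means "leave the port as it is"
    reason: str
    macs: List[str] = field(default_factory=list)


def audit_port(port: str, learned: Set[str], registered: Dict[str, Tuple[str, int]],
               flagged: Set[str], quarantine_vlan: int = QUARANTINE_VLAN) -> Decision:
    """Decide which VLAN a port belongs in from the MACs seen behind it."""
    macs = sorted(m.lower() for m in learned)
    flagged_lc = {m.lower() for m in flagged}
    if not macs:
        return Decision(port, None, "no hosts learned; nothing to do", macs)

    # Any unregistered MAC makes the whole port a rogue: a hub can hide the
    # real offender behind a registered neighbour, so the port is what gets moved.
    unknown = [m for m in macs if m not in registered]
    if unknown:
        return Decision(port, quarantine_vlan,
                        "unregistered MAC(s) on port: " + ", ".join(unknown), macs)

    # Registered but flagged by the IDS: shut it down at the edge wherever it pops up.
    bad = [m for m in macs if m in flagged_lc]
    if bad:
        return Decision(port, quarantine_vlan,
                        "IDS-flagged host(s) on port: " + ", ".join(bad), macs)

    # All hosts registered; they must agree on a VLAN or the port cannot serve them all.
    vlans = {registered[m][1] for m in macs}
    if len(vlans) > 1:
        return Decision(port, quarantine_vlan,
                        "registered hosts with different VLANs share one port (hub?)", macs)
    return Decision(port, vlans.pop(), "all hosts registered and identified", macs)


def audit(snapshot: Dict[str, Set[str]], registered: Dict[str, Tuple[str, int]],
          flagged: Set[str], quarantine_vlan: int = QUARANTINE_VLAN) -> Dict[str, Decision]:
    """Run audit_port over a whole MAC-cache snapshot."""
    return {port: audit_port(port, macs, registered, flagged, quarantine_vlan)
            for port, macs in snapshot.items()}


def radius_vlan_attributes(vlan_id: int) -> Dict[str, str]:
    """RFC 3580 attribute set a RADIUS server returns to place a port in a VLAN.

    Attribute numbers: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6),
    Tunnel-Private-Group-ID (81) = the VLAN id as a string. Switch support is assumed.
    """
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


if __name__ == "__main__":
    for port, d in audit(SNAPSHOT, REGISTERED, IDS_FLAGGED).items():
        target = "unchanged" if d.vlan is None else f"VLAN {d.vlan}"
        print(f"{port}: {target:<10} {d.reason}")
        if d.vlan is not None:
            print("    RADIUS reply would carry:", radius_vlan_attributes(d.vlan))
```

Running it prints one line per port: Gi1/0/1 stays in VLAN 100, Gi1/0/2 and Gi1/0/3 go to the quarantine VLAN (unknown device, IDS flag), and Gi1/0/4 is left alone. The port, not the individual MAC, is the unit of enforcement because that is the only thing an edge switch can act on when a hub sits in between.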