[unisog] EAP/802.1x to the edge...anyone doing it?

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Thu Jan 13 15:52:27 GMT 2005


We looked at the same issue, in particular for the dorms.  Still a work
in progress, but here's what we're doing.

For full authentication and control, we are using Bradford's Campus
Manager product.  It in effect goes beyond simple .1x in that the user
is forced to authenticate, and is then forcefully switched between VLANs
based on identity.  Hubs and the like pose less of a problem, in that
Bradford's product periodically picks up the MAC cache of the edge
devices, and compares it to the identified list.  If there is a rogue on
the port, it's switched to the most restrictive VLAN.  So far, it's a
decent product, but not flawless.  One huge plus is that we have been
able to tie it to our perimeter IDS, so for specific signatures such as
Backdoor, CM will flag the user as a rogue and shut them down at the
edge wherever they pop up.  This has made the residence hall VLANs a lot
more stable.

We are looking to either use simple MAC locking, .1X, or CM in public
areas where we don't allow rogues or hubs in the future.  The thought
being, if they plug in anything other than what we put there, they
either stop working or go to a VLAN with internet service throttled to
something slower than an old modem and no LAN access at all....

Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Matt Ashfield
Sent: Thursday, January 13, 2005 9:54 AM
To: 'UNIversity Security Operations Group'
Subject: [unisog] EAP/802.1x to the edge...anyone doing it?

Hi All,

We're currently looking at 802.1x/EAP authentication (using MD5, ie
username/password and possibly mac address) at the edge of our network.
seems like it could be a major implementation headache. Things that
exist on
our campus network like hubs (plugged into other hubs!), xboxes,
etc.. all pose problems. As well, if we do MD5 authentication, I believe
that the Novell Client will also pose problems.

I guess I'm just looking for feedback from anyone who is currently doing
802.1x at the edge. What has been your experiences? Also, do you know if
can get a radius server to return a vlanID to the edgeswitch, so you'll
placed in an appropriate vlan after authenticating (or do you have to
on the config of the edgeswitch to do it?).

Any info/comments are appreciated.


Matt Ashfield
Network Analyst
University of New Brunswick
mda at unb.ca

unisog mailing list
unisog at lists.sans.org

More information about the unisog mailing list