[unisog] EAP/802.1x to the edge...anyone doing it?

Ryan Sumida rsumida at csulb.edu
Thu Jan 13 18:59:15 GMT 2005

Thanks for the info. We've been considering .1X for the past year now but
have not had the time or the knowledge to do so. Being able to tie into
an IDS/IPS would be a huge benefit for our campus as well. Dave, do you
mind sharing what IDS the BSI CM is tied into? Do you know if CM will
support TippingPoint devices?

Ryan Sumida
Network Analyst, Network Services
Information Technology Services
California State University, Long Beach
1250 Bellflower Blvd, Long Beach, CA 90840-0101
(562) 985-8411

unisog-bounces at lists.sans.org wrote on 01/13/2005 07:52:27 AM:

> Hello-
> We looked at the same issue, in particular for the dorms.  Still a work
> in progress, but here's what we're doing.
> For full authentication and control, we are using Bradford's Campus
> Manager product.  It in effect goes beyond simple .1x in that the user
> is forced to authenticate, and is then forcefully switched between VLANs
> based on identity.  Hubs and the like pose less of a problem, in that
> Bradford's product periodically picks up the MAC cache of the edge
> devices, and compares it to the identified list.  If there is a rogue on
> the port, it's switched to the most restrictive VLAN.  So far, it's a
> decent product, but not flawless.  One huge plus is that we have been
> able to tie it to our perimeter IDS, so for specific signatures such as
> Backdoor, CM will flag the user as a rogue and shut them down at the
> edge wherever they pop up.  This has made the residence hall VLANs a lot
> more stable.
> We are looking to either use simple MAC locking, .1X, or CM in public
> areas where we don't allow rogues or hubs in the future.  The thought
> being, if they plug in anything other than what we put there, they
> either stop working or go to a VLAN with internet service throttled to
> something slower than an old modem and no LAN access at all....
> ++++++++++++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++++++++++++
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Matt Ashfield
> Sent: Thursday, January 13, 2005 9:54 AM
> To: 'UNIversity Security Operations Group'
> Subject: [unisog] EAP/802.1x to the edge...anyone doing it?
> Hi All,
> We're currently looking at 802.1x/EAP authentication (using MD5, i.e.
> username/password and possibly MAC address) at the edge of our network.
> It seems like it could be a major implementation headache. Things that
> exist on our campus network like hubs (plugged into other hubs!), Xboxes,
> printers, etc. all pose problems. As well, if we do MD5 authentication,
> I believe that the Novell Client will also pose problems.
> I guess I'm just looking for feedback from anyone who is currently doing
> 802.1x at the edge. What have your experiences been? Also, do you know if
> you can get a RADIUS server to return a VLAN ID to the edge switch, so
> you'll be placed in an appropriate VLAN after authenticating (or do you
> have to rely on the config of the edge switch to do it?).
> Any info/comments are appreciated.
> Cheers
> Matt Ashfield
> Network Analyst
> University of New Brunswick
> mda at unb.ca
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
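On Matt's question about having the RADIUS server hand the edge switch a VLAN: the standard way is the tunnel attributes from RFC 3580 (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id) in the Access-Accept. The fragment below is an added example, not configuration from any poster; it assumes a FreeRADIUS `users` file and an edge switch that honours those attributes, and the usernames, password, MAC address and VLAN numbers are constructed placeholders.

```text
# Added example: FreeRADIUS "users" entries that return a VLAN to the edge
# switch.  Names, password, MAC and VLAN IDs are constructed placeholders.

# A person doing EAP-MD5 (the server needs the cleartext password for MD5
# challenge/response) is placed on the staff VLAN.
jdoe    Cleartext-Password := "change-me"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"

# A printer that cannot speak 802.1X: the switch submits its MAC address as
# the username (MAC authentication bypass), and it is pinned to the printer
# VLAN.  The entry also documents which MACs are allowed to skip .1X.
00112233aabb    Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "200"

# Accounts authenticated by another backend (for example LDAP) that match no
# entry above land in a restricted VLAN instead of the port's default.
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "999"
```

The switch side is the usual source of trouble: the VLAN named in Tunnel-Private-Group-Id normally has to exist on the edge switch already, and dynamic VLAN assignment has to be enabled on the port; if either is missing the switch ignores the attributes and the port's statically configured VLAN applies, which is the fallback Matt mentions.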
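The rogue check Dave describes (the NAC product periodically pulls the MAC cache of each edge switch, compares it with the list of identified machines, and moves any port with an unknown MAC to the most restrictive VLAN) can be illustrated with a small script. This is an added example, not code from any poster or from Bradford's Campus Manager; the MAC table format, the MAC addresses, the port names and the `IDENTIFIED_MACS` list are constructed for the demonstration.

```python
# Added example (not from the thread or from Campus Manager): read a switch
# MAC address table, compare each port's MACs with the identified list, and
# decide which ports should be moved to the restrictive VLAN.
import re
from collections import defaultdict

# Constructed sample of a MAC address table dump (VLAN, MAC, type, port).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
 10     0011.2233.aabb    DYNAMIC     Gi1/0/1
 10     0011.2233.aabc    DYNAMIC     Gi1/0/2
 10     0011.2233.aabd    DYNAMIC     Gi1/0/2
 10     0011.2233.aabe    DYNAMIC     Gi1/0/3
 20     0011.2233.aabf    DYNAMIC     Gi1/0/4
"""

# Constructed list of MACs that have identified themselves (e.g. through
# 802.1X or a registration portal).  Port Gi1/0/2 has two of them behind it,
# which is what a hub full of registered machines looks like.
IDENTIFIED_MACS = {
    "00:11:22:33:aa:bb",
    "00:11:22:33:aa:bc",
    "00:11:22:33:aa:bd",
}

# One table row: vlan, dotted MAC, entry type, port.  Header lines do not match.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I
)


def normalize_mac(mac):
    """Turn 0011.2233.aabb (or 00-11-22-33-AA-BB) into 00:11:22:33:aa:bb so
    the switch's notation and the registration list compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return {port: set of normalized MACs} from a MAC table dump."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            ports[m.group(3)].add(normalize_mac(m.group(2)))
    return dict(ports)


def classify_ports(port_macs, identified):
    """For each port report how many MACs it carries, which of them are not
    on the identified list, and the resulting action.  A port with several
    MACs (a hub) is fine as long as every MAC behind it is identified; one
    unknown MAC is enough to send the whole port to the restrictive VLAN."""
    report = {}
    for port, macs in sorted(port_macs.items()):
        unknown = sorted(macs - identified)
        report[port] = {
            "macs": len(macs),
            "unknown": unknown,
            "action": "quarantine" if unknown else "allow",
        }
    return report


if __name__ == "__main__":
    for port, info in classify_ports(
        parse_mac_table(SAMPLE_MAC_TABLE), IDENTIFIED_MACS
    ).items():
        print(port, info["action"], info["unknown"])
```

In a real deployment the table would come from SNMP or a CLI session to each edge switch on a timer, and the `quarantine` action would be a VLAN change on that port; note that a rogue behind a hub takes every registered machine on the same port down with it, which is the trade-off Dave's approach accepts.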