[unisog] EAP/802.1x to the edge...anyone doing it?

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Thu Jan 13 22:02:48 GMT 2005


Both products will do LDAP authentication.  We are in an odd position,
in that Eastern is part of a larger university system.  We implemented
CM before the other sites.  The System chose Perfigo.  So, we will most
likely get the "chance" to use both coming this summer.

What I can offer at this point is as follows, based on my admittedly
biased opinion.

CM is really a network management product.  It does have a remediation
tool built in, which uses NESSUS scanning to do testing.  Nessus is
pretty limited these days considering the fact that software firewalls
are becoming standard issue.  The good point is that, short of someone
running a NAT firewall in the room and sharing a connection, it's
ironclad; you can't thwart it.  We also were able to tie it to the IDS,
which works VERY well.

Perfigo is an in-line device, which acts like a bridge.  As I understand
it, it manipulates the subnet mask of the client to force access limits.
Therefore a savvy user should be able to thwart the product.  But, it
uses a client to do remediation detection, which is not hindered by
firewalls.  My opinion here is that the Perfigo boxes are a little
light, and not something I really like to see in line on my LAN,
although they can run in a high-availability mode.  But they do a much
better job at remediation.

If I have my way, we will leave CM in place and tied to the IDS to catch
the bad (or stupid) guys, and use Perfigo for remediation.

Sorry for the rant, but you hit on a touchy subject over here....


++++++++++++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++++++++++++

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Matt Ashfield
Sent: Thursday, January 13, 2005 3:28 PM
To: 'Youngquist, Jason R.'; 'UNIversity Security Operations Group'
Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?

Will the Perfigo/Cisco software authenticate at the edge? I can't see
how it would. And if it is more of a core authenticator, does that mean
you must run all your network through that box? Or do you simply use it
as an authenticating agent, like Radius, tied to LDAP?

Thanks

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
mda at unb.ca 


-----Original Message-----
From: Youngquist, Jason R. [mailto:jryoungquist at ccis.edu] 
Sent: January 13, 2005 4:03 PM
To: UNIversity Security Operations Group; mda at unb.ca
Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?

Matt,

We are looking into something similar for our campus.  We would like to
authenticate users via LDAP before they can access the network.
Currently, I'm demoing the WG-2100 wireless gateway from Blue Socket and
also just got in and will soon be demoing CISCO's Clean Access Server
(formerly Perfigo).  CISCO's Clean Access Server seems to be quite cool
because it has remediation capability.  We hope to initially deploy this
device on the wireless and dorm network, and then hopefully campus-wide.


Jason Youngquist
jryoungquist at ccis.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of BACHAND, Dave (Info.
Tech. Services)
Sent: Thursday, January 13, 2005 9:52 AM
To: mda at unb.ca; UNIversity Security Operations Group
Subject: RE: [unisog] EAP/802.1x to the edge...anyone doing it?

Hello-

We looked at the same issue, in particular for the dorms.  Still a work
in progress, but here's what we're doing.

For full authentication and control, we are using Bradford's Campus
Manager product.  It in effect goes beyond simple .1x in that the user
is forced to authenticate, and is then forcefully switched between VLANs
based on identity.  Hubs and the like pose less of a problem, in that
Bradford's product periodically picks up the MAC cache of the edge
devices, and compares it to the identified list.  If there is a rogue on
the port, it's switched to the most restrictive VLAN.  So far, it's a
decent product, but not flawless.  One huge plus is that we have been
able to tie it to our perimeter IDS, so for specific signatures such as
Backdoor, CM will flag the user as a rogue and shut them down at the
edge wherever they pop up.  This has made the residence hall VLANs a lot
more stable.

We are looking to either use simple MAC locking, .1X, or CM in public
areas where we don't allow rogues or hubs in the future.  The thought
being, if they plug in anything other than what we put there, they
either stop working or go to a VLAN with internet service throttled to
something slower than an old modem and no LAN access at all....



++++++++++++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++++++++++++

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Matt Ashfield
Sent: Thursday, January 13, 2005 9:54 AM
To: 'UNIversity Security Operations Group'
Subject: [unisog] EAP/802.1x to the edge...anyone doing it?

Hi All,

We're currently looking at 802.1x/EAP authentication (using MD5, i.e.
username/password and possibly MAC address) at the edge of our network.
It seems like it could be a major implementation headache. Things that
exist on our campus network like hubs (plugged into other hubs!),
Xboxes, printers, etc. all pose problems. As well, if we do MD5
authentication, I believe that the Novell Client will also pose
problems.

I guess I'm just looking for feedback from anyone who is currently doing
802.1x at the edge. What have been your experiences? Also, do you know
if you can get a RADIUS server to return a VLAN ID to the edge switch,
so you'll be placed in an appropriate VLAN after authenticating (or do
you have to rely on the config of the edge switch to do it?).

Any info/comments are appreciated.

Cheers

Matt Ashfield
Network Analyst
University of New Brunswick
mda at unb.ca
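
On the question of having RADIUS hand the edge switch a VLAN: the standard mechanism is the RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=<vlan>) carried in the Access-Accept, as profiled in RFC 3580. The following is an added illustration, not code from the thread or from any of the products named in it: it encodes those three attributes as a switch expects them and parses a reply back, returning the VLAN only when the full, consistently tagged triple is present. Attribute and value numbers are the IANA/RFC ones; the VLAN ids used in testing are constructed.

```python
# RADIUS tunnel attributes (RFC 2868), reused by RFC 3580 to carry a
# VLAN assignment in an 802.1X Access-Accept.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802

def _attr(attr_type, tag, body):
    # Attribute wire format: type octet, length octet, tag octet, value.
    body = bytes([tag]) + body
    return bytes([attr_type, 2 + len(body)]) + body

def build_vlan_attributes(vlan, tag=1):
    """Attributes a RADIUS server adds to Access-Accept so the edge
    switch moves the authenticated port into the given VLAN."""
    return (_attr(TUNNEL_TYPE, tag, VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, tag, IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan).encode("ascii")))

def parse_attributes(data):
    """Walk a RADIUS attribute list into (type, tag, value) tuples."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 3 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        t, length = data[i], data[i + 1]
        body = data[i + 2:i + length]
        # A first octet above 0x1F is value data, not a tag (RFC 2868).
        tag, val = (body[0], body[1:]) if body[0] <= 0x1F else (0, body)
        out.append((t, tag, val))
        i += length
    return out

def assigned_vlan(data):
    """VLAN id (int) or VLAN name (str) the switch should apply, or None
    if the reply lacks a consistent VLAN/IEEE-802 tunnel triple."""
    by_tag = {}
    for t, tag, val in parse_attributes(data):
        by_tag.setdefault(tag, {})[t] = val
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            gid = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
            return int(gid) if gid.isdigit() else gid
    return None
```

Whether the switch honours the triple (and whether it accepts a VLAN name as well as a number in Tunnel-Private-Group-Id) is a per-vendor feature of the edge switch, so the attributes are necessary but not sufficient on their own.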

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog