David Szpunar: Lead Engineer, PC Help Services

David's Church Information Technology

May 8th, 2007 at 10:04 pm

802.1x Port-based Authentication

Is anyone else using 802.1x for wired authentication? I’ve got it working for wireless networking, which is pretty cool. But what about wired ports? I don’t necessarily want to go to the trouble of locking down every port on campus with 802.1x. Or do I? But public ports are what worry me. For now, the only wired ports in public areas are either physically unplugged at the rack (since they’re mostly brand new), hooked up to the public wi-fi VLAN so you could get free internet access just as if you had wi-fi, or locked down with port security to only the MAC addresses of the authorized equipment that’s already installed.

But, with 802.1x, there’s the possibility of making the ports automatically members of the public VLAN for free access. But when a computer connects that can authenticate via 802.1x, it can bump them onto the employee VLAN. Sweet. But I need to do some manual-reading and testing on our ProCurve switches. Is it worth the effort? Is the Windows XP SP2 802.1x supplicant good enough, or would we need to pay for a third party supplicant? I’ve noticed that for wireless, the Windows 802.1x supplicant seems to be much better than it was originally, and most laptops are coming with even better software built-in from the manufacturer. A year or two ago, I wouldn’t implement an 802.1x-based network with the Windows XP client if you paid me. Well, depends on how much, but it would hurt anyway…
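
The public-by-default, employee-on-authentication port described above could look like this in the ProCurve CLI. This is an added example, not configuration from the original post; the VLAN IDs, port range, RADIUS server address and shared-secret placeholder are all assumptions.

```text
; Added example: every value below is constructed, not taken from the post.
; Assumed: VLAN 10 = employee, VLAN 20 = public, edge ports 1-24,
; RADIUS server at 192.0.2.10 (documentation address).
vlan 10 name "Employee"
vlan 20 name "Public"

; Send 802.1X authentication requests to RADIUS using EAP.
radius-server host 192.0.2.10 key <shared-secret>
aaa authentication port-access eap-radius

; Make the edge ports 802.1X authenticators.
aaa port-access authenticator 1-24

; A client that does not authenticate is placed in the public VLAN.
aaa port-access authenticator 1-24 unauth-vid 20

; A client that authenticates is moved to the employee VLAN.
aaa port-access authenticator 1-24 auth-vid 10

; Nothing is enforced until the authenticator is activated.
aaa port-access authenticator active
```

`show port-access authenticator` reports the per-port state afterwards, which is worth checking on a test port with both an authenticating and a non-authenticating client before rolling the change out to public areas.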