Comments on: 802.1x Port-based Authentication

By: Stefan

Stefan — Sun, 13 Apr 2008 10:21:34 +0000

Hi List,
I am on that, too.
I tried to auth XP via DLINK switches agaist a free radius server without getting it running smoothly by now.

My questions are:
– I only need link)','caption', 'Media Access Control' );">MAC-Based placing of the nodes into the VLANs.
How to avoid the “Please Enter … to login to network” message at XP ?
– Anybody out there running a working freeradius config to post it somewhere ?

By: David Szpunar

David Szpunar — Thu, 14 Feb 2008 15:57:55 +0000

Thanks for the information Andrew! I haven’t had time to pursue this further, but I appreciate you sharing what you’ve found. I’ll definitely check it out when I can look into this some more! For now, I’m simply not even plugging in public network ports physically in the network closet, unless they’re needed. If they are needed, I’m using port security on my HP switches to lock down the port to a single link)','caption', 'Media Access Control' );">MAC address, and turn off the port if any other addresses are detected. It requires more management, but is simpler to set up for now and there hasn’t been enough of a pressing need to bring the issue to the forefront again yet.

By: Andrew Miehs

Andrew Miehs — Thu, 14 Feb 2008 11:06:42 +0000

Hi David,

I am currently looking at the 802.1x issue as well – I am still having problems to get the Windows clients to cause the switch to send anything to the radius server – I am still playing with the windows supplicant client. I am tending now towards link)','caption', 'Media Access Control' );">MAC based filtering as I have read that the windows client only authenticates on login…

Cisco recently boot “MeetingPlaces” who make the AEGIS supplicant, and this looks like it may work better than the Windows XP thing – and it seems to be free for wired usage…..

Still looking…

Andrew

By: David Szpunar

David Szpunar — Sun, 20 May 2007 18:54:39 +0000

Hunter – I’ve posted the first set of details on our 802.1x wireless implementation. More to come. We aren’t using certificates yet, mainly because of the PKI infrastructure required…either we have to pay a lot for third-party certificates, or do an in-house CA (Certificate Authority). I’ve configured an in-house test CA before, but that system failed a while back and without adequate backups for the root cert (actually I had backups, but they wouldn’t restore on a new machine properly) I was left without PKI for now. It’ll come in the future, but I need to learn more about it and do it the right way, the first was more of a half-live lab :-)

I did have certificate-based link)','caption', 'Wi-Fi Protected Access' );">WPA working with that test PKI at one point, however! This was still back on the Linksys test AP.

By: Hunter French

Hunter French — Sun, 20 May 2007 17:35:31 +0000

David, that would be great. We are migrating to a certificate based link)','caption', 'Wi-Fi Protected Access' );">WPA from WEP (yikes!). We are currently in the process of building our PKI infrastructure.

By: Wireless 802.1x Authentication: Overview

Wireless 802.1x Authentication: Overview — Sat, 19 May 2007 03:52:32 +0000

[…] been asked to post some information on how I implemented 802.1x authentication in our wireless network. This […]

By: David Szpunar

David Szpunar — Fri, 18 May 2007 14:18:18 +0000

Hunter – I’ll see what I can do; I’ll get a post started but not sure when I’ll have time to finish it. I probably won’t get down to the screenshot level but I can give a more in-depth overview of the process I used. Do note that we’re not using certificates yet.

By: Hunter French

Hunter French — Fri, 18 May 2007 13:25:44 +0000

David – Perhaps you have another blog post on the way about the process you followed to implement 802.1x in your wireless environment. Thanks, Hunter

By: David Szpunar

David Szpunar — Thu, 10 May 2007 15:24:26 +0000

Matthew,

We’ve only recently been able to do most of what I’ve mentioned due to replacing our non-managed core switches with managed switches, and at the same time implementing a WLAN solution that has multiple VLAN capability built-in. Employees can still get to the internal network over wireless, but it’s encrypted (still a combination of link)','caption', 'Wi-Fi Protected Access' );">WPA-PSK for some and link)','caption', 'Wi-Fi Protected Access' );">WPA with 802.1x for others, moving to all-802.1x in the future). A separate network for public use is operating on a different VLAN, going through our Nomadix AG-3000 access device. The fact that we can use the same access points to do all this (actually we could run up to 16 separate networks on the same APs, each with individualized settings, or 32 if we used an advanced mode) is amazing, and well worth the money in my opinion!

Public wi-fi isn’t an option for many, or at least it’s easy to see the benefits if that’s the direction you want to go. At the same time, security isn’t an option either, but it isn’t always easy in a church environment where the default is often “trust.” Not that trust is a bad thing, but “trust everyone” is a bad policy. Security is a balance between risk and convenience (and cost), so my recommendation is to put it on your projects list, but don’t sweat it in the short term if it’s worked so far. If you have problems, bump it up the priority list! The potential problems could be big, but the risk that there could be a problem is something only you can figure out for your environment.

By: Matthew Irvine

Matthew Irvine — Wed, 09 May 2007 23:58:08 +0000

I’m embarrassed to admit, but all of our APs are straight into the switches with everything else, so are our wired ports in public areas. I don’t have the budget to change it now, and my boss doesn’t see it as a problem. I’ve got to convince him that without pulling those APs into a guest VLAN or at least behind the firewall, that we are quite vulnerable.

By: Clif Guy

Clif Guy — Wed, 09 May 2007 19:34:53 +0000

We’ve thought about doing exactly what you’re considering. I’ve resisted on the principle of “less is more.” With every idea for something new in our network I’m weighing the impact of greater complexity into the decision. We run HP switches too. We have no secure WiFi – all WiFi is on our guest VLAN. For now, we have decided to put network ports in public places on our guest VLAN too. I’m hoping that will provide sufficient security without increasing the management complexity.