- David's Church Information Technology - https://infotech.davidszpunar.com -

802.1x Port-based Authentication

Is anyone else using 802.1x for wired authentication? I’ve got it working for wireless networking, which is pretty cool. But what about wired ports? I don’t necessarily want to go to the trouble of locking down every port on campus with 802.1x. Or do I? But public ports are what worry me. For now, the only wired ports in public areas are either physically unplugged at the rack (since they’re mostly brand new), hooked up to the public wi-fi VLAN so you could get free internet access just as if you had wi-fi, or locked down with port security to only the MAC addresses of the authorized equipment that’s already installed.

But, with 802.1x, there’s the possibility of making the ports automatically members of the public VLAN for free access. But when a computer connects that can authenticate via 802.1x, it can bump them onto the employee VLAN. Sweet. But I need to do some manual-reading and testing on our ProCurve switches. Is it worth the effort? Is the Windows XP SP2 802.1x supplicant good enough, or would we need to pay for a third party supplicant? I’ve noticed that for wireless, the Windows 802.1x supplicant seems to be much better that it was originally, and most laptops are coming with even better software built-in from the manufacturer. A year or two ago, I wouldn’t implement an 802.1x-based network with the Windows XP client if you paid me. Well, depends on how much, but it would hurt anyway…

11 Comments (Open | Close)

11 Comments To "802.1x Port-based Authentication"

#1 Comment By Clif Guy On May 9, 2007 @ 3:34 pm

We’ve thought about doing exactly what you’re considering. I’ve resisted on the principle of “less is more.” With every idea for something new in our network I’m weighing the impact of greater complexity into the decision. We run HP switches too. We have no secure WiFi – all WiFi is on our guest VLAN. For now, we have decided to put network ports in public places on our guest VLAN too. I’m hoping that will provide sufficient security without increasing the management complexity.

#2 Comment By Matthew Irvine On May 9, 2007 @ 7:58 pm

I’m embarrassed to admit, but all of our APs are straight into the switches with everything else, so are our wired ports in public areas. I don’t have the budget to change it now, and my boss doesn’t see it as a problem. I’ve got to convince him that without pulling those APs into a guest VLAN or at least behind the firewall, that we are quite vulnerable.

#3 Comment By David Szpunar On May 10, 2007 @ 11:24 am

Matthew,

We’ve only recently been able to do most of what I’ve mentioned due to replacing our non-managed core switches with managed switches, and at the same time implementing a WLAN solution that has multiple VLAN capability built-in. Employees can still get to the internal network over wireless, but it’s encrypted (still a combination of WPA-PSK for some and WPA with 802.1x for others, moving to all-802.1x in the future). A separate network for public use is operating on a different VLAN, going through our Nomadix AG-3000 access device. The fact that we can use the same access points to do all this (actually we could run up to 16 separate networks on the same APs, each with individualized settings, or 32 if we used an advanced mode) is amazing, and well worth the money in my opinion!

Public wi-fi isn’t an option for many, or at least it’s easy to see the benefits if that’s the direction you want to go. At the same time, security isn’t an option either, but it isn’t always easy in a church environment where the default is often “trust.” Not that trust is a bad thing, but “trust everyone” is a bad policy. Security is a balance between risk and convenience (and cost), so my recommendation is to put it on your projects list, but don’t sweat it in the short term if it’s worked so far. If you have problems, bump it up the priority list! The potential problems could be big, but the risk that there could be a problem is something only you can figure out for your environment.

#4 Comment By Hunter French On May 18, 2007 @ 9:25 am

David – Perhaps you have another blog post on the way about the process you followed to implement 802.1x in your wireless environment. Thanks, Hunter

#5 Comment By David Szpunar On May 18, 2007 @ 10:18 am

Hunter – I’ll see what I can do; I’ll get a post started but not sure when I’ll have time to finish it. I probably won’t get down to the screenshot level but I can give a more in-depth overview of the process I used. Do note that we’re not using certificates yet.

#6 Pingback By Wireless 802.1x Authentication: Overview On May 18, 2007 @ 11:52 pm

[…] been asked to post some information on how I implemented 802.1x authentication in our wireless network. This […]

#7 Comment By Hunter French On May 20, 2007 @ 1:35 pm

David, that would be great. We are migrating to a certificate based WPA from WEP (yikes!). We are currently in the process of building our PKI infrastructure.

#8 Comment By David Szpunar On May 20, 2007 @ 2:54 pm

Hunter – I’ve posted the first set of details on our [1] implementation. More to come. We aren’t using certificates yet, mainly because of the PKI infrastructure required…either we have to pay a lot for third-party certificates, or do an in-house CA (Certificate Authority). I’ve configured an in-house test CA before, but that system failed a while back and without adequate backups for the root cert (actually I had backups, but they wouldn’t restore on a new machine properly) I was left without PKI for now. It’ll come in the future, but I need to learn more about it and do it the right way, the first was more of a half-live lab :-)

I did have certificate-based WPA working with that test PKI at one point, however! This was still back on the Linksys test AP.

#9 Comment By Andrew Miehs On February 14, 2008 @ 6:06 am

Hi David,

I am currently looking at the 802.1x issue as well – I am still having problems to get the Windows clients to cause the switch to send anything to the radius server – I am still playing with the windows supplicant client. I am tending now towards MAC based filtering as I have read that the windows client only authenticates on login…

Cisco recently boot “MeetingPlaces” who make the AEGIS supplicant, and this looks like it may work better than the Windows XP thing – and it seems to be free for wired usage…..

Still looking…

Andrew

#10 Comment By David Szpunar On February 14, 2008 @ 10:57 am

Thanks for the information Andrew! I haven’t had time to pursue this further, but I appreciate you sharing what you’ve found. I’ll definitely check it out when I can look into this some more! For now, I’m simply not even plugging in public network ports physically in the network closet, unless they’re needed. If they are needed, I’m using port security on my HP switches to lock down the port to a single MAC address, and turn off the port if any other addresses are detected. It requires more management, but is simpler to set up for now and there hasn’t been enough of a pressing need to bring the issue to the forefront again yet.

#11 Comment By Stefan On April 13, 2008 @ 5:21 am

Hi List,
I am on that, too.
I tried to auth XP via DLINK switches agaist a free radius server without getting it running smoothly by now.

My questions are:
– I only need MAC-Based placing of the nodes into the VLANs.
How to avoid the “Please Enter … to login to network” message at XP ?
– Anybody out there running a working freeradius config to post it somewhere ?