802.1x port based authentication

jlazzaro

Golden Member
May 6, 2004
Anyone ever implement 802.1x port based authentication on a large scale? We always have visitors at our main building and are looking for a way to eliminate their access. At a previous job MetaIP MAC databases were implemented...only known MAC addresses are given IP addresses. It worked like a charm, but managing 4000+ MAC addresses wasn't fun.

For this solution I wouldn't go the MAC address route...most likely AD username/passwords using PEAP and RADIUS. I'm just unsure how the credentials are actually passed through. Is access given every time a user logs on? Does it use the current credentials when you initially log in to the domain, or are there other steps?

Any pitfalls associated with this type of authentication? I'm aware of the problem with a hub on one of the switchports. Failed authentication would cut everyone on that switchport, correct? Any input is appreciated!
 

nightowl

Golden Member
Oct 12, 2000
You can do user authentication, but that can cause problems with logging on since you cannot get an IP address until you log on. A better way to go in my opinion is to do machine authentication. It is just as secure and you still have to log on to the machine to get access. As soon as you remove the machine from the network, the port becomes unauthorized and no one can access the port. As far as the hub being used, users still cannot access the network unless they spoof the MAC address of the authorized machine. This is because as soon as a second MAC address is seen on the port, the port is shut down. As far as the authentication type, EAP-TLS works well and is certificate based. Each PC has a cert and that is the credential that is used to allow access. If you have any other questions just let me know.
 

Darthkim

Senior member
Dec 11, 1999
Yup, we've been running it for about 2 years now. PEAP with Cisco ACS, on Cisco networking gear.

I would highly recommend that you read the dot1x papers published by Microsoft and Cisco. The papers outline the process of authentication and infrastructure implementation.

It does take a bit of effort to install, and it helps tremendously if your clients are on Windows XP SP1 and using a single-platform networking infrastructure.

There are different ways around the hub issue (such as allowing multiple hosts per interface, etc). Even if someone put a hub between the switch and the host, the minute the switch detects another MAC address, it will switch the port from passing to failed.

Credentials are passed through using broadcast between the computer and switch. As soon as the switchport state changes, the switch listens for specific packets. Once the PC boots into an O/S, it should send out initialization packets to the switch. The switch responds, the computer sends credentials, the switch passes credentials to RADIUS, RADIUS authenticates the credentials, verifies if any other parameters need to be sent (such as user-specific VLANs, ACLs, NAC-related stuff), and then the switch brings the switchport up.

Guest VLAN access works the same way. A guest with no dot1x won't send the initialization packet, so the switch (after a specific timeout value) will fail the switch and place them in a guest VLAN. However, most laptops with SP1 or 2 have dot1x enabled in a non-functioning manner, so depending on your switch manufacturer, it should be able to tell the difference between a valid and invalid dot1x request.

Using everything Cisco and Microsoft, it took a good amount of testing to smooth it out. I would highly recommend testing this in a lab and working it out before deploying it to production.
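The port behaviour described in the two posts above (supplicant initialization, credentials relayed to RADIUS, VLAN assignment on Access-Accept, guest VLAN after a timeout, and the port failing when a second MAC appears behind a hub) can be sketched as a small state machine. The following is an added illustration, not code from this thread or from any switch or RADIUS vendor; it collapses the PEAP/EAP-TLS exchange into an identity/secret pair, uses a constructed in-memory credential table in place of RADIUS/AD, and assumes the dynamic-VLAN attributes defined in RFC 2868/RFC 3580 (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id).

```python
"""Toy 802.1X authenticator port: added example, not from the thread."""
from dataclasses import dataclass, field
from typing import Optional

# RADIUS attribute values that carry a dynamic VLAN assignment (RFC 2868 / 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Constructed stand-in for the RADIUS/AD back end: identity -> (secret, vlan).
# A real deployment never stores plaintext secrets; this is only for the model.
BACKEND = {
    "host/pc01.example.local": ("machine-secret", 10),   # machine account
    "alice": ("alice-pw", 20),                           # user account
}


def radius_authenticate(identity, secret):
    """Return Access-Accept attributes, or None to model an Access-Reject."""
    entry = BACKEND.get(identity)
    if entry is None or entry[0] != secret:
        return None
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-Id": str(entry[1])}


def vlan_from_radius(attrs):
    """Only honour the VLAN if all three tunnel attributes are consistent."""
    if (attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
            or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802):
        raise ValueError("Access-Accept lacks VLAN tunnel attributes")
    return int(attrs["Tunnel-Private-Group-Id"])


@dataclass
class Port:
    guest_vlan: int = 99            # constructed guest VLAN id
    start_timeout_s: float = 30.0   # "after a specific timeout value"
    state: str = "unauthorized"
    vlan: Optional[int] = None
    mac: Optional[str] = None
    log: list = field(default_factory=list)

    def link_up(self):
        self.state, self.vlan, self.mac = "unauthorized", None, None
        self.log.append("link up: EAP-Request/Identity sent, waiting for supplicant")

    def tick(self, elapsed_s):
        """No supplicant ever answered: fall back to the guest VLAN."""
        if self.state == "unauthorized" and elapsed_s >= self.start_timeout_s:
            self.state, self.vlan = "guest", self.guest_vlan
            self.log.append(f"no EAPOL after {elapsed_s}s: guest VLAN {self.guest_vlan}")

    def eapol(self, src_mac, identity, secret):
        """Supplicant sent EAPOL-Start, its identity and its credentials."""
        if self.mac is not None and src_mac != self.mac:
            return self.security_violation(src_mac)
        self.mac = src_mac
        reply = radius_authenticate(identity, secret)
        if reply is None:
            # A supplicant that talks dot1x but fails is NOT a guest: hold the port.
            self.state, self.vlan = "failed", None
            self.log.append(f"{identity}: Access-Reject, port held unauthorized")
            return self.state
        self.vlan = vlan_from_radius(reply)
        self.state = "authorized"
        self.log.append(f"{identity}: Access-Accept, VLAN {self.vlan}")
        return self.state

    def frame_seen(self, src_mac):
        """Traffic from a second MAC (e.g. a hub behind the port) fails the port."""
        if self.state == "authorized" and src_mac != self.mac:
            return self.security_violation(src_mac)
        return self.state

    def security_violation(self, src_mac):
        self.state, self.vlan = "failed", None
        self.log.append(f"second MAC {src_mac} seen: port shut down")
        return self.state


def scenario_machine_auth():
    p = Port(); p.link_up()
    p.eapol("00:11:22:33:44:55", "host/pc01.example.local", "machine-secret")
    return p.state, p.vlan            # ("authorized", 10)


def scenario_guest_no_dot1x():
    p = Port(); p.link_up(); p.tick(31)
    return p.state, p.vlan            # ("guest", 99)


def scenario_broken_supplicant():
    """dot1x enabled but misconfigured: fails, does not get the guest VLAN."""
    p = Port(); p.link_up()
    p.eapol("00:11:22:33:44:55", "alice", "wrong-pw")
    return p.state, p.vlan            # ("failed", None)


def scenario_hub_second_mac():
    p = Port(); p.link_up()
    p.eapol("00:11:22:33:44:55", "alice", "alice-pw")
    p.frame_seen("66:77:88:99:aa:bb")
    return p.state, p.vlan            # ("failed", None)
```

The four scenario functions correspond to the cases the posts raise: a successful machine authentication landing in its RADIUS-assigned VLAN, a host with no supplicant falling into the guest VLAN only after the timeout, a host whose supplicant answers but fails being held unauthorized rather than treated as a guest, and an authorized port dropping to failed the moment a second MAC shows up behind it.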
 

cmetz

Platinum Member
Nov 13, 2001
jlazzaro, 802.1x works reasonably well, but it's definitely a bit rough to get set up. There is a lot of outdated info on the web about how to set it up, be careful.

Dell's 34xx switches have a retarded implementation that won't honor the RADIUS VLAN attributes. Cisco and Extreme work.

FreeRADIUS works great and can back-end to NTLM. It might be possible to do the authentication with Windows Server 2003 IAS directly, don't know, don't particularly care (yeah, I want *more* Windows in my infrastructure...).

Windows is a PITA about certs. It will mysteriously not take certs that are standards-compliant but not formatted the way MS does it. So be careful with OpenSSL or generate the certs in MS-land. Also, I haven't found a user-proof way to get the certs installed in the right Windows keyrings (you have to tell it to put the CA key on the "trusted root certificate authorities" ring, which isn't the default, and try getting a non-technical person to reliably pick the right choice from the drop-down...).

If you do things right, you can get WPA/WPA2 RADIUS/EAP mode infrastructure "for free" and lock down wireless well.
 