Educause Security Discussion mailing list archives

Re: 802.1X for wired ports


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 17 Jun 2010 08:30:12 +1200


On 16/06/2010, at 3:57 AM, David Gillett wrote:

  I believe 802.1X is a good solution for "inside" ports, but for "public access" ports a captive portal may be a 
better option (redirects browser requests to a login page and blocks other traffic until login succeeds).  We 
initially used BlueSocket for our wireless authentication, and it could easily be deployed this way.....

This is what we do with our wireless networks: the basic unencrypted access is via captive portal and the encrypted SSID 
that lands inside our network is 802.1x.   We are looking at using 802.1x for wired access for student laptops in 
library and labs.  The main headache we have had with 802.1x is that the Cisco PEAP to our RADIUS involves clients 
having to either preconfigure the RADIUS servers as trusted or click through a dialog box saying the service is 
untrusted the first time you authenticate.

If anyone knows of a way around this I would be delighted to know.

The issue is that PEAP hands off the authentication of the client to the RADIUS directly.  The client has no way of 
knowing if the RADIUS server it has been pointed to is trustworthy, so most ask the user, who does not know either.

Russell


 
David Gillett

From: Entwistle, Bruce [mailto:Bruce_Entwistle () REDLANDS EDU] 
Sent: Monday, June 14, 2010 17:21
To: SECURITY () listserv educause edu
Subject: [SECURITY] 802.1X for wired ports

We are currently looking for a method to secure wired ports located in locations accessible by the general public.  
The network devices to which these ports are connected are Cisco 3750 switches.  I have tested port-based 
authentication; however, I ran into the problem of not having the required supplicant installed.  We are trying to 
avoid having to do configuration on the client (student) machines.  I was looking to find out what others have done to 
prevent users outside the organization from simply connecting their computer through use of a patch cable and surfing 
the Internet.
 
Thank you
Bruce Entwistle
Network Manager
University of Redlands
 

