Educause Security Discussion mailing list archives

Re: 802.1X for wired ports


From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Thu, 17 Jun 2010 08:57:37 -0400

When I worked on a wireless 802.1X PEAPv0 and TTLS deployment, I thought about the same thing - why can't the RADIUS 
endpoint be verified similar to TLS websites, e.g. via certificate path validation? It's just not possible without the 
user making the decision or having his device configured in some secure way (which BTW applies to websites also), 
because an intruder can buy a cert for his RADIUS server, so someone has to pick between radius.myschool.edu and 
gotcha-radius.myschool.edu.

Mike



Mike Wiseman
Information Security Group
University of Toronto





On 16/06/2010, at 3:57 AM, David Gillett wrote:


  I believe 802.1X is a good solution for "inside" ports, but for "public access" ports a captive portal may be a 
better option (redirects browser requests to a login page and blocks other traffic until login succeeds).  We 
initially used BlueSocket for our wireless authentication, and it could easily be deployed this way...

This is what we do with our wireless networks: the basic unencrypted access is via captive portal and the encrypted SSID 
that lands inside our network is 802.1X.   We are looking at using 802.1X for wired access for student laptops in the 
library and labs.  The main headache we have had with 802.1X is that the Cisco PEAP to our RADIUS involves clients 
having to either preconfigure the RADIUS servers as trusted or click through a dialog box saying the service is 
untrusted the first time you authenticate.

If anyone knows of a way around this I would be delighted to know.

The issue is that PEAP hands off the authentication of the client to the RADIUS server directly.  The client has no way of 
knowing if the RADIUS server it has been pointed to is trustworthy, so most ask the user, who does not know either.

Russell




David Gillett

________________________________
From: Entwistle, Bruce [mailto:Bruce_Entwistle () REDLANDS EDU]
Sent: Monday, June 14, 2010 17:21
To: SECURITY () listserv educause edu
Subject: [SECURITY] 802.1X for wired ports

We are currently looking for a method to secure wired ports located in locations accessible by the general public.  The 
network devices to which these ports are connected are Cisco 3750 switches.  I have tested port based authentication 
however I ran into the problem of not having the required supplicant installed.  We are trying to avoid having to do 
configuration on the client(student) machines.  I was looking to find out what others have done to prevent users 
outside the organization from simply connecting their computer through use of a patch cable and surfing the Internet.

Thank you
Bruce Entwistle
Network Manager
University of Redlands
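The trust decision the thread is circling (can the supplicant tell radius.myschool.edu from gotcha-radius.myschool.edu?) is easier to see in code. The block below is an added example, not code from any of the posters or from the Educause list; it models the server-certificate checks of a PEAP/TTLS supplicant using the wpa_supplicant network-block keys ca_cert, domain_match and domain_suffix_match. The certificates, the trust store and the three profiles are constructed for the example, and the "cert" dicts stand in for what the supplicant sees after chain validation.

```python
"""Model of how an 802.1X supplicant (PEAP/TTLS) decides whether the RADIUS
server terminating its TLS tunnel is the one it expects.  Added example;
certificates, trust store and profiles are constructed, and the profile
syntax follows wpa_supplicant's network={...} block."""

# Constructed trust store: ca_cert path -> name of the CA that file contains.
TRUST_STORE = {"/etc/ssl/certs/public-ca.pem": "Public CA"}

# Constructed server certificates as seen after chain validation: the CA that
# signed them and the DNS names in their SAN.  Note the rogue server holds a
# perfectly valid certificate from the same public CA as the real one.
LEGIT_SERVER = {"issuer": "Public CA", "dns_names": ["radius.myschool.edu"]}
ROGUE_SERVER = {"issuer": "Public CA", "dns_names": ["gotcha-radius.myschool.edu"]}
SELF_SIGNED = {"issuer": "Basement CA", "dns_names": ["radius.myschool.edu"]}

WEAK_PROFILE = """
network={
    ssid="myschool-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    # no ca_cert: the server certificate is never validated at all
}
"""

CA_ONLY_PROFILE = """
network={
    ssid="myschool-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    ca_cert="/etc/ssl/certs/public-ca.pem"
    # chain is checked, but any name under that CA is accepted
}
"""

PINNED_PROFILE = """
network={
    ssid="myschool-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student"
    ca_cert="/etc/ssl/certs/public-ca.pem"
    domain_match="radius.myschool.edu"
}
"""


def parse_network_block(text):
    """Minimal parser for a wpa_supplicant network block: key=value lines,
    quotes stripped, '#' comments and the braces ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("network=") or line == "}":
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def suffix_matches(name, suffix):
    """domain_suffix_match semantics: suffix must line up on a label boundary,
    so 'school.edu' does not match 'myschool.edu'."""
    name, suffix = name.lower(), suffix.lower()
    return name == suffix or name.endswith("." + suffix)


def server_accepted(profile_text, cert):
    """Return (accepted, reason) for a server certificate under a profile."""
    cfg = parse_network_block(profile_text)
    ca_path = cfg.get("ca_cert")
    if ca_path is None:
        # wpa_supplicant skips server-certificate verification when ca_cert is
        # unset; this is the "trust anything" case the thread complains about.
        return True, "no ca_cert configured: server certificate not validated"
    if cert["issuer"] != TRUST_STORE.get(ca_path):
        return False, "chain does not lead to the configured CA"
    if "domain_match" in cfg:
        wanted = [d for d in cfg["domain_match"].split(";") if d]
        if not any(n.lower() == w.lower() for n in cert["dns_names"] for w in wanted):
            return False, "SAN does not equal domain_match"
    if "domain_suffix_match" in cfg:
        wanted = [d for d in cfg["domain_suffix_match"].split(";") if d]
        if not any(suffix_matches(n, w) for n in cert["dns_names"] for w in wanted):
            return False, "SAN does not end in domain_suffix_match"
    return True, "chain and name constraints satisfied"


if __name__ == "__main__":
    profiles = [("weak", WEAK_PROFILE), ("ca-only", CA_ONLY_PROFILE), ("pinned", PINNED_PROFILE)]
    servers = [("legit", LEGIT_SERVER), ("rogue", ROGUE_SERVER), ("self-signed", SELF_SIGNED)]
    for plabel, profile in profiles:
        for slabel, cert in servers:
            ok, why = server_accepted(profile, cert)
            print(f"{plabel:8} {slabel:12} {'ACCEPT' if ok else 'REJECT':7} {why}")
```

Running it shows the three outcomes the thread describes: the weak profile accepts every server, the CA-only profile still accepts gotcha-radius.myschool.edu because that certificate really was issued by the trusted CA, and only the profile that names the expected server rejects it. A suffix match on myschool.edu would not help against the name in Mike's example, which is why the exact domain_match (or, on Windows, the "Connect to these servers" entry in the PEAP properties) is the setting to push out to clients.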


