Educause Security Discussion mailing list archives
Re: NAC for all wired and wireless networks
From: "Aaron S. Thompson" <athompson () BERKLEE EDU>
Date: Tue, 13 Jul 2010 16:49:52 -0400
Hi All:

Our design has four flavors of wireless and touches a few of the topics that we are all reviewing.

  Berklee-Staff
  Berklee-Student
  Berklee-Sponsored
  Berklee-Guest

All are campus wide, with Staff and Student being unrestricted, utilizing 802.1x (TTLS-WPA2-EAS) for authentication and encryption. We have found little need for any kind of posture checking as we are 99% OS X.

Berklee-Sponsored is a captive-portal-type connection that requires a specific LDAP privilege for a staff member to authenticate the connection. This is centrally controlled and utilizes a trust model for identity concerns, with email receipts, heavy logging and tracking.

Berklee-Guest is similar, but it's a generic internet connection with traffic restrictions/shaping, and the sponsorship privilege is open to any Faculty, Staff or Student.

There is a capability to have posture checking, quarantine and remediation services if you're interested.

This is all done via open source with no controller at a very low cost (minus access points!). The system is very scalable and maintains max throughput of the access points. We use FreeRadius, OpenLDAP and PacketFence.

If anyone would like to know more on what we are doing, feel free to let me know.

Regards,
Aaron

-
Aaron Thompson
Network Services Manager
Network and Telecommunications
Berklee College of Music
1140 Boylston Street, MS-186 NETT
Boston, MA 02215-3693
617.747.8656
athompson () berklee edu
www.berklee.edu

On Jul 6, 2010, at 1:54 PM, Steve Werby wrote:
> We are researching alternatives for assessing endpoint security of end user devices (not servers) connecting to our wired and wireless networks. We're primarily concerned with desktops and laptops and assessing
>
>   1. OS patch level and
>   2. an acceptable antivirus product is installed, running and that the software and virus definitions are recent.
>
> Student workstations and a large percentage of employee workstations are not centrally managed. Authentication is required to access our wireless networks, but is not currently required to access our wired networks. Because of this, a network solution is a better fit than an endpoint solution.
>
> The university has roughly 32,000 students and 10,000 employees. We currently use Cisco NAC on our residential network only. Deploying that across the enterprise is cost-prohibitive, and Cisco is recommending a different solution than what we have deployed.
>
> Have you deployed a solution or compensating controls with similar scope? Have you researched alternatives? Any details you can provide concerning your deployments, research or experience pursuing solutions would be helpful, as would pointers to any particular institutions you're aware of who have successfully deployed a solution. I'm also particularly interested in whether you have any experience with PacketFence (http://www.packetfence.org/en/home.html), which is an open source NAC.
>
> --
> Steve Werby
> Information Security Officer
> Virginia Commonwealth University
> VCU Information Security - http://infosecurity.vcu.edu/
> News, Tips & More - http://www.twitter.com/vcuinfosec
> Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf
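The FreeRADIUS/OpenLDAP/PacketFence design described in Aaron's reply boils down to a RADIUS policy decision: look the authenticating user up in the directory, decide whether the SSID they are on is permitted for their group, and answer the access point with an Access-Accept (optionally steering the client into a VLAN) or an Access-Reject. The following is an added illustration of that decision and of the RADIUS response encoding, not code from Berklee, PacketFence or FreeRADIUS. The group names, SSID-to-VLAN mapping, the "memberOf" directory snapshot and the guest-sponsor group are all constructed assumptions; a real deployment would query OpenLDAP for group membership instead of a dict, and the VLAN steering is assumed rather than stated in the post. The packet encoding follows RFC 2865 (header, Response Authenticator) and RFC 2868 (tagged tunnel attributes for VLAN assignment).

```python
"""Toy 802.1X NAC policy + RADIUS response encoder (constructed example)."""
import hashlib
import hmac
import struct

# Constructed directory snapshot: uid -> group DNs the user belongs to.
# In OpenLDAP this would come from a group search or the memberOf overlay.
DIRECTORY = {
    "staff1":   {"memberOf": ["cn=staff,ou=groups,dc=example,dc=edu"]},
    "student1": {"memberOf": ["cn=students,ou=groups,dc=example,dc=edu"]},
    "sponsor1": {"memberOf": ["cn=staff,ou=groups,dc=example,dc=edu",
                              "cn=guest-sponsors,ou=groups,dc=example,dc=edu"]},
}

# Assumed policy: SSID -> (group required for 802.1X access, VLAN to assign).
SSID_POLICY = {
    "Berklee-Staff":   ("cn=staff,ou=groups,dc=example,dc=edu", "10"),
    "Berklee-Student": ("cn=students,ou=groups,dc=example,dc=edu", "20"),
}
# Assumed LDAP privilege that lets a person sponsor a captive-portal guest.
SPONSOR_GROUP = "cn=guest-sponsors,ou=groups,dc=example,dc=edu"

# RADIUS constants (RFC 2865 / RFC 2868).
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def authorize(uid, ssid):
    """Return the VLAN id (str) for an accepted user on this SSID, or None to reject."""
    entry = DIRECTORY.get(uid)
    if entry is None or ssid not in SSID_POLICY:
        return None
    required_group, vlan = SSID_POLICY[ssid]
    return vlan if required_group in entry["memberOf"] else None


def can_sponsor(uid):
    """Captive-portal sponsorship requires a specific directory privilege."""
    entry = DIRECTORY.get(uid)
    return entry is not None and SPONSOR_GROUP in entry["memberOf"]


def vlan_attributes(vlan, tag=1):
    """RFC 2868 tunnel attributes that tell the access point which VLAN to use.

    Each value is prefixed with a one-byte tag (0x01-0x1F) grouping the three
    attributes together; integers are 3 bytes after the tag.
    """
    def tlv(attr_type, value):
        return bytes([attr_type, len(value) + 2]) + value

    tag_byte = bytes([tag])
    return (tlv(ATTR_TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(ATTR_TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + tlv(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag_byte + vlan.encode("ascii")))


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Encode a RADIUS response; the Response Authenticator binds it to the request
    and the shared secret: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """What the NAS does on receipt: recompute the authenticator and compare."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def handle_request(uid, ssid, ident, request_auth, secret):
    """Full decision for one 802.1X Access-Request: reject, or accept with a VLAN."""
    vlan = authorize(uid, ssid)
    if vlan is None:
        return build_response(ACCESS_REJECT, ident, request_auth, secret)
    return build_response(ACCESS_ACCEPT, ident, request_auth, secret, vlan_attributes(vlan))


if __name__ == "__main__":
    req_auth = bytes(16)  # constructed Request Authenticator
    pkt = handle_request("staff1", "Berklee-Staff", 7, req_auth, b"s3cret")
    print(pkt.hex(), verify_response(pkt, req_auth, b"s3cret"))
```

The important check for a practitioner is in `verify_response`: a NAS must recompute the Response Authenticator with the shared secret and the original Request Authenticator, otherwise anything on the wire can forge an Access-Accept. The user/group decision is deliberately separate from the packet encoding so the same policy can be exercised (and unit-tested) without a running RADIUS server.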