Educause Security Discussion mailing list archives

Re: 802.1x Question


From: Christian Heroux <Christian.Heroux () ETSMTL CA>
Date: Tue, 29 Mar 2011 16:59:26 -0400

Hello!

I have seen this problem encountered by another university during a presentation. They seem to have done it in 2 steps!

Authenticating the machine gives you access to the Active Directory VLAN.

Then authenticating the user gives you access to the right VLAN according to your profile.

Not sure if that would help in your case.

Only the AAA or network device needs access to Active Directory during the 802.1x authentication process... not the end user 
computer.

We are looking to implement 802.1x only on public jacks, so we don't go that far to switch the user into another VLAN... for 
the moment.

Best regards,

Christian Héroux Ing., M.Ing., ITIL
Systems, Infrastructure and Telecommunications Section
École de Technologie Supérieure
Montréal, Qc
Canada
Email: christian.heroux () etsmtl ca
Telephone: (514) 396-8800 ext 7863

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sam Walker
Sent: 29 March 2011 12:38
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 802.1x Question

I wished to obtain some opinions on a particular topic.  We are reviewing new proposals for our network configuration, 
and came across an issue we have debated internally.  To offer some background, our network requirements were to 
provide a dynamic configuration of both wired and wireless ports.  In the past, each port (student or faculty/staff) 
was static.

One proposal included the following configuration using 802.1x.  By default, all devices would be placed within a guest 
VLAN.  A Cisco ACS server would be configured to authenticate against our local Active Directory database for group 
membership.  So if a faculty user account is used, the machine would be placed within the faculty/staff VLAN.  If a 
student logs in, the device would be placed within the student VLAN.  If the device is not successfully authenticated, 
it would remain within the guest VLAN.

The problem we have determined is the access required by the guest VLAN.  Since it is the default VLAN initially, it 
would require access to our Active Directory domain controllers to authenticate.  If someone would take a new machine 
and wished to add it to our local Windows domain, it too would need access to the domain controllers.  But this appears 
to be a huge security hole to us, as a machine within the guest VLAN would have direct access to our DCs.

So we wished to query how others were handling 802.1x authentication.  One potential solution would be to have another 
VLAN as the initial value, and place devices that would not authenticate successfully to the guest VLAN.  But we wished 
to obtain some opinions on this subject before moving forward.  Thanks.   
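To make the two-step idea from the reply concrete next to the proposal in this post, here is an added example (not code from either poster, nor from Cisco ACS) that models the RADIUS-side decision: the AAA server does the Active Directory group lookup and hands the switch an RFC 3580 VLAN assignment, while a failed authentication is simply rejected and the switch keeps the port in its locally configured guest VLAN. The VLAN IDs, identities and the AD_DIRECTORY lookup table are constructed assumptions.

```python
"""Constructed model of the dynamic-VLAN decision discussed in this thread:
the RADIUS server (ACS here) looks the identity up in AD and answers the
switch with RFC 3580 tunnel attributes. Only this server touches the
domain controllers; the supplicant on the port only speaks EAPOL.
"""

# VLAN IDs are assumptions chosen for this example.
VLAN_AD_ONLY = 100   # step 1: machine-authenticated, reaches DCs only
VLAN_FACULTY = 10
VLAN_STUDENT = 20

# Constructed stand-in for the Active Directory group lookup.
# Windows supplicants present computer identities as "host/<fqdn>".
AD_DIRECTORY = {
    "host/lab-pc01.campus.example": {"Domain Computers"},
    "jdoe": {"Domain Users", "Faculty"},
    "s1234": {"Domain Users", "Students"},
}


def tunnel_attributes(vlan):
    """Attributes a RADIUS Access-Accept carries to assign a port VLAN."""
    return {
        "Tunnel-Type": 13,                 # VLAN
        "Tunnel-Medium-Type": 6,           # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }


def authorize(identity, credential_ok):
    """Return (RADIUS reply code, attributes) for one 802.1x attempt.

    Step 1: a machine identity (host/...) gets the AD-only VLAN so the
    box can reach the DCs for group policy and logon.
    Step 2: a user identity is mapped to a VLAN by AD group.
    Anything that fails is rejected; the switch then keeps the port in
    its locally configured guest VLAN, as in the proposal above.
    """
    groups = AD_DIRECTORY.get(identity)
    if not credential_ok or groups is None:
        return ("Access-Reject", None)
    if identity.startswith("host/") and "Domain Computers" in groups:
        return ("Access-Accept", tunnel_attributes(VLAN_AD_ONLY))
    if "Faculty" in groups:
        return ("Access-Accept", tunnel_attributes(VLAN_FACULTY))
    if "Students" in groups:
        return ("Access-Accept", tunnel_attributes(VLAN_STUDENT))
    # Authenticated but no role mapping: do not guess a privileged VLAN.
    return ("Access-Reject", None)
```

Because the reject path carries no VLAN attribute, the guest VLAN needs no route to the domain controllers at all; the only host that must reach them is the RADIUS server.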
