Educause Security Discussion mailing list archives

Re: 802.1x Question


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Wed, 30 Mar 2011 16:19:52 -0400

Of course, with wireless it is quite easy to accomplish this at relatively
low or no cost, imho if you're using 802.1x authentication and modern
wireless hardware.  Wired, however, might present some challenges
depending on your environment.   If you have $ to throw at the issue,
Bradford Networks' Campus Manager can handle this pretty well and
considerably more.

Dexter Caldwell
Information Security Administrator
Information Technology Services
Furman University
3300 Poinsett Hwy
Greenville, SC 29613
email: dexter.caldwell () furman edu
office: 864-294-3566

The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
I wished to obtain some opinions on a particular topic.  We are
reviewing new proposals for our network configuration, and came across an
issue we have debated internally.  To offer some background, our network
requirements were to provide a dynamic configuration of both wired and
wireless ports.  In the past, each port (student or faculty/staff) was
static.

One proposal included the following configuration using 802.1x.  By
default, all devices would be placed within a guest VLAN.  A Cisco ACS
server would be configured to authenticate against our local Active
Directory database for group membership.  So if a faculty user account
is used, the machine would be placed within the faculty/staff VLAN.  If
a student logs in, the device would be placed within the student VLAN.
If the device is not successfully authenticated, it would remain within
the guest VLAN.

The problem we have determined is the access required by the guest
VLAN.  Since it is the default VLAN initially, it would require access
to our Active Directory domain controllers to authenticate.  If someone
would take a new machine and wished to add it to our local Windows
domain, it too would need access to the domain controllers.  But this
appears to be a huge security hole to us, as a machine within the guest
VLAN would have direct access to our DCs.

So we wished to query how others were handling 802.1x authentication.
One potential solution would be to have another VLAN as the initial
value, and place devices that would not authenticate successfully to the
guest VLAN.  But we wished to obtain some opinions on this subject
before moving forward.  Thanks.
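An added illustration of the port configuration the question describes, not from either poster: a Cisco IOS access-port setup (Catalyst-style `authentication` syntax is assumed; it varies by IOS release) in which the RADIUS server returns the VLAN per Active Directory group, devices that never answer EAPOL land in a separate onboarding VLAN rather than the guest VLAN, and failed authentications go to the guest VLAN. VLAN numbers, subnets, the RADIUS address and the ACL names are placeholders.

```text
! Added example, not from the thread. Placeholder values:
! VLAN 100 = onboarding, VLAN 200 = guest, VLAN 300 = student,
! VLAN 400 = faculty/staff, 10.0.0.5 = ACS, 10.1.1.0/24 = DC subnet.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Successful logons get their VLAN from the RADIUS Access-Accept. The
! attributes ACS returns per AD group are the RFC 3580 tunnel attributes:
!   Tunnel-Type (64)            = VLAN (13)
!   Tunnel-Medium-Type (65)     = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = 300 (students) or 400 (faculty/staff)
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ! No supplicant / no EAPOL reply: onboarding VLAN, not the guest VLAN
 authentication event no-response action authorize vlan 100
 ! Wrong credentials or rejected account: guest VLAN
 authentication event fail action authorize vlan 200
 spanning-tree portfast
!
! Keep the guest VLAN away from the domain controllers; only the
! onboarding VLAN may reach the DC subnet, so a new machine can still
! be joined to the domain from there.
ip access-list extended GUEST-IN
 deny   ip any 10.1.1.0 0.0.0.255
 permit ip any any
ip access-list extended ONBOARD-IN
 permit ip any 10.1.1.0 0.0.0.255
 deny   ip any any
interface Vlan200
 ip access-group GUEST-IN in
interface Vlan100
 ip access-group ONBOARD-IN in
```

With this layout the EAP exchange itself is relayed by the switch to ACS, so the client port needs no IP path to the DCs to authenticate; only the domain-join case needs the onboarding VLAN's narrow DC access.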
