
Wondering if anyone has implemented wired 802.1x as a form of NAC, and if you could briefly describe how you’re using it. Also, would be interested in the administrative burden you feel it either adds or removes.
 
Thanks-
 
Lee Badman
Network Architect
Syracuse University
 
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We're looking at it. We recently implemented 802.1X on wireless to allow for a more secure network connection and to remove the need for devices to constantly log in; we've been using Juniper UAC with Odyssey Client and Captive Portal.

David R.
--
David Robertson
Service Delivery Manager
Network Engineering Technology
George Mason University
Voice: 703-993-2443
Fax: 703-993-3505

We implemented a system seven years ago. Let me preface it by saying the University Medical School falls under the main University of Hawaii campus, which falls under the UH System. The University System and our Medical School department are developing updated IT policies. BYOD is allowed for "work-use" with proper authorization. We do not run a hospital and our main facility only supports academic and research environments. (Wired 802.1X is only used in limited non-confidential information environments.)

We use Cisco ACS as our authentication server with dynamic firewalled intranet VLANs, and 802.1X through Cisco VoIP. Since the University System uses general LDAP (SHA) for Faculty/Staff/Students/Affiliates we couldn't use the System for authentication, due to various reasons. We ran into challenges trying to achieve "single sign-on" due to incompatible stored hashes at the System level (generic LDAP), Cisco ACS, Microsoft AD, Apple, and various built-in OS supplicants. In 2004-2005, wired 802.1X compatibility and functionality needed to mature and was an interesting solution in a public university environment. In the end, we used local authentication in ACS with the Funk Software Odyssey Client, now Juniper OAC, using a common protocol. We have not integrated 802.1X into domain workstations due to lack of various support resources.

It has been an administrative challenge for hardened devices, multi-user workstations, and "OSI layer 8". The implementation of wired 802.1X was a design spec for the new facilities being constructed at the time. Eight years later, we are looking to discontinue wired 802.1X and to require domain configurations for work-related devices that need access to our services/servers. Generally speaking, the administration is looking at more convenient network access within the protected intranet. Comprehensive policies would have helped tremendously; however, "OSI layer 8" is typically the major challenge, the next being competing technologies/services and lack of global standard support within the various platforms.

-Lionel

Lionel Shigemura
Office of Info. Tech.
UH - John A. Burns School of Medicine
(808) 692-1101 voice
(808) 692-1263 fax






Message from boschetm@ipfw.edu

We have used 802.1X in our Student Housing since 2004. We use it the same way as we use 802.1X on wireless: students can't get on the network without their username and password. We have since added Enterasys' NAC to that setup to give us a little more control. For the most part there is almost no administrative burden, and we don't have to worry about dealing with machine registration. We also implemented a guest process for when we have non-students in housing; that requires a little work from our Help Desk. We also use the policy features from Enterasys to customize the access given to users when they log in. 802.1X has made it very nice when we have to track down someone who is misbehaving. Also, when we need to kick them off the network we can enter a reason into the NAC which is displayed to the user if they open a web browser.
Let me know if you would like any more details.



Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747


We are looking at using 802.1X next year to replace our Cisco NAC. Actually, 802.1X is the direction Cisco is moving toward for their NAC product. The ISE server replaces the ACS and the Clean Access solution. It's an authentication server with a bunch of other useful features built into it. We're in the very early stage of trialing it and so far it looks very flexible. Some of the features it has are onboarding of client devices and OS identification. I believe you can trial it free from their site.

http://www.cisco.com/en/US/products/ps11640/index.html


--
Vlade Ristevski
Network Manager
IT Services
Ramapo College
(201)-684-6854

How do you handle student devices that don’t support 802.1X? I’m thinking along the lines of Xbox, Playstation, Slingbox, etc.

Andy Poirier
Network Administrator
North Central University
612-343-4758

 

Message from boschetm@ipfw.edu

We authenticate them via OS fingerprint. All of our switches have the network drop label assigned as a port alias. For the ones connected wirelessly we have enough sensors to locate them. If we notice any suspicious activity from them we try to contact the user and blacklist the device. On the occasions where we couldn't determine who the user was, the blacklisting caused them to call the Help Desk, so problems get straightened out right away. We can also do registrations with the system but we haven't done that yet. I'm sure if we have any issues that will move to the top of my project list.

For things like phones, TVs, etc. that aren't allowed by OS fingerprint there is a guest registration process. They have to present an ID to our Help Desk. But we haven't had too many of those each semester. Our Help Desk can authorize the device for 6 months if I remember correctly.


Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747


In general Cisco handles this with either web-auth or MAC-address bypass:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html

In our case, I think we would have the students register their Xboxes and put the MAC addresses in the MAB database.

I believe other vendors have some version of MAB in one form or another.
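Added example (the editor's, not code from any poster or from a vendor's NAC): a small Python model of the MAB decision both of the replies above describe, Michael's help-desk registration with a fixed authorization window and the "register the Xbox's MAC in the MAB database" approach. A MAB Access-Request carries the MAC in place of a username, so the routine normalizes the spellings switches emit, cross-checks the attributes against each other, then returns the VLAN decision. The MAC formats, VLAN numbers, dates, the 180-day window and all owner names are assumptions for illustration.

```python
"""MAC Authentication Bypass (MAB) policy for devices that cannot speak 802.1X.

Added example: models the registration database the posts describe (help desk
registers a console's MAC for a fixed period; the switch then authenticates it
by MAC).  Everything concrete (MAC formats, VLAN numbers, dates, the 180-day
window, owner names) is an assumption made for illustration.
"""
import re
from datetime import date, timedelta

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
REGISTERED_VLAN, GUEST_VLAN = 100, 900   # assumed VLAN numbers


def normalize_mac(raw):
    """Canonicalise the MAC spellings seen in RADIUS attributes.

    Switches differ: '0011.2233.4455', '00-11-22-33-44-55', '00:11:22:33:44:55'
    and '001122334455' all map to '001122334455'.  Raises ValueError otherwise.
    """
    mac = re.sub(r"[.:\-\s]", "", str(raw).strip().lower())
    if not _HEX12.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


class MabRegistry:
    """Registered non-802.1X devices with expiry, plus a blacklist of MACs."""

    def __init__(self, today, max_days=180):
        self.today = today          # injected so decisions are reproducible
        self.max_days = max_days    # cap on what the help desk may grant
        self._devices = {}          # mac -> (owner, expiry date)
        self._blocked = {}          # mac -> reason shown to the user

    def register(self, mac, owner, days=None, registered_on=None):
        days = self.max_days if days is None else min(days, self.max_days)
        start = registered_on or self.today
        self._devices[normalize_mac(mac)] = (owner, start + timedelta(days=days))

    def expiry(self, mac):
        return self._devices[normalize_mac(mac)][1]

    def block(self, mac, reason):
        self._blocked[normalize_mac(mac)] = reason

    def decide(self, user_name, user_password, calling_station_id):
        """Return (accept, vlan, reason) for one MAB-style Access-Request.

        Some switches (Cisco among them) send the MAC as both User-Name and
        User-Password; Calling-Station-Id carries it too.  Requiring all three
        to agree makes a request with a hand-edited User-Name stand out.
        """
        try:
            mac = normalize_mac(user_name)
            consistent = normalize_mac(user_password) == mac == normalize_mac(calling_station_id)
        except ValueError:
            return False, None, "attributes do not all carry a MAC address; not a MAB request"
        if not consistent:
            return False, None, "MAC differs between User-Name, User-Password and Calling-Station-Id"
        if mac in self._blocked:
            return False, None, "blacklisted: " + self._blocked[mac]
        entry = self._devices.get(mac)
        if entry is None:
            return True, GUEST_VLAN, "unregistered: guest/registration VLAN"
        owner, expires = entry
        if expires < self.today:
            return True, GUEST_VLAN, f"registration for {owner} expired on {expires}"
        return True, REGISTERED_VLAN, f"registered to {owner} until {expires}"


def build_sample_registry():
    """Constructed data: one current, one expired and one blacklisted device."""
    reg = MabRegistry(today=date(2013, 1, 10))
    reg.register("00:11:22:33:44:55", "student-a")                      # help-desk default window
    reg.register("00-11-22-33-44-66", "student-b", registered_on=date(2012, 6, 1))
    reg.block("0011.2233.4477", "contact the Help Desk (ticket 1234)")  # placeholder reason
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for mac in ("0011.2233.4455", "001122334466", "00:11:22:33:44:77", "aa:bb:cc:dd:ee:ff"):
        print(mac, reg.decide(mac, mac, mac))
```

The caveat that goes with any MAB deployment: the switch is authenticating a NIC, not a person, and a MAC address is trivially cloned by anyone who can see it on the wire, which is why a registration database is usually paired with the kind of traffic sensors Michael mentions rather than relied on alone.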

 

Message from boschetm@ipfw.edu

There is. Guest Registration has options for no sponsorship, optional sponsorship, and required sponsorship. Our guest system predates the guest system in Enterasys' NAC, so we have some different functionality. That is the main thing slowing us down from turning on the registration process: do we want to standardize on doing things their way or stay with our current process? We are not entirely happy with ours, so I want to do some in-depth analysis before I change anything. We are currently using the authenticated registration process in the NAC with our guest system. So I'm at that fun stage of trying to improve the system without breaking what is already working.

We currently use a combination of switch policies and policy based routing to allow the student to self-provision their accounts. Currently our guests are not allowed to self-provision as they have to show someone their ID.



Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747

>>> Lee H Badman <lhbadman@SYR.EDU> 01/10/13 12:16 PM >>>

If I’m not mistaken, there is no allowance for true self-provisioning on the guest process?

 

(OK, hijack alert)

We’ve been thinking about using the network drop label/port alias to help with E911 when we move to VoIP (very likely Lync). Is there a way, using say LLDP-MED, to communicate that to the phone, which can communicate its location to a server? It would also assume that you have a good database of where all of your network drops are located, and I dread the thought of attempting to keep all of this accurate and up-to-date with the amount of renovations etc. that we do, but I am curious about the possibilities. We are only legally bound to provide the building location, which is what is done now.

Pete Morrissey

 

What do you use to handle the OS fingerprinting?

Joe Marentette
Network Engineer
Washington University in St. Louis
Network Services & Support
314-935-7031
jmarentette@wustl.edu

Message from boschetm@ipfw.edu

The Enterasys NAC does OS fingerprinting natively, but I've added nmap to it.


Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747


How are you dealing with cached passwords in the 1x fabric? Windows doesn't seem to honor its own setting to prompt for a password on reboot. Instead, it seems to only cache, which leads to a lot of locked AD accounts when the password is reset or expires.

-Brian
Message from iam@st-andrews.ac.uk

We've only had a short deployment of cloudpath, someone sold it to our management as a silver bullet. It's not a silver bullet. We use native platform profiles nowadays for dot1x, and cloudpath's been relegated to doing 'macs that are too old to use mobileconfig', which effectively means we'll drop it at the end of this academic year. The only platform that's still really annoying us with no 'download this file & it contains config & certificates and it'll make you a connection profile' support is Android. (if anyone knows any different, let me know). Win Phone 8 looks like it's going to be a pita, it doesn't support eap-tls or eap-ttls/pap (nor much else by way of eap types). Thanks -- ian
Message from a.cudbardb@freeradius.org

On 12 Jan 2013, at 10:02, Ian McDonald wrote:
> We've only had a short deployment of cloudpath, someone sold it to our management as a silver bullet. It's not a silver bullet. We use native platform profiles nowadays for dot1x, and cloudpath's been relegated to doing 'macs that are too old to use mobileconfig', which effectively means we'll drop it at the end of this academic year.

It was very useful around the time of Windows XP and Vista, but yes, the various operating system vendors do seem to have caught up.

> The only platform that's still really annoying us with no 'download this file & it contains config & certificates and it'll make you a connection profile' support is Android. (if anyone knows any different, let me know).
>
> Win Phone 8 looks like it's going to be a pita, it doesn't support eap-tls or eap-ttls/pap (nor much else by way of eap types).

Brilliant :/

-Arran
I could be wrong about this, but although MS and Apple do a decent job negotiating the 1x settings, they don't seem to validate the certificate, which would protect someone from a man-in-the-middle attack.

Pete Morrissey
Windows 7 and Windows 8 will prompt you to accept the new certificate if it changes (Terminate / Continue box). OS X prompts you to trust the cert on initial connection, but I have not seen it ask again if a new cert is presented.

Tim

Tim Cappalli, ACMP, CCNA
Network Engineer, Networks and Systems
Brandeis University
(617) 701-7149
cappalli@brandeis.edu

We got seriously burned 3 years ago when trying to implement 802.1X on Cisco 2950s and 4506s for our student population. We had to touch every machine to set them up for 802.1X even though we had Cloudpath, and even then machines kept coming back to us. We would get it going, but then the computer would go to sleep and not get back on, or the user would change their password and then be locked out. After countless packet captures we determined that the Cisco gear was sending the EAPOL packet to set the whole thing off but the clients wouldn't respond. When they did respond we could see the RADIUS packet leave the switch and the ack come back and all was well, but the supplicants would fail on a regular basis and the machines would come back to us. To us it was clear that 802.1X was not ready for prime time, at least not on the wired side of consumer OSs like any Apple device, Vista etc. Apple isn't ready on wired or wireless as far as I'm concerned with their not being willing to deal with the password change issue. With Apple you have to blow away your keychain when your password changes if you are caching.

The reason we were trying 802.1X is that Cisco only offered a partial 802.1X feature set. They did not offer MAC-Auth-Bypass, a feature required by our NAC, also Enterasys. Basically if a machine cannot handle 802.1X the switch passes the machine's MAC address instead to NAC for authentication. If that feature is not present then full-blown 802.1X is the only other option.

We ended up pulling the plug on NAC that year and bought an Enterasys switch the next year and uplinked all of the dorms to that for an upstream authentication and assessment point. Then the next year we replaced all of the Cisco stuff with Enterasys and wired NAC in the res halls has been great ever since. I use the term "great" loosely as NAC is a bugger to manage even on its best day.

As for 802.1X on student machines on the wired side... worst week of my life, hands down. I shiver at the thought of trying that again. I would go very slowly. I would not try this during a break campus-wide while students are gone and hope that all goes well when the students return.

John Kaftan
IT Infrastructure Manager
Utica College
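The failure John describes (the switch sends EAPOL, the client never answers) has a definite shape in a capture: EAP-Request/Identity frames from the authenticator with no EAP-Response behind them, as opposed to a port that answers and then gets an EAP-Failure from RADIUS. Added example (the editor's, not John's captures or any vendor's tool): a minimal EAPOL/EAP frame parser in Python with a per-port triage that separates the three cases. The sample capture, MAC addresses, port names and identities are constructed for the example.

```python
"""Triage 802.1X (EAPOL) captures port by port: who authenticated, who failed,
and which ports have a switch asking for an identity that nobody answers.

Added example, not from the thread.  Frame layout follows IEEE 802.1X / RFC 3748:
Ethernet header, EAPOL header (version, type, length), then an EAP packet.
The sample capture, MACs, port names and identities are constructed here.
"""
import struct
from collections import defaultdict

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) type-data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(dst, src, eapol_type, body=b""):
    """Ethernet header + EAPOL header (protocol version 2) + optional EAP body."""
    return (dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 2, eapol_type, len(body)) + body)


def parse_frame(raw):
    """Describe one EAPOL frame as a dict; None if the frame is not EAPOL."""
    if len(raw) < 18 or struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, length = struct.unpack("!BBH", raw[14:18])
    frame = {"dst": raw[:6], "src": raw[6:12], "eapol_type": eapol_type}
    body = raw[18:18 + length]
    if eapol_type == EAPOL_EAP_PACKET and len(body) >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        frame.update(code=code, id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE) and len(body) >= 5 and eap_len >= 5:
            frame["type"] = body[4]
            frame["data"] = body[5:eap_len]
    return frame


def analyze(capture):
    """capture: iterable of (port, raw_frame) in time order.  Returns {port: verdict}."""
    verdict = {}
    unanswered = defaultdict(set)   # port -> EAP ids of Request/Identity with no Response
    for port, raw in capture:
        frame = parse_frame(raw)
        if frame is None or port in verdict:
            continue
        code = frame.get("code")
        if code == EAP_REQUEST and frame.get("type") == EAP_TYPE_IDENTITY:
            unanswered[port].add(frame["id"])
        elif code == EAP_RESPONSE:
            unanswered[port].discard(frame["id"])
        elif code == EAP_SUCCESS:
            verdict[port] = "authenticated"
        elif code == EAP_FAILURE:
            verdict[port] = "failed"          # supplicant answered, server said no
    for port, ids in unanswered.items():
        # one missed request is normal retransmission noise; repeated misses mean a silent supplicant
        if port not in verdict and len(ids) >= 2:
            verdict[port] = f"supplicant silent: {len(ids)} unanswered EAP-Request/Identity"
    return verdict


# ---- constructed sample capture ----------------------------------------
SWITCH = bytes.fromhex("0011aa000001")     # authenticator MAC (assumed)
PC_OK = bytes.fromhex("0011bb000001")      # supplicant that authenticates (assumed)
PC_FAIL = bytes.fromhex("0011bb000003")    # supplicant that is rejected (assumed)


def _request_identity(ident):
    return build_eapol(PAE_GROUP_ADDR, SWITCH, EAPOL_EAP_PACKET,
                       build_eap(EAP_REQUEST, ident, EAP_TYPE_IDENTITY))


def _response_identity(src, ident, identity):
    return build_eapol(PAE_GROUP_ADDR, src, EAPOL_EAP_PACKET,
                       build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity))


SAMPLE_CAPTURE = [
    ("Gi1/0/1", _request_identity(1)),                            # healthy exchange
    ("Gi1/0/1", _response_identity(PC_OK, 1, b"student@example.edu")),
    ("Gi1/0/1", build_eapol(PC_OK, SWITCH, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 2))),
    ("Gi1/0/2", _request_identity(1)),                            # switch asks, nobody answers
    ("Gi1/0/2", _request_identity(2)),
    ("Gi1/0/2", _request_identity(3)),
    ("Gi1/0/3", build_eapol(PAE_GROUP_ADDR, PC_FAIL, EAPOL_START)),   # answers, then rejected
    ("Gi1/0/3", _request_identity(1)),
    ("Gi1/0/3", _response_identity(PC_FAIL, 1, b"alice")),
    ("Gi1/0/3", build_eapol(PC_FAIL, SWITCH, EAPOL_EAP_PACKET, build_eap(EAP_FAILURE, 2))),
]

if __name__ == "__main__":
    for port, why in sorted(analyze(SAMPLE_CAPTURE).items()):
        print(port, why)
```

The distinction matters for where you look next: a "failed" port is a RADIUS or credential problem (the locked-out-after-password-change case), while a "supplicant silent" port is the client side (service not running, wired profile never applied, NIC asleep), and no amount of work on the authentication server will change it.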


We verified the vulnerability by performing the actual MITM attack due to lack of cert checking and our ISO escalated to both vendors about two years ago but got zero response.  That was a while back, we have not taken the time to check the latest OSX/Windows operating systems for behavior.  


-William


Message from boschetm@ipfw.edu

They do validate the certificate. But, at least on the Windows side, you can turn off validation. We don't rely on 802.1X alone for security. I have an array of sensors watching what is happening. I am a bit paranoid about man-in-the-middle attacks, so I have the sensitivity of our sensor turned up and the system alerts me if it suspects anything.

Sent from my Verizon Wireless 4G LTE DROID
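Whether the supplicant checks the RADIUS server's certificate is a per-profile setting, and on every common platform it can be switched off, which is the gap Pete, William and Michael are circling: a profile that connects fine is no evidence that it validates anything, since a rogue authenticator completes the same exchange. Added example (the editor's, not from the thread): a Python audit of wpa_supplicant network blocks that flags the two settings a PEAP/TTLS profile needs, a pinned CA and a server-name match, and points out what MSCHAPv2 hands over when they are missing. The two configuration blocks are constructed; the option names are wpa_supplicant's own, while the paths, identities and server name are placeholders.

```python
"""Audit wpa_supplicant network blocks for EAP server-certificate validation.

Added example, not from the thread.  The configuration text is constructed:
block 1 is the 'connects fine but trusts any RADIUS server' shape, block 2
pins the CA and the server name.  Option names (eap, ca_cert, ca_path,
domain_match, domain_suffix_match, altsubject_match, subject_match, phase2)
are wpa_supplicant's own; paths, identities and names are placeholders.
"""
import re

TLS_BASED_EAP = {"PEAP", "TTLS", "TLS", "FAST"}
NAME_CHECK_KEYS = ("domain_match", "domain_suffix_match",
                   "altsubject_match", "subject_match")

CONSTRUCTED_CONF = r'''
# wired 802.1X (wpa_supplicant -Dwired, ap_scan=0): no ssid line needed
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="student@example.edu"
    password="REDACTED"
    phase2="auth=MSCHAPV2"
}

network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="student@example.edu"
    password="REDACTED"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
'''


def parse_network_blocks(text):
    """Return one {option: value} dict per network={...} block (quotes stripped)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        options = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments (values here contain no '#')
            if "=" in line:
                key, value = line.split("=", 1)
                options[key.strip()] = value.strip().strip('"')
        blocks.append(options)
    return blocks


def audit_block(options):
    """Findings for one block; an empty list means the server is actually checked."""
    eap = options.get("eap", "").upper()
    findings = []
    if eap not in TLS_BASED_EAP:
        return findings                                   # no TLS tunnel to validate
    if not (options.get("ca_cert") or options.get("ca_path")):
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(key in options for key in NAME_CHECK_KEYS):
        findings.append("no server-name match: any certificate from a trusted CA is accepted")
    if findings and eap in {"PEAP", "TTLS"} and "MSCHAPV2" in options.get("phase2", "").upper():
        findings.append("MSCHAPv2 inside an unverified tunnel hands the challenge/response to a rogue server")
    return findings


def audit(text):
    return [audit_block(block) for block in parse_network_blocks(text)]


if __name__ == "__main__":
    for n, findings in enumerate(audit(CONSTRUCTED_CONF), 1):
        print(f"network block {n}:", findings or ["OK"])
```

The same two knobs exist on Windows (the PEAP properties' "Validate server certificate" plus the list of server names it must match) and in an OS X configuration profile; the audit logic is the same regardless of where the profile lives. The second finding is the one most deployments miss: trusting a public CA without a name constraint means any certificate that CA has ever issued will do.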



Message from iam@st-andrews.ac.uk

Needing connectivity to set up your connectivity is a fail in my book. -- ian
On 1/13/2013 3:57 PM, Ian McDonald wrote:
> Needing connectivity to set up your connectivity is a fail in my book.

We run a "setup" SSID which is open and plaintext and has a captive portal webpage for XpressConnect. After XpressConnect runs, you have our authentication servers' certificates installed (works on our WPA2 secured SSID as well as eduroam), the setup SSID is removed from connection preferences, and the secure SSID pushed for preferred / automatic. So no, it's not a catch-22, unless it's one of those users with their wireless adapter turned off or disabled :)

Jeff
Message from iam@st-andrews.ac.uk

As do we, but if you need to allow internet access from there to google's store, where does it end?
On 1/13/2013 4:09 PM, Ian McDonald wrote:
> As do we, but if you need to allow internet access from there to google's store, where does it end?

There are a "number of provisions" that must be made these days, and they are increasing. Windows has their "connectivity status" site. Apple has a "connectivity status" site. There's the Google store. There's the Amazon store. I suspect there's a Nook store. Kindle Fire HD's new Silk browser, with "acceleration" enabled, attempts to use cloud proxy servers... pages will load blank if they can't reach the cloud, or you don't disable acceleration on the browser. We grab DNS, and only forward the valid sites for resolution, returning the portal IP for others. Somewhat kludgy, but better than trying to maintain a list of valid destination IPs for all the content-delivery-network-based targets. Just part of the never-ending cat and mouse games we have to play with all the new devices :(

Jeff
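Added example (the editor's, not Jeff's resolver): the DNS half of that onboarding setup in Python. It parses the query, lets allow-listed names through on a label boundary (so a look-alike such as evilgstatic.com does not ride on gstatic.com), and synthesizes an A answer pointing at the portal for everything else. The allow-list, portal address and sample queries are constructed placeholders, and relaying allowed queries to a real resolver is left as a hook; the function only returns the decision.

```python
"""DNS walled garden for an onboarding SSID: allow-listed names are forwarded,
everything else gets an A record pointing at the captive portal.

Added example, not from the thread.  Wire format per RFC 1035.  PORTAL_IP,
ALLOWED_SUFFIXES and the sample queries are constructed; forwarding to a
real resolver is left as a hook (handle() only returns the decision).
"""
import struct

PORTAL_IP = "10.20.0.1"                           # assumed captive-portal address
ALLOWED_SUFFIXES = (                              # assumed onboarding allow-list
    "msftconnecttest.com", "captive.apple.com", "play.google.com",
    "googleapis.com", "gstatic.com", "onboard.example.edu",
)
QTYPE_A, QTYPE_AAAA = 1, 28


def name_allowed(qname, allowed=ALLOWED_SUFFIXES):
    """Suffix match on a label boundary: 'evilgstatic.com' must not pass for 'gstatic.com'."""
    qname = qname.rstrip(".").lower()
    return any(qname == s or qname.endswith("." + s) for s in allowed)


def parse_query(packet):
    """Return (txid, qname, qtype, question_end) for a single-question query."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def build_query(txid, qname, qtype=QTYPE_A):
    """Encode a recursive query; used here to construct sample input."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", qtype, 1)


def portal_answer(query, ip=PORTAL_IP, ttl=30):
    """Response that copies the question back and answers A with the portal address.

    Non-A questions (AAAA etc.) get NOERROR with no records so the client falls
    back to the A answer instead of caching a bogus record.
    """
    txid, _qname, qtype, end = parse_query(query)
    answers = []
    if qtype == QTYPE_A:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers.append(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, len(rdata)) + rdata)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR, RD, RA, NOERROR
    return header + query[12:end] + b"".join(answers)


def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]


def handle(query):
    """('forward', qname) for allow-listed names, else ('portal', response_bytes)."""
    _txid, qname, _qtype, _end = parse_query(query)
    if name_allowed(qname):
        return "forward", qname          # hook: relay to the real resolver
    return "portal", portal_answer(query)


if __name__ == "__main__":
    for name in ("play.google.com", "fonts.gstatic.com", "evilgstatic.com", "www.example.org"):
        kind, payload = handle(build_query(0x1234, name))
        print(name, kind, payload if kind == "forward" else payload.hex())
```

The short TTL is deliberate: once the client has its profile and moves to the secure SSID, a long-cached portal record for whatever it looked up during onboarding would keep breaking that name, and the help desk would see it as "802.1X broke my browser".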
Wondering if anyone has implemented wired 802.1x as a form of NAC, and if you could briefly describe how you’re using it. Also, would be interested in the administrative burden you feel it either adds or removes.
 
Thanks-
 
Lee Badman
Network Architect
Syracuse University
 
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

We're looking at it, we recently implemented 802.1x on wireless to allow for a more secure network connection and to remove the need for devices to constantly log in, we've been using Juniper UAC with Odyssey Client and Captive Portal. 

David R.
On 1/9/2013 2:47 PM, Lee H Badman wrote:
Wondering if anyone has implemented wired 802.1x as a form of NAC, and if you could briefly describe how you’re using it. Also, would be interested in the administrative burden you feel it either adds or removes.
 
Thanks-
 
Lee Badman
Network Architect
Syracuse University
 
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


-- David Robertson Service Delivery Manager Network Engineering Technology George Mason University Voice: 703-993-2443 Fax: 703-993-3505 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

We implemented a system 7-years ago.  Let me preface it by saying the University Medical School falls under the main University of Hawaii Campus, that falls under the UH System.  The University System and our Medical School department are developing updated IT policies.  BYOD is allowed for "work-use" with proper authorization.  We do not run a Hospital and our main facility only supports academic and research environments.   (wired 802.1x only used in limited non-confidential information environments)

We use Cisco ACS as our authentication server with dynamic firewalled intranet vlans, and 802.1x through Cisco VoIP.  Since the University System uses general LDAP(SHA) for Faculty/Staff/Students/Affiliates we couldn't use the System for authentication due to various reasons.  We ran into challenges trying to achieve "single sign-on" due to incompatible stored hashes at System level(generic LDAP), Cisco ACS, Mcrosoft AD, Apple, and various built-in OS supplicant support.  In 2004-2005, wired 802.1x compatibility and functionality needed to mature and was an interesting solution in a public university environment.   In the end, we used local authentication in ACS with Funk Software Odyssey Client, now Juniper OAC, using a common protocol.  We have not integrated 802.1x into domain workstations due to lack of various support resources.

It has been an administrative challenge for hardened devices, multi-user workstations, and "OSI layer 8".  The implementation of the wired 802.1x was a design spec for the new facilities being constructed at the time.  8-years later, we are looking to discontinue wired 802.1x and requiring domain configurations for work related devices that need access to our services/servers.  Generally speaking, the administration is looking at more convenient network access within the protected intranet.  Comprehensive policies would have helped tremendously, however, "OSI layer 8" is typically the major challenge.  Next being competing technologies/services and lack of global standard support within the various platforms.

-Lionel

Lionel Shigemura
Office of Info. Tech.
UH - John A. Burns School of Medicine
(808) 692-1101 voice
(808) 692-1263 fax





On 1/9/2013 10:23 AM, David Robertson wrote:
We're looking at it, we recently implemented 802.1x on wireless to allow for a more secure network connection and to remove the need for devices to constantly log in, we've been using Juniper UAC with Odyssey Client and Captive Portal. 

David R.
On 1/9/2013 2:47 PM, Lee H Badman wrote:
Wondering if anyone has implemented wired 802.1x as a form of NAC, and if you could briefly describe how you’re using it. Also, would be interested in the administrative burden you feel it either adds or removes.
 
Thanks-
 
Lee Badman
Network Architect
Syracuse University
 
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


-- David Robertson Service Delivery Manager Network Engineering Technology George Mason University Voice: 703-993-2443 Fax: 703-993-3505 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Message from boschetm@ipfw.edu

We have used 802.1x in our Student Housing since 2004. We use it the same way as we use 802.1x on wireless. Students can't get on the network without their username and password. We have since added Enterasys'  NAC to that setup to give us a little more control. For the most part there is almost no administrative burden and we don't have to worry about dealing with machine registration. We also implemented a guest process for when we have non-students in housing. That requires a little work from our Help Desk. We also use the policy features from Enterasys to customize the access given to users when they login. 802.1x has made it very nice when we have to track down someone who is misbehaving. Also when we need to kick them off the network we can enter a reason into the NAC which is displayed to the user if they open a web browser.
Let me know if you would like any more details.



Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747

>>> Lee H Badman <lhbadman@SYR.EDU> 01/09/13 2:47 PM >>>
Wondering if anyone has implemented wired 802.1x as a form of NAC, and if you could briefly describe how you’re using it. Also, would be interested in the administrative burden you feel it either adds or removes.
 
Thanks-
 
Lee Badman
Network Architect
Syracuse University
 
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

We are looking it using 802.1x for next year to replace our Cisco NAC. Actually 802.1x is the direction Cisco is moving toward for their NAC product. The ISE server replaces the ACS and the Clean Access solution. It's an authentication server with a bunch of other useful features built into it. We're in the very early stage of trialing it and so far it looks very flexible. Some of the features it has is onboarding of client devices and OS identification. I believe you can trial it free from their site.

http://www.cisco.com/en/US/products/ps11640/index.html


On 1/9/2013 2:47 PM, Lee H Badman wrote:
Wondering if anyone has implemented wired 802.1x as a form of NAC, and if you could briefly describe how you’re using it. Also, would be interested in the administrative burden you feel it either adds or removes.
 
Thanks-
 
Lee Badman
Network Architect
Syracuse University
 


--
Vlade Ristevski
Network Manager
IT Services
Ramapo College
(201)-684-6854

How do you handle student devices that don’t support 802.1X?  I’m thinking along the lines of Xbox, Playstation, Slingbox, etc. 

 

Andy Poirier

Network Administrator

North Central University

612-343-4758

 

Message from boschetm@ipfw.edu

We authenticate them via OS fingerprint. All of our switches have the network drop label assigned as a port alias. For the ones connected wireless we have enough sensors to locate them. If we notice any suspicious activity from them we try to contact the user and blacklist the device. On the occasions where we couldn't determine who the user was, the blacklisting caused them to call the Help Desk. So problems get straightened out right away. We can also do registrations with the system but we haven't done that yet. I'm sure if we have any issues that will move to the top of my project list.

For things like phones, TVs, etc. that aren't allowed by OS fingerprint there is a guest registration process. They have to present an ID to our Help Desk. But we haven't had too many of those each semester. Our Help Desk can authorize the device for 6 months if I remember correctly.


Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747

>>> Andy Poirier <atpoirie@NORTHCENTRAL.EDU> 01/10/13 10:55 AM >>>

How do you handle student devices that don’t support 802.1X?  I’m thinking along the lines of Xbox, Playstation, Slingbox, etc. 

 

Andy Poirier

Network Administrator

North Central University

612-343-4758

 

If I’m not mistaken, there is no allowance for true self-provisioning on the guest process?

 

In general Cisco handles this with either web-auth or mac-address bypass:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html

In our case, I think we would have the students register their Xboxes and put the MAC addresses in the MAB database.

I believe other vendors have some version of MAB in one form or another.

 
On 1/10/2013 10:31 AM, Andy Poirier wrote:

How do you handle student devices that don’t support 802.1X?  I’m thinking along the lines of Xbox, Playstation, Slingbox, etc. 

 

Andy Poirier

Network Administrator

North Central University

612-343-4758
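The admission flow Michael describes earlier in the thread (OS-fingerprint allow-list, Help Desk registration that expires, blacklisting with a reason the portal displays) and the MAB fallback Vlade points to, written out as an added example. This is not code from the thread, from Enterasys' NAC or from Cisco; the registration table, blacklist, fingerprint labels, policy names and six-month lifetime are constructed sample data and assumptions.

```python
"""Port-access decision after 802.1X fails and MAB takes over.

Added example (not code from the thread or from any vendor's NAC). A device
is let in by an OS-fingerprint allow-list, by an unexpired Help Desk
registration keyed on its MAC address, or it lands on the guest portal; a
blacklisted device is quarantined and the portal shows the reason.
All tables below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

REGISTRATION_LIFETIME = timedelta(days=182)   # assumed: Help Desk approval lasts six months
FINGERPRINT_ALLOWED = {"xbox", "playstation", "slingbox"}  # assumed fingerprint labels
TODAY = date(2013, 1, 10)                     # fixed clock so the sample data is reproducible


class Decision(Enum):
    ACCEPT_DOT1X = "accept-dot1x"             # user authenticated with 802.1X
    ACCEPT_FINGERPRINT = "accept-mab-fp"      # MAB, fingerprint on the allow-list
    ACCEPT_REGISTERED = "accept-mab-reg"      # MAB, unexpired Help Desk registration
    QUARANTINE = "quarantine"                 # blacklisted; portal shows the reason
    PORTAL = "portal"                         # unknown or expired; guest registration portal


@dataclass(frozen=True)
class Registration:
    owner: str
    approved_on: date

    def expires_on(self) -> date:
        return self.approved_on + REGISTRATION_LIFETIME


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    policy: str           # switch policy / VLAN name to return in the RADIUS reply
    message: str = ""     # text the captive portal shows the user


# Constructed sample tables (keys are normalised MACs)
REGISTRATIONS = {
    "AA:BB:CC:00:11:22": Registration("sample-student-1", date(2012, 9, 1)),
    "AA:BB:CC:33:44:55": Registration("sample-student-2", date(2012, 2, 1)),
}
BLACKLIST = {"AA:BB:CC:66:77:88": "Abuse report received; call the Help Desk"}


def normalize_mac(raw: str) -> str:
    """Canonicalise the MAC spellings different switches send as the MAB User-Name
    (aabbccddeeff, aabb.ccdd.eeff, aa-bb-cc-dd-ee-ff, AA:BB:CC:DD:EE:FF)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize_port(*, dot1x_user: str | None, mac: str, fingerprint: str | None,
                   registrations: dict[str, Registration], blacklist: dict[str, str],
                   today: date) -> Verdict:
    """Evaluate in a fixed order: blacklist, 802.1X, fingerprint, registration, portal.

    The blacklist comes first so a good fingerprint or an old registration can
    never rescue a device that was deliberately kicked off.
    """
    mac = normalize_mac(mac)
    if mac in blacklist:
        return Verdict(Decision.QUARANTINE, "quarantine", blacklist[mac])
    if dot1x_user:
        return Verdict(Decision.ACCEPT_DOT1X, "student")
    # From here on the only identity is the MAC, which is trivially settable on
    # a host, so MAB outcomes get restricted policies rather than the student policy.
    if fingerprint and fingerprint.lower() in FINGERPRINT_ALLOWED:
        return Verdict(Decision.ACCEPT_FINGERPRINT, "console")
    reg = registrations.get(mac)
    if reg is None:
        return Verdict(Decision.PORTAL, "guest-portal",
                       "Unknown device: register it at the Help Desk")
    if today > reg.expires_on():
        return Verdict(Decision.PORTAL, "guest-portal",
                       f"Registration for {reg.owner} expired {reg.expires_on():%Y-%m-%d}; "
                       "renew it at the Help Desk")
    return Verdict(Decision.ACCEPT_REGISTERED, "registered-device")


def run_examples() -> dict[str, str]:
    """Run the policy over constructed devices; returns the decision name per case."""
    cases = {
        "student-dot1x": dict(dot1x_user="student1", mac="00:11:22:33:44:55", fingerprint=None),
        "xbox-fingerprint": dict(dot1x_user=None, mac="0011.2233.4466", fingerprint="Xbox"),
        "registered-tv": dict(dot1x_user=None, mac="aabbcc001122", fingerprint="Smart TV"),
        "expired-tv": dict(dot1x_user=None, mac="aa-bb-cc-33-44-55", fingerprint="Smart TV"),
        "blacklisted-xbox": dict(dot1x_user=None, mac="AABBCC667788", fingerprint="Xbox"),
        "unknown": dict(dot1x_user=None, mac="de:ad:be:ef:00:01", fingerprint=None),
    }
    return {name: authorize_port(**kw, registrations=REGISTRATIONS, blacklist=BLACKLIST,
                                 today=TODAY).decision.value for name, kw in cases.items()}


if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(f"{name:18} -> {decision}")
```

Two points in this are the ones worth carrying into a real deployment. The evaluation order is fixed so that the blacklist wins over everything, and every MAB outcome maps to a restricted policy rather than the student policy, because a MAC address is the only identity MAB has. The normaliser matters because switches differ in how they spell the MAC in the MAB User-Name (bare twelve hex digits, dotted, dashed or colon-separated); a registration database keyed on one spelling silently sends every other switch's devices to the portal.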

 

Message from boschetm@ipfw.edu

There is. Guest Registration has options for no sponsorship, optional sponsorship, and required sponsorship. Our guest system predates the guest system in Enterasys' NAC, so we have some different functionality. That is the main thing slowing us down from turning on the registration process. Do we want to standardize on doing things their way or stay with our current process? We are not entirely happy with ours. So I want to do some in-depth analysis before I change anything. We are currently using the authenticated registration process in the NAC with our guest system. So I'm at that fun stage of trying to improve the system without breaking what is already working.

We currently use a combination of switch policies and policy based routing to allow the student to self-provision their accounts. Currently our guests are not allowed to self-provision as they have to show someone their ID.



Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747

>>> Lee H Badman <lhbadman@SYR.EDU> 01/10/13 12:16 PM >>>

If I’m not mistaken, there is no allowance for true self-provisioning on the guest process?

 

(OK, hijack alert)

We’ve been thinking about using the network drop label/port alias to help with e911 when we move to VoIP (very likely Lync). Is there a way, using say LLDP-MED, to communicate that to the phone, which can communicate its location to a server? It would also assume that you have a good database of where all of your network drops are located, and I dread the thought of attempting to keep all of this accurate and up-to-date with the amount of renovations etc. that we do, but I am curious about the possibilities. We are only legally bound to provide the building location, which is what is done now.

Pete Morrissey
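Pete's question, worked as an added example that is not code from the thread, from Lync or from any switch vendor: it takes the drop label a switch carries as a port alias, looks it up in a drop database (constructed sample data with assumed field names), and encodes the result as the LLDP-MED Location Identification TLV a phone reads to learn its location (TLV type 127, TIA OUI 00-12-BB, subtype 3 per TIA-1057), in both the civic-address format (element types from RFC 4776) and the ECS ELIN format, with a strict decoder for the phone side.

```python
"""LLDP-MED Location Identification TLV built from a switch-port drop label.

Added example (not code from the thread or from any vendor). The drop label
that a switch keeps as a port alias is looked up in a drop database and
encoded as the TLV an LLDP-MED phone reads for its location: TLV type 127,
TIA OUI 00-12-BB, subtype 3, with the civic-address location format (2,
RFC 4776 element types) or the ECS ELIN format (3). DROPS is constructed
sample data; the field names are assumptions.
"""
import struct
from dataclasses import dataclass, field

LLDP_TLV_ORG_SPECIFIC = 127   # TLV type reserved for organisationally specific TLVs
TIA_OUI = b"\x00\x12\xbb"     # TIA OUI used by all LLDP-MED TLVs
MED_LOCATION_ID = 3           # LLDP-MED subtype: Location Identification
LOC_FMT_CIVIC = 2             # civic address LCI
LOC_FMT_ELIN = 3              # ECS ELIN: 10-25 digit emergency location number
WHAT_CLIENT = 2               # RFC 4776 'what' octet: the address is the client's own

# RFC 4776 civic address element types used here (name -> CAtype)
CA_TYPES = {"city": 3, "house_number": 19, "building": 25, "floor": 27, "room": 28, "road": 34}
CA_NAMES = {catype: name for name, catype in CA_TYPES.items()}

# Constructed drop database keyed by the port alias (drop label) on the switch
DROPS = {
    "B12-204-A": {"country": "US", "city": "Sampletown", "house_number": "100",
                  "road": "University Ave", "building": "B12", "floor": "2",
                  "room": "204", "elin": "5551230204"},
}


@dataclass(frozen=True)
class MedLocation:
    fmt: int
    civic: dict = field(default_factory=dict)   # element name -> value, plus 'country'
    elin: str = ""


def _civic_location_id(drop: dict) -> bytes:
    """what + 2-letter country + (CAtype, CAlength, CAvalue)* behind a one-octet LCI length."""
    lci = bytes([WHAT_CLIENT]) + drop["country"].encode("ascii")
    for name, catype in CA_TYPES.items():
        if name in drop:
            value = drop[name].encode("utf-8")
            if len(value) > 255:
                raise ValueError(f"civic element {name} too long")
            lci += bytes([catype, len(value)]) + value
    if len(lci) > 255:
        raise ValueError("civic LCI exceeds 255 octets")
    return bytes([LOC_FMT_CIVIC, len(lci)]) + lci


def _elin_location_id(elin: str) -> bytes:
    if not (elin.isdigit() and 10 <= len(elin) <= 25):
        raise ValueError("ELIN must be 10 to 25 decimal digits")
    return bytes([LOC_FMT_ELIN]) + elin.encode("ascii")


def build_location_tlv(port_alias: str, fmt: int = LOC_FMT_CIVIC) -> bytes:
    """Encode the location of the drop behind `port_alias` as a complete LLDP TLV."""
    drop = DROPS[port_alias]   # an alias the drop database does not know raises KeyError:
                               # that, not the encoding, is the real operational failure mode
    location_id = (_civic_location_id(drop) if fmt == LOC_FMT_CIVIC
                   else _elin_location_id(drop["elin"]))
    info = TIA_OUI + bytes([MED_LOCATION_ID]) + location_id
    header = (LLDP_TLV_ORG_SPECIFIC << 9) | len(info)   # 7-bit type, 9-bit length
    return struct.pack("!H", header) + info


def parse_location_tlv(tlv: bytes) -> MedLocation:
    """Decode a Location Identification TLV as a phone would, rejecting malformed input."""
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x1FF
    info = tlv[2:2 + length]
    if tlv_type != LLDP_TLV_ORG_SPECIFIC or len(info) != length or length < 5:
        raise ValueError("not a well-formed organisationally specific TLV")
    if info[:3] != TIA_OUI or info[3] != MED_LOCATION_ID:
        raise ValueError("not an LLDP-MED Location Identification TLV")
    fmt, body = info[4], info[5:]
    if fmt == LOC_FMT_ELIN:
        elin = body.decode("ascii")
        if not (elin.isdigit() and 10 <= len(elin) <= 25):
            raise ValueError("malformed ELIN")
        return MedLocation(fmt, elin=elin)
    if fmt == LOC_FMT_CIVIC:
        if not body:
            raise ValueError("missing civic LCI length")
        lci_len = body[0]
        lci = body[1:1 + lci_len]
        if len(lci) != lci_len or lci_len < 3:
            raise ValueError("truncated civic LCI")
        civic = {"country": lci[1:3].decode("ascii")}
        i = 3
        while i < len(lci):
            if i + 2 > len(lci):
                raise ValueError("truncated CA element header")
            catype, calen = lci[i], lci[i + 1]
            value = lci[i + 2:i + 2 + calen]
            if len(value) != calen:
                raise ValueError("truncated CA element value")
            civic[CA_NAMES.get(catype, f"catype-{catype}")] = value.decode("utf-8")
            i += 2 + calen
        return MedLocation(fmt, civic=civic)
    raise ValueError(f"unsupported location data format {fmt}")
```

The lookup is the fragile part Pete is worried about: the encoder can only emit what the drop database says, so the practical control is to reject any port alias the database does not know when the port is provisioned, rather than letting a phone advertise a stale or empty location later. The decoder rejects truncated TLVs, short civic records and malformed ELINs because the phone, not the switch, is the party that ends up trusting this data.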

 

What do you use to handle the OS fingerprinting?

Joe Marentette
Network Engineer
Washington University in St. Louis
Network Services & Support
314-935-7031
jmarentette@wustl.edu

On 1/10/13 10:15 AM, Michael Boschet wrote:
We authenticate them via OS fingerprint. All of our switches have the network drop label assigned as a port alias. For the ones connected wireless we have enough sensors to locate them. If we notice any suspicious activity from them we try to contact the user and blacklist the device. On the occasions where we couldn't determine who the user was, the blacklisting caused them to call the Help Desk. So problems get straightened out right away. We can also do registrations with the system but we haven't done that yet. I'm sure if we have any issues that will move to the top of my project list.

For things like phones, TVs, etc. that aren't allowed by OS fingerprint there is a guest registration process. They have to present an ID to our Help Desk. But we haven't had too many of those each semester. Our Help Desk can authorize the device for 6 months if I remember correctly.


Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747

>>> Andy Poirier <atpoirie@NORTHCENTRAL.EDU> 01/10/13 10:55 AM >>>

How do you handle student devices that don’t support 802.1X?  I’m thinking along the lines of Xbox, Playstation, Slingbox, etc. 

 

Andy Poirier

Network Administrator

North Central University

612-343-4758

 

Message from boschetm@ipfw.edu

The Enterasys NAC does OS fingerprinting natively, but I've added nmap to it.


Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747

>>> Joe Marentette <jmarentette@WUSTL.EDU> 01/11/13 9:43 AM >>>
What do you use to handle the OS fingerprinting?

Joe Marentette
Network Engineer
Washington University in St. Louis
Network Services & Support
314-935-7031
jmarentette@wustl.edu

On 1/10/13 10:15 AM, Michael Boschet wrote:
We authenticate them via OS fingerprint. All of our switches have the network drop label assigned as a port alias. For the ones connected wireless we have enough sensors to locate them. If we notice any suspicious activity from them we try to contact the user and blacklist the device. On the occasions where we couldn't determine who the user was, the blacklisting caused them to call the Help Desk. So problems get straightened out right away. We can also do registrations with the system but we haven't done that yet. I'm sure if we have any issues that will move to the top of my project list.

For things like phones, TVs, etc. that aren't allowed by OS fingerprint there is a guest registration process. They have to present an ID to our Help Desk. But we haven't had too many of those each semester. Our Help Desk can authorize the device for 6 months if I remember correctly.


Michael Boschet, Jr.
Senior Network Systems Administrator
Indiana Purdue Fort Wayne
boschetm@ipfw.edu
Office:  (260) 481-5747

>>> Andy Poirier <atpoirie@NORTHCENTRAL.EDU> 01/10/13 10:55 AM >>>

How do you handle student devices that don’t support 802.1X?  I’m thinking along the lines of Xbox, Playstation, Slingbox, etc. 

 

Andy Poirier

Network Administrator

North Central University

612-343-4758

 

Message from a.cudbardb@freeradius.org

On 9 Jan 2013, at 19:47, Lee H Badman wrote:

> Wondering if anyone has implemented wired 802.1x as a form of NAC, and if you could briefly describe how you’re using it. Also, would be interested in the administrative burden you feel it either adds or removes.

Sussex started using 802.1X on the residential network in 2007. We used HP's version of MAB to present a captive portal to unregistered devices, which gave users instructions on how to configure the supplicant. Later, because of the increased load on the helpdesk, we deployed Cloudpath's xpressConnect, which is a dissolvable client that automatically configures the supplicant and ensured drivers and service packs were all up to date.

We were going to use SoH (an optional component of EAP-PEAP) to start doing posture assessment (it can report at login time on firewall/antivirus patch levels etc.), but I left before that got implemented. SoH is nice in that it only needs to be enabled, there are no additional clients to install, but also limited in that only the Windows supplicant has any kind of meaningful support.

-Arran