EAP-TNC support or any other method to enforce some security policies on client?
Hello all! I've found couple of discussions regarding implementation of EAP-TNC in FreeRADIUS (in 2008 and 2013) as well as some core here: https://github.com/trustathsh/tnc-fhh What is a current status of EAP-TNC? Is is integrated into FreeRADIUS? If so, how can I configure it? I guess that built-in TNC was abandoned. Are there any 3rd-party products (probably propriertary) which can extend my FreeRADIUS deployment with security compliance checks? I'd like to enforce specific antivirus software for some platforms, password and screen saver policies mostly for BYOD devices. Thank you. -- Bogdan Rudas Director of IT Europe Exadel Inc. http://www.exadel.com/ E-mail: brudas@exadel.com Skype ID: bogdan.rudas -- CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email.
PEAP can do this by default for various client platforms - eg Windows - when used with the SoH method. FreeRADIUS supports this (as does NPS) - you can then check antivirus, firewall, anti-malware and patching...and enforce policies (such as drop non compliant systems into a remediation network where they cant do anything other than download patches etc - FR itself doesnt do THAT bit of course, thats down to VLAN policies, firewalling and proxies etc). alan On 17 March 2018 at 19:43, Bogdan Rudas via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello all!
I've found couple of discussions regarding implementation of EAP-TNC in FreeRADIUS (in 2008 and 2013) as well as some core here: https://github.com/trustathsh/tnc-fhh
What is a current status of EAP-TNC? Is is integrated into FreeRADIUS? If so, how can I configure it? I guess that built-in TNC was abandoned. Are there any 3rd-party products (probably propriertary) which can extend my FreeRADIUS deployment with security compliance checks? I'd like to enforce specific antivirus software for some platforms, password and screen saver policies mostly for BYOD devices.
Thank you.
-- Bogdan Rudas Director of IT Europe Exadel Inc. http://www.exadel.com/ E-mail: brudas@exadel.com Skype ID: bogdan.rudas
--
CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan Buxey <alan.buxey@gmail.com>:
PEAP can do this by default for various client platforms - eg Windows - when used with the SoH method. FreeRADIUS supports this (as does NPS) - you can then check antivirus, firewall, anti-malware and patching...
...on Windows older than 10... MS removed support for SoH early in the Win10 chain. Before that happened it looked like SoH was the way forward in the NAC space and might become a de-facto standard like PEAP did, but now MS is instead pushing cloud services that babysit hosts all the way through the firmware boot process.
On Mar 17, 2018, at 7:43 PM, Bogdan Rudas via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I've found couple of discussions regarding implementation of EAP-TNC in FreeRADIUS (in 2008 and 2013) as well as some core here: https://github.com/trustathsh/tnc-fhh
What is a current status of EAP-TNC? Is is integrated into FreeRADIUS?
It's in v3. It can be configured... somehow. TBH, I haven't looked at it in years.
If so, how can I configure it? I guess that built-in TNC was abandoned.
TNC as a whole has largely been abandoned.
Are there any 3rd-party products (probably propriertary) which can extend my FreeRADIUS deployment with security compliance checks?
TNC / NAC has largely been abandoned.
I'd like to enforce specific antivirus software for some platforms, password and screen saver policies mostly for BYOD devices.
Does the OS support that enforcement? a) yes, use OS-specific tools to enforce it b) no, it's impossible, even if TNC worked. Alan DeKok.
Hi! Thank you for clarification. Since TNC ignored by Microsoft, could are there other solutions to enforce compliant and quarantine violators, agent-based solutions, MDM and so in during network authentication? On Mon, Mar 19, 2018 at 1:31 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 17, 2018, at 7:43 PM, Bogdan Rudas via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
I've found couple of discussions regarding implementation of EAP-TNC in FreeRADIUS (in 2008 and 2013) as well as some core here: https://github.com/trustathsh/tnc-fhh
What is a current status of EAP-TNC? Is is integrated into FreeRADIUS?
It's in v3. It can be configured... somehow. TBH, I haven't looked at it in years.
If so, how can I configure it? I guess that built-in TNC was abandoned.
TNC as a whole has largely been abandoned.
Are there any 3rd-party products (probably propriertary) which can extend my FreeRADIUS deployment with security compliance checks?
TNC / NAC has largely been abandoned.
I'd like to enforce specific antivirus software for some platforms, password and screen saver policies mostly for BYOD devices.
Does the OS support that enforcement?
a) yes, use OS-specific tools to enforce it
b) no, it's impossible, even if TNC worked.
Alan DeKok.
-- Bogdan Rudas Director of IT Europe Exadel Inc. http://www.exadel.com/ E-mail: brudas@exadel.com Skype ID: bogdan.rudas -- CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email.
Bogdan Rudas wrote:
Since TNC ignored by Microsoft, could are there other solutions to enforce compliant and quarantine violators, agent-based solutions, MDM and so in during network authentication?
There are scores of commercial offerings. All have their plusses and minuses. There are no clear dominant winners in this market. I'm hopeful Aruba ClearPass and its sub-tools will eventually consolidate into something a bit more usable than its current state (they are integrating their separate onboarding and posture modules more fluently into ClearPass but it seems to be taking some time to re-emerge as a well documented and supported feature set.) Android and Microsoft have been less than helpful in bringing their clients and supplicants and provisioning capabilities up to snuff in a way that helps these products do what they want to do. Apple has been a bit better at this, but could still use to do a few things. All the OS and infrastructure companies want to get you married to their own byzantine suite of products that expect you yank up whatever else you are doing and follow some one-size-fits-all network design which may or may not actually fit your business needs, but will most certainly cost you money at some point down the road. On the other hand, the third-party products and those infrastructure products that truly aim to support competitor's equipment have done nearly nothing to integrate onboarding with NAC agent installation, which is especially annoying in a college setting where just by asking students to install a resident agent is already pushing it, and you run the risk of having your students seek an alternative ISP or just camp out on your guest network. Nevermind if the process involves several minutes installing 4 separate packages for all your certs/supplicant settings/more-capable-than-builtin-clients. Sure you can script that yourself, but then you have to maintain that script through OS upgrades... which... well avoiding that is kind of the reason why you pay money to third party NAC vendors in the first place because you could just as well script a NAC agent. I've actually been researching this market for work and I have not seen a single compelling case by any of these vendors that their NAC product won't be a giant time vampire. Currently we are subsisting on the Enterasys/Extreme product which holds together very well as long as we try not to use too many features, but we haven't even gotten to roll out the agents after years of owning the product because some part of it has always managed to break every time we have tried, and the bugfixes take months if not years to arrive. Many in the industry have thrown up their hands at this situation and now walk around spouting nonsense about NAC being old fashioned and the new fancy is doing dynamic policy enforcement based on network scans and reactive firewall events... which of course you should do, but it is no substitute for NAC, and doesn't help you with the onboarding part either. Good luck. If you happen upon a product that looks promising, feel free to let me know. I'll either be grateful, or tell you all the things I know of that are wrong with it.
On Mar 19, 2018, at 2:12 PM, Brian Julin <BJulin@clarku.edu> wrote:
There are scores of commercial offerings. All have their plusses and minuses. There are no clear dominant winners in this market. I'm hopeful Aruba ClearPass
... re-branded FreeRADIUS. From ~15 years ago.
I've actually been researching this market for work and I have not seen a single compelling case by any of these vendors that their NAC product won't be a giant time vampire. Currently we are subsisting on the Enterasys/Extreme product
another rebranded FreeRADIUS. But up to date. :)
Many in the industry have thrown up their hands at this situation and now walk around spouting nonsense about NAC being old fashioned and the new fancy is doing dynamic policy enforcement based on network scans and reactive firewall events... which of course you should do, but it is no substitute for NAC, and doesn't help you with the onboarding part either.
NAC is largely dead. If the end system is up to date, then it's as secure as we can make it. If the system isn't up to date, then it should be brought up to date. Anything more is just too hard. Especially once you start adding iPhones, etc. Alan DeKok.
Alan DeKok <aland@deployingradius.com>:
NAC is largely dead. If the end system is up to date, then it's as secure as we can make it. If the system isn't up to date, then it should be brought up to date.
...which is why the only thing we are really expecting NAC to do is: ensure the system auto-update feature is on, ensure AV is installed and up to date, and ensure the local firewall is on. Given that, we are still using in-house scripts, because unless the NAC agent is ready to roll when the next OSX or Windows release rolls out and unless that NAC agent also helps us install VPN and WiFi profiles, it is more trouble than it is worth. (Well, unless you ask the guy who has to update the in-house scripts, but his perspective is a bit biased :-) That said, not all OS vendors are completely on top of every zero day, so if you have information they have not reacted to yet and can demand a tweak on the client machines to temporarily work around it through the agent, that's a worthwhile capability to aspire to.
Cisco, Aruba..and plenty of other vendors all have commercial offerings in the NAC space. Most have eg dissolvable clients and the like but all of them have weaknesses , either some platforms have little or no support, or they require certain other technology to be adopted too (eg the vendors other appliances for DNS or proxy) and their particular radius server, per client licence or only works with 2 of the common browsers It's all rather a mess alan On Mon, 19 Mar 2018, 14:32 Brian Julin, <BJulin@clarku.edu> wrote:
Alan DeKok <aland@deployingradius.com>:
NAC is largely dead. If the end system is up to date, then it's as secure as we can make it. If the system isn't up to date, then it should be brought up to date.
...which is why the only thing we are really expecting NAC to do is: ensure the system auto-update feature is on, ensure AV is installed and up to date, and ensure the local firewall is on. Given that, we are still using in-house scripts, because unless the NAC agent is ready to roll when the next OSX or Windows release rolls out and unless that NAC agent also helps us install VPN and WiFi profiles, it is more trouble than it is worth. (Well, unless you ask the guy who has to update the in-house scripts, but his perspective is a bit biased :-)
That said, not all OS vendors are completely on top of every zero day, so if you have information they have not reacted to yet and can demand a tweak on the client machines to temporarily work around it through the agent, that's a worthwhile capability to aspire to.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan Buxey -
Alan DeKok -
Bogdan Rudas -
Brian Julin