Simple security

A.L.M.Buxey at lboro.ac.uk
Thu Feb 15 15:59:41 CET 2007


Hi,
> Thanks Jeremy.
> 
> I've been doing various searches for practical examples of 802.1x in a LAN setting and haven't found anything yet.  Have you?

It all depends on what kit you've got, both in the network space and in the server architecture.

E.g. with decent Cisco or HP switches you can simply enable dot1X on each switch interface and
configure the switch to RADIUS-authenticate, e.g. against FreeRADIUS. You would need to install
EAP-TLS certs on each machine - or configure PEAP etc. vs. an AD for auth. That's hardly 'seamless',
but no network access control is seamless to users in reality.

Alternatively, how 'secure' does this have to be? You could, e.g., use MAC address authentication,
e.g. use dot1x with MAC auth... and then also do the same for DHCP. Going this way you could use VMPS
on the Cisco kit - unregistered machines live on their own VLAN devoid of anything - except
maybe an authentication gateway to register their systems.

Or, as a final option, the default VLAN on the switch gives people only a captive portal. Once
they have registered (or if they are already known - via MAC) a quick SNMP of their switch
port sets their VLAN to the correct working one. This can be achieved with home-brew code
OR via solutions such as Campus Manager.

Balance up the security requirements vs. the cost and implementation timeframe. For a small
setup, EAP-TLS certs with real dot1x would be my personal way to go. You've just then
got the headache of those network devices that don't do dot1X - e.g. network printers/scanners,
VoIP handsets etc. - for those you'd have to secure the network socket and cabling :-|

alan
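As an added illustration of the MAC-auth / registration-VLAN scheme sketched in the message above (example code written for this page, not FreeRADIUS code and not part of the original post), here is the decision a RADIUS backend makes for each port: a known MAC is placed on its working VLAN, an unknown but well-formed MAC is placed on the registration VLAN where only the registration gateway is reachable, and anything that is not a MAC at all is rejected. The VLAN numbers, the registration table, and the function names are assumptions; the Tunnel-* reply attribute values are the RFC 3580 ones that switches expect for VLAN assignment.

```python
import re

# Assumed VLAN numbers for this example (not from the mail): the
# quarantine/registration VLAN, reachable only from the captive portal,
# and a constructed registration table of known MACs -> working VLAN.
REGISTRATION_VLAN = 999
REGISTERED_MACS = {
    "00:11:22:33:44:55": 100,   # e.g. a staff workstation
    "aa:bb:cc:dd:ee:ff": 200,   # e.g. a network printer that cannot do dot1X
}

# RFC 3580 values used for RADIUS VLAN assignment; the FreeRADIUS
# dictionary spells them Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def normalise_mac(raw: str) -> str:
    """Canonicalise the MAC a switch sends as User-Name / Calling-Station-Id.

    Vendors spell it differently (Cisco 'aabb.ccdd.eeff', HP 'aa-bb-cc-dd-ee-ff',
    some 'AABBCCDDEEFF'); a lookup that does not normalise silently drops
    every registered host onto the registration VLAN.
    """
    cleaned = re.sub(r"[:.\- ]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned):
        raise ValueError(f"not a MAC address: {raw!r}")
    cleaned = cleaned.lower()
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))


def vlan_reply(vlan: int) -> dict:
    """Reply attributes that tell the switch which VLAN to put the port in."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan),
    }


def authorise(user_name: str, registered=REGISTERED_MACS) -> tuple:
    """MAC-auth decision: (accept?, reply attributes).

    Known MAC -> working VLAN; unknown but well-formed MAC -> registration
    VLAN so the host can reach the registration gateway; anything that is
    not a MAC -> Access-Reject, since a MAC-auth port should never carry
    real usernames.
    """
    try:
        mac = normalise_mac(user_name)
    except ValueError:
        return False, {}
    vlan = registered.get(mac, REGISTRATION_VLAN)
    return True, vlan_reply(vlan)


if __name__ == "__main__":
    # Constructed sample User-Name values as different switches would send them.
    for name in ("0011.2233.4455", "AA-BB-CC-DD-EE-FF", "de:ad:be:ef:00:01", "alice"):
        print(name, "->", authorise(name))
```

The same registration table is what the SNMP port-VLAN script in the third option would consult; only the enforcement point differs. The caveat that goes with the "how secure does this have to be" question is that a MAC is trivially cloned from any registered host, so this scheme keeps honest users on the right VLAN but does not stop an attacker who has seen one registered machine.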



More information about the Freeradius-Users mailing list