802.1X, you deployed with Certs, or used individual user accounts?

bnidacoc
Level 1

I'm looking at 802.1X to improve our internal network's security posture to prevent unauthorized access by non-authorized users. The solution I am looking at is 802.1X only, not any vendor's NAC solution which rides upon 802.1X, but 802.1X solely. We currently have no plans nor budget for Cisco's NAC appliance, Clean Access, CSA, or any other type of similar program. Our systems are XP or Vista, and the JetDirects purchased over the years have 802.1X capability per HP's specs. I have about 3,500 desktops.

I had initially considered having the switches query a RADIUS server (like ACS, for example), which would in turn query the Windows AD for account authentication. This would prevent those without an account from accessing the network via a switchport.

I've been looking at some of the ways to perform this, and it looks like some people say the best way (for security's sake) is to actually utilize a certificate authority (internal CA) to authenticate user access in lieu of the username and password. Keep in mind, our current AD password policy requires a username's password change every 60 days, 8 chars or more, requiring uppercase, lowercase, and a number in that password. This is much stronger than it used to be.

So, I'm on the fence here and I am in the early stages of exploration. Can some of you tell me what you chose to do and why?

Much thanks.

7 Replies

acomiskey
Level 10

Have you considered the Cisco Trust Agent? This is a free download and includes a wired 802.1x supplicant. Just thought I would throw that out there if you weren't aware of it.

Funny you mention the AD password policy. I actually used 802.1x with a feature available in some Cisco switches, MAC authentication bypass, which passes the client MAC address as a username and password for authentication. It is completely transparent to the end user and worked great. Unfortunately I could not get around the AD password policy, as the usernames/passwords passed from the clients would never change.

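As an added example that is not from any poster in this thread: a Catalyst IOS configuration in the style acomiskey describes, with the switch authenticating against a RADIUS server (ACS or IAS front-ending AD, as the original question proposes) and MAB used only as a fallback for devices that have no supplicant. The RADIUS address, shared secret, VLAN and interface are placeholders, and the `authentication ...` command family assumes an IOS image new enough to support it (older images use `dot1x port-control auto` and `dot1x mac-auth-bypass` instead).

```ios
! --- Global AAA: the switch asks RADIUS, and RADIUS (ACS/IAS) checks AD ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! 192.0.2.10 and <shared-secret> are placeholders, not values from the thread
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
dot1x system-auth-control
!
! --- Access port: try 802.1X first; MAB only if no supplicant answers ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 ! one authenticated MAC per port, so a hub behind the port cannot piggyback
 authentication host-mode single-host
 ! EAP before MAB, and a later 802.1X success overrides an earlier MAB result
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab
 ! three EAP-Request/Identity tries of 10 s each before falling back to MAB
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Because the MAB "credential" is a never-changing, easily copied MAC address, have RADIUS authorize MAB-only endpoints into a restricted VLAN and keep the MAB list limited to printers and similar devices that cannot run a supplicant.
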
I have just gotten back onto this project (too many to actually complete most).

I noticed that the CTA is not really free. Sure, I can download it and download just about everything else. Using the software without purchasing a license to use (LTU) might not be within the rules.

I guess I'll have to pursue this task with something else.

jms112080
Level 1

We chose to use our internal CA, machine certs for 802.1x. Has been working perfectly for months now, with XP Pro, Microsoft IAS, and 802.1x on the Cisco switches. Requires a registry change to get the machine to send its cert, rather than trying to send a user cert.

What's the registry change? Or do you have a link to something explaining it?

TIA

Would you be willing to reference any highlights of your implementation for others to learn from?

I'm in the middle of a deployment of .1X authentication for the exact same reasons you are.

I'm assuming you are using Catalyst switches; just make sure you're using a good version of the IOS. I have 4507s in my IDFs and use 12.2(37)SG. Prior to this I had some very weird problems, inconsistent authentication.

I didn't use certs; I use the XP supplicant and use the hardware machine name to authenticate with AD + MAC address authentication. I had to go this route because my user base would just allow a guest machine to log in with their AD credentials.

Unfortunately it's a headache to troubleshoot. My desktop team uses a handheld tester from Fluke and I have to reset the MAC table every time they need to test.
