Educause Security Discussion mailing list archives
Re: 802.1x Question
From: "Dr. Wole Akpose" <wole.akpose () MORGAN EDU>
Date: Tue, 29 Mar 2011 13:56:09 -0400
One: set up an Admin VLAN (Or assume that students can join themselves to Domain) Two: only pr-define admin user permitted to join machines to domain / Admin VLAN permitted to all relevant AD ports. Since a machine can authenticate to AD via Clean Access without being joined to Domain. But once authenticated it acquires appropriate VLAN IP, you can join to domain post authentication. Note : Note all AD ports are necessary for authentication. To increase AD security, deploy RODC in DMZ accessible to Guest (and most users).
From experience, I will also recommend your Guest VLAN have acces to utility
Internet, and not just remediation site. This will save save help desk time. Good luck. W. Akpose. For your managed Windows PC such as lab computers use prepared images. On Mar 29, 2011 12:39 PM, "Sam Walker" <swalker () wvsom edu> wrote:
I wished to obtain some opinions on a particular topic. We are reviewing
new proposals for our network configuration, and came across an issue we have debated internally. To offer some background, our network requirements were to provide a dynamic configuration of both wired and wireless ports. In the past, each port (student or faculty/staff) were static.
One proposal included the following configuration using 802.1x. By
default, all devices would be placed within a guest VLAN. A Cisco ACS server would be configured to authenticate against our local Active Directory database for group membership. So if a faculty user account is used, the machine would be placed within the faculty/staff VLAN. If a student logs in, the device would be placed within the student VLAN. If the device is not successfully authenticated, it would remain within the guest VLAN.
The problem we have determined is the access required by the guest VLAN.
Since it is the default VLAN initially, it would require access to our Active Directory domain controllers to authenticate. If someone would take a new machine and wished to add it to our local Windows domain, it too would need access to the domain controllers. But this appears to be a huge security hole to us, as a machine within the guest VLAN would have direct access to our DC's.
So we wished to query how others were handling 802.1x authentication. One
potential solution would be to have another VLAN as the initial value, and place devices that would not authenticate successfully to the guest VLAN. But we wished to obtain some opinions on this subject before moving forward. Thanks.
Current thread:
- 802.1x Question Sam Walker (Mar 29)
- Re: 802.1x Question Guillaume Germain (Mar 29)
- Re: 802.1x Question Dr. Wole Akpose (Mar 29)
- Re: 802.1x Question Christian Heroux (Mar 29)
- Security projects and web application firewall Youngquist, Jason R. (Mar 30)
- Re: Security projects and web application firewall Daniel Bennett (Mar 30)
- Re: Security projects and web application firewall SCHALIP, MICHAEL (Mar 30)
- Security projects and web application firewall Youngquist, Jason R. (Mar 30)
- Re: 802.1x Question Dexter Caldwell (Mar 30)