I need some help getting started with port security (EAP)

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
I want to implement port security so people cannot bring in home laptops and plug them into our network, and other such things. My first question is, how will this work for devices such as printers?

We mostly have HP and Sharp network printers, will they work with a type of EAP? There are a bunch of different types of EAP such as EAP-TLS and PEAP but I would like to know if there is any certain one that works well with linux machines, windows machines, and network printers?
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
wanting and needing to implement this type of solution are 2 different things. i can tell you from experience implementing network-wide port-based 802.1x authentication isn't a turn and go solution. you need to take A LOT of things into consideration. 802.1x isn't an end-to-end solution, so if your goal here is to prevent rogue machines from infecting other machines, think again. manageability is also of concern, though you didn't say on what scale this would be implemented. do all your l2 switches support 802.1x? do you have a need for pxe booting?

as for the printers, you have 3 options. first, and most obvious, is to get 802.1x compliant printers. if that isn't an option, consider locking the port down with a static mac filter. or, you could implement private vlans for all the printers, locking down everything but maybe one port.

unless you're running some sort of PKI infrastructure, I doubt you'll be using TLS. Most likely you would do PEAP with AD usernames / passwords.

as a side note, I have never implemented 802.1x port security due to all of its downfalls. it's great for wireless, but falls very, very short for a wired solution. for you, I would look more towards a solution like MetaIP. customers who truly want end-to-end security (ahem, DoD) don't cut corners. They usually end up with a fully integrated NAC solution...
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: jlazzaro
wanting and needing to implement this type of solution are 2 different things. i can tell you from experience implementing network-wide port-based 802.1x authentication isn't a turn and go solution. you need to take A LOT of things into consideration. 802.1x isn't an end-to-end solution, so if your goal here is to prevent rogue machines from infecting other machines, think again. manageability is also of concern, though you didn't say on what scale this would be implemented. do all your l2 switches support 802.1x? do you have a need for pxe booting?

as for the printers, you have 3 options. first, and most obvious, is to get 802.1x compliant printers. if that isn't an option, consider locking the port down with a static mac filter. or, you could implement private vlans for all the printers, locking down everything but maybe one port.

unless you're running some sort of PKI infrastructure, I doubt you'll be using TLS. Most likely you would do PEAP with AD usernames / passwords.

as a side note, I have never implemented 802.1x port security due to all of its downfalls. it's great for wireless, but falls very, very short for a wired solution. for you, I would look more towards a solution like MetaIP. customers who truly want end-to-end security (ahem, DoD) don't cut corners. They usually end up with a fully integrated NAC solution...

That MetaIP stuff just looks like a DNS/DHCP appliance from reading on their website. How is that better than port security? Getting around a lack of DNS or DHCP would be trivial for someone bringing in an unauthorized laptop.
 

nightowl

Golden Member
Oct 12, 2000
1,935
0
0
Well, I can tell you from experience that it is not an easy task to undertake. There are a couple of ways you can go for your printers. First, I do not know of any print servers that have a dot1x supplicant. Now, as for how to address printers or any other device that does not have a dot1x supplicant, you can do either port security or mac authentication (the mac address serves as the dot1x credential). There are solutions for PXE boot as well (depends on your switch infrastructure) that do not break dot1x. As a general rule, you will need the following: a supplicant on each end device (or some other method to authenticate it), a RADIUS server, a user database, and a supporting switch infrastructure.

Also, be prepared for problems with the XP supplicant. There are issues with trying to log onto AD and with pre-logon scripts when you do user authentication. You also have to tweak registry values to achieve an acceptable logon time.
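To make the moving parts in the two replies above concrete (the supplicant / RADIUS / user database chain, PEAP versus EAP-TLS credentials, and the MAC-based fallback for printers that have no supplicant), here is an added toy model of a switch port's 802.1X decision. It is not code from anyone in this thread or from any vendor; every name, credential, MAC address and VLAN in it is constructed, and the "RADIUS" backend is an in-memory dictionary standing in for the real server and user database.

```python
"""Toy 802.1X authenticator model (constructed example, not vendor code).

A port starts UNAUTHORIZED. A device with a supplicant answers the switch's
EAP-Request/Identity and is checked against a stand-in RADIUS backend
(PEAP inner username/password, or EAP-TLS issuer check). A device with no
supplicant never answers, so after the EAPOL timeout the switch may fall
back to MAC authentication (the MAC is the whole credential). All values
below are made up for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


# Constructed stand-in for the RADIUS server's user database (PEAP inner auth).
PEAP_USERS = {"alice": "correct horse battery staple"}
# Constructed stand-in for "certificate issued by our PKI" (EAP-TLS).
# A real server validates the whole chain; the model compares the issuer only.
TLS_TRUSTED_ISSUER = "CN=Example Corp Issuing CA"
# Constructed MAC allowlist for supplicant-less devices, with the VLAN each gets.
MAB_DEVICES = {"00:11:22:33:44:55": "printers"}


@dataclass
class Device:
    mac: str
    has_supplicant: bool
    eap_type: Optional[str] = None      # "PEAP" or "EAP-TLS"
    username: Optional[str] = None
    password: Optional[str] = None
    cert_issuer: Optional[str] = None


@dataclass
class PortResult:
    state: PortState
    method: str
    vlan: Optional[str]
    reason: str


def radius_check(dev: Device) -> Tuple[bool, str]:
    """Stand-in for the RADIUS Access-Request / Access-Accept exchange."""
    if dev.eap_type == "PEAP":
        ok = dev.username in PEAP_USERS and PEAP_USERS[dev.username] == dev.password
        return ok, "PEAP inner credentials accepted" if ok else "PEAP credentials rejected"
    if dev.eap_type == "EAP-TLS":
        ok = dev.cert_issuer == TLS_TRUSTED_ISSUER
        return ok, "client certificate chains to our CA" if ok else "untrusted issuer"
    return False, "EAP type not offered by the server"


def authenticate_port(dev: Device, mab_enabled: bool = True) -> PortResult:
    """Decide the port state for one device plugged into one switch port."""
    if dev.has_supplicant:
        ok, reason = radius_check(dev)
        state = PortState.AUTHORIZED if ok else PortState.UNAUTHORIZED
        return PortResult(state, dev.eap_type or "none", "users" if ok else None, reason)
    # No EAPOL reply at all: EAP-Request/Identity timed out.
    if not mab_enabled:
        return PortResult(PortState.UNAUTHORIZED, "none", None,
                          "no supplicant and MAC authentication disabled")
    vlan = MAB_DEVICES.get(dev.mac.lower())
    if vlan is not None:
        return PortResult(PortState.AUTHORIZED, "MAB", vlan, "MAC in allowlist")
    return PortResult(PortState.UNAUTHORIZED, "MAB", None, "MAC not in allowlist")


def single_host_violation(authorized_mac: str, seen_macs) -> bool:
    """MAC auth proves nothing beyond the address, so a port authorized that way
    should be pinned to one host: any other source MAC seen on the port is a
    violation the switch should log and act on (err-disable, restrict, etc.)."""
    return any(m.lower() != authorized_mac.lower() for m in seen_macs)


if __name__ == "__main__":
    printer = Device("00:11:22:33:44:55", has_supplicant=False)
    laptop = Device("de:ad:be:ef:00:01", has_supplicant=False)
    alice = Device("00:aa:bb:cc:dd:ee", True, "PEAP", "alice", "correct horse battery staple")
    for d in (printer, laptop, alice):
        r = authenticate_port(d)
        print(f"{d.mac} via {r.method}: {r.state.value} vlan={r.vlan} ({r.reason})")
```

The model shows why the thread's advice fits together: the printer gets onto the network only because its MAC is pre-registered, so the allowlist plus `single_host_violation` is what keeps that port from silently becoming a generic uplink, while the PEAP and EAP-TLS paths differ only in what the RADIUS backend has to hold (a password database versus a CA it trusts).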
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
what is this dot1x supplicant for? I thought I'd read that PEAP and EAP-TLS were already supported by Windows, so no additional software would be needed. Is this supplicant for using something besides PEAP or EAP-TLS? And does nobody have thoughts on what EAP type to use?
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
PEAP and TLS are supported by Windows, but their supplicant is lacking. same with WZC... it supports wireless networks, but it falls short.

if you can't figure out what EAP type to use in your infrastructure, how do you plan on fully implementing this type of solution?

Originally posted by: jlazzaro
unless you're running some sort of PKI infrastructure, I doubt you'll be using TLS. Most likely you would do PEAP with AD usernames / passwords.
TLS is probably overkill for your scenario, and would require a lot more intervention on the client side. Have you read up on both methods?
 

nightowl

Golden Member
Oct 12, 2000
1,935
0
0
A supplicant is what responds to the EAP requests from the switch. XP has a built-in supplicant that supports PEAP and EAP-TLS, as jlazzaro stated. I have worked through a deployment of thousands of switch ports doing EAP-TLS using the XP supplicant, and it worked well in the end, but the journey there was not without some pain.