03-22-2013 08:06 AM
There's been a lot of talk recently from legal people about the best way to identify a user doing something they aren't supposed to be doing. A lot of this stems from the fact that lawyers and judges believe that an IP address is a unique thing that ties a user to something they did online. Most IT pros know that with NAT and RFC 1918 addresses an IP address could be one of a number of systems. While IPv6 will address this with globally routable IP addresses for every user, we still have to accommodate the users that are stuck on IPv4 for the foreseeable future.
Should we start using identification systems like those found in ClearPass to help us better identify the user base when something goes wrong? If we get a takedown notice or some other document instructing us to find out who was downloading something they weren't supposed to or hacking into a sensitive area, should we use all those methods at our disposal to take care of the problem? I think implementing user identification could be a big pile of work up front but would allow more granularity of control on the back end when it comes to figuring out who should be answering for the subpoena sitting in the legal counsel's office.
What do you think?
03-25-2013 07:42 AM
We can already identify bad users without ClearPass and with little upfront work. By implementing 802.1X you can have a nice log of who is doing what, and this information is represented quite well in the Aruba UI. Not to mention RADIUS logs, etc... So not only do you gain the ability to add more granular controls, you also get much better insight into your network.
It still shocks me how few places utilize 802.1X; if only for the visibility aspect, it is huge!
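The visibility argument in the post above rests on one thing RADIUS accounting gives you that a bare IP address does not: a time-bounded binding of user, MAC, IP and access point. The script below is an added example, not code from the posters or from Aruba/ClearPass; its key=value log format and every user, MAC, IP and NAS name in it are constructed for illustration. It pairs Start/Stop accounting events into sessions and then answers the subpoena question from the first post, "who had this IP at this time?", returning an empty answer rather than a guess when the address was between sessions.

```python
"""Attribute an IP address to a user from RADIUS accounting records.

Added example for the 802.1X/RADIUS visibility discussion; the log format
and all values below are constructed, not real Aruba or ClearPass output.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: one accounting event per line. Note that 10.20.30.41 is
# reused by a second user after the first session ends, which is exactly why
# an IP alone is not an identity.
SAMPLE_LOG = """\
ts=2013-03-22T13:01:10Z type=Start user=alice@example.edu mac=00-11-22-33-44-55 ip=10.20.30.41 nas=ap-lib-3
ts=2013-03-22T13:05:00Z type=Start user=bob@example.edu mac=00-11-22-33-44-66 ip=10.20.30.42 nas=ap-lib-3
ts=2013-03-22T14:10:00Z type=Stop user=alice@example.edu mac=00-11-22-33-44-55 ip=10.20.30.41 nas=ap-lib-3
ts=2013-03-22T14:12:30Z type=Start user=carol@example.edu mac=00-11-22-33-44-77 ip=10.20.30.41 nas=ap-lib-3
ts=2013-03-22T16:00:00Z type=Stop user=carol@example.edu mac=00-11-22-33-44-77 ip=10.20.30.41 nas=ap-lib-3
"""


@dataclass
class Session:
    user: str
    mac: str
    ip: str
    nas: str
    start: datetime
    stop: Optional[datetime] = None  # None means still open at the end of the log


def parse_ts(s: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in SAMPLE_LOG."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> list:
    """Split key=value lines into dicts; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(kv.split("=", 1) for kv in line.split()))
    return events


def build_sessions(events: list) -> list:
    """Pair Start and Stop events keyed by (user, mac, ip).

    A Stop with no matching Start is an orphan and is skipped; a Start with no
    Stop stays open; a repeated Start for the same key closes the earlier one.
    """
    open_sessions = {}
    sessions = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (ev["user"], ev["mac"], ev["ip"])
        ts = parse_ts(ev["ts"])
        if ev["type"] == "Start":
            if key in open_sessions:
                prev = open_sessions.pop(key)
                prev.stop = ts
                sessions.append(prev)
            open_sessions[key] = Session(ev["user"], ev["mac"], ev["ip"], ev["nas"], ts)
        elif ev["type"] == "Stop":
            s = open_sessions.pop(key, None)
            if s is None:
                continue  # orphan Stop: nothing to attribute
            s.stop = ts
            sessions.append(s)
    sessions.extend(open_sessions.values())
    return sessions


def who_had_ip(sessions: list, ip: str, at: datetime) -> list:
    """Return every session holding `ip` at instant `at` (start inclusive, stop exclusive).

    An empty list means the records cannot attribute the address at that time;
    more than one entry means an overlap that should be investigated, not resolved by guessing.
    """
    return [
        s for s in sessions
        if s.ip == ip and s.start <= at and (s.stop is None or at < s.stop)
    ]


if __name__ == "__main__":
    sessions = build_sessions(parse_events(SAMPLE_LOG))
    for when in ("2013-03-22T13:30:00Z", "2013-03-22T14:11:00Z", "2013-03-22T15:00:00Z"):
        hits = who_had_ip(sessions, "10.20.30.41", parse_ts(when))
        print(when, "->", [(s.user, s.mac, s.nas) for s in hits] or "no session on record")
```

Two points the code makes that the thread only implies: the gap between 14:10:00 and 14:12:30 is reported as "no session on record" rather than attributed to either neighbour, and a real deployment would also need to consume Interim-Update records, since the Framed-IP-Address is often only learned after the Start event once DHCP completes.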
03-25-2013 07:50 AM
I agree that 802.1X is probably the ID solution that we need. The problem is that most 802.1X implementations in the past have required a huge investment of time and planning to get them working. Even then, they are far from automated or bulletproof. Most of the advances that newer ID software like ClearPass (and others) have given us is a friendly face for 802.1X configuration. You just have to pay for the privilege.
I think your idea has a lot of merit. I just have to figure out how to do it consistently across my customer base.
03-25-2013 07:59 AM
I have a hard time understanding the issues people have implementing 802.1X. In my experience working with edu sites, I often see primarily PC sites with 802.1X and primarily Mac sites with PSK. I have to wonder if part of this is the ease of extending Active Directory with RADIUS using NPS, while the Mac server platform really has no "easy" options.
Another thing I see a lot is people will say they need client certs, etc. with RADIUS, then realize that without a good way to deploy said certs, deployment is VERY complicated (i.e. a mixed Mac/PC environment), then they will simply fall back to PSK and never look back because their "pilot" failed... BUT in most cases TLS is not needed, as they simply want more visibility on their sites and the ability to lock down access (disable access) from one location, their authentication directory (LDAP, OpenLDAP, Active Directory).
I am not sure the best way to solve this issue - except maybe we need to teach people that when something does not work, it does not mean you failed, unless you have failed to learn anything about what happened.