Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine Authentication: Clarification for my benefit & Linux bypass machine auth with MSCHAPv2

  • 1.  Machine Authentication: Clarification for my benefit & Linux bypass machine auth with MSCHAPv2

    Posted Apr 23, 2012 10:51 AM

    Chaps,

    If I enforce machine authentication, that does mean I make sure this part of DOT1X is honored before user authentication, right?

    I ask this as it works great for Windows, but when I boot up into Linux, disable the cert check and use a domain user ID and password, I get straight in.

    I don't have a proper PKI yet - but will do so soon (big job). In the meantime - has anyone used device fingerprinting to identify a non-Windows machine and stop it from using PEAP-MSCHAPv2?

    Thing is, the real troublemakers are going to be running Linux, I would think (esp. BackTrack).

    Also, the auth type is "8021x-User" and not "802.1x" - any way of taking advantage of this categorization?

    Thanks a mill



  • 2.  RE: Machine Authentication: Clarification for my benefit & Linux bypass machine auth with MSCHAPv2

    Posted Apr 23, 2012 12:22 PM

    You can definitely take advantage of the "enforce machine auth" knob.  If a client tries to use his or her credentials WITHOUT first passing machine authentication (which would happen on Linux, Android, non-domain joined Windows machines, MacOS (assuming you haven't joined it to the domain), etc.) the client will be placed into the "machine authentication: default user role" under the dot1x profile.  If the client passes machine authentication, it will be placed in the "machine authentication: default machine role".  The clients that don't do machine authentication COULD be placed into a guest role.  Clients that pass machine auth and are waiting for user auth COULD be placed into a role that only lets them talk to the domain controllers and other necessary servers.

    The only issue you might encounter is the cache timeout.  When a client successfully completes machine auth, the controller caches that MAC address for the configured time.  If the client doesn't perform a machine auth (which Windows only does on login and logout) during the cache timer, the controller deletes that MAC address.  If the client then tries to reauthenticate (without a login/logout), they will be placed into the "machine authentication: default user role" (since no machine auth was cached).  This can cause issues for valid users that come out of hibernate or sleep mode, undock from a wired connection, or turn their WLAN NIC on AFTER login.



  • 3.  RE: Machine Authentication: Clarification for my benefit & Linux bypass machine auth with MSCHAPv2

    Posted Apr 23, 2012 01:28 PM
    O,

    Great explanation. Given this is my first install of a measly 2000 users, I am going to err on the side of security. As for wake-up and switching off, well, I guess a "please ask the user to reboot" will sort that out. Which is what our HelpDesk say anyway.

    What's your view on cache timeout length?


  • 4.  RE: Machine Authentication: Clarification for my benefit & Linux bypass machine auth with MSCHAPv2

    Posted Apr 23, 2012 02:14 PM

    The cache timeout is 24 hours by default.  That, to me, is too short.  BUT, you have to weigh the security risk against the users' frustration.

    I think the timeout should be 3-4 days.  That way, a long weekend won't cause the cache to expire (assuming people reboot every day).  There is a way to do this with "netsh" commands (for the machine to reauth), but I am not much of a server or client expert, so I can't help with that (but I know it can be done).
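    As an added illustration (not part of this thread, and not Aruba or ClearPass code), the following Python model plays out the role-placement logic described in reply 2 and the cache-timeout trade-off from reply 4. The role names, the sample MAC address and the timings are constructed for the example; the controller's real behaviour is what the replies above describe, and this is only a simplified model of it.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical role labels standing in for the roles configured under the
# controller's dot1x profile (not Aruba defaults).
DEFAULT_USER_ROLE = "machine-auth-default-user-role"        # user auth, no cached machine auth
DEFAULT_MACHINE_ROLE = "machine-auth-default-machine-role"  # machine auth, user not yet logged in
FULL_ACCESS_ROLE = "employee-role"                          # machine auth cached AND user auth passed


@dataclass
class MachineAuthCache:
    """Per-MAC record of the last successful machine authentication (times in hours)."""
    timeout_hours: float
    entries: Dict[str, float] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def is_cached(self, mac: str, now: float) -> bool:
        seen = self.entries.get(mac)
        if seen is None:
            return False
        if now - seen > self.timeout_hours:
            # Timer expired without a fresh machine auth: the controller forgets the MAC.
            del self.entries[mac]
            return False
        return True


def assign_role(cache: MachineAuthCache, mac: str, now: float,
                user_auth_ok: bool) -> Optional[str]:
    """Role the client lands in, following the placement rules from reply 2."""
    machine_ok = cache.is_cached(mac, now)
    if machine_ok and user_auth_ok:
        return FULL_ACCESS_ROLE
    if machine_ok:
        return DEFAULT_MACHINE_ROLE
    if user_auth_ok:
        return DEFAULT_USER_ROLE
    return None  # neither auth succeeded; the thread does not describe this case


SAMPLE_MAC = "00:11:22:33:44:55"  # constructed sample MAC address


def linux_user_only(timeout_hours: float = 24) -> Optional[str]:
    """The original question: a non-domain (e.g. Linux) box presenting only domain user creds."""
    cache = MachineAuthCache(timeout_hours)
    return assign_role(cache, SAMPLE_MAC, now=0, user_auth_ok=True)


def windows_boot_then_login(timeout_hours: float = 24) -> Tuple[Optional[str], Optional[str]]:
    """Domain-joined Windows: machine auth at boot, then user auth a few minutes later."""
    cache = MachineAuthCache(timeout_hours)
    cache.record_machine_auth(SAMPLE_MAC, 0)
    pre_login = assign_role(cache, SAMPLE_MAC, now=0, user_auth_ok=False)
    post_login = assign_role(cache, SAMPLE_MAC, now=0.1, user_auth_ok=True)
    return pre_login, post_login


def long_weekend(timeout_hours: float) -> Tuple[Optional[str], Optional[str]]:
    """Boot and log in Friday 08:00 (hour 0), sleep the laptop, wake Tuesday 07:00 (hour 95)
    and reauthenticate with user creds only: no reboot, so no fresh machine auth."""
    cache = MachineAuthCache(timeout_hours)
    cache.record_machine_auth(SAMPLE_MAC, 0)
    friday = assign_role(cache, SAMPLE_MAC, now=0.1, user_auth_ok=True)
    tuesday = assign_role(cache, SAMPLE_MAC, now=95, user_auth_ok=True)
    return friday, tuesday


if __name__ == "__main__":
    print("Linux, user creds only:  ", linux_user_only())
    print("Windows boot then login: ", windows_boot_then_login())
    print("Long weekend, 24 h cache:", long_weekend(24))
    print("Long weekend, 96 h cache:", long_weekend(96))
```

    Running it shows the two points the replies make: a machine with no cached machine auth never gets past the default user role however valid the user's password is, and with the 24-hour default a laptop that sleeps over a long weekend drops to that same role on wake, whereas a 4-day (96 h) timer keeps it in the full-access role until the next reboot refreshes the cache.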



  • 5.  RE: Machine Authentication: Clarification for my benefit & Linux bypass machine auth with MSCHAPv2

    Posted Apr 23, 2012 03:01 PM
    Sure, my call etc. Good to hear views, always, and thanks a million. Your argument seems sound to me and I'll make the call on how that suits my implementation. I can see the argument from both sides. Cheers