Aug 19/08
Alan, Tim & 802.1X- 6 Reasons Why You’re Wrong
Updated on Saturday, 28 January 2012 06:48

I luv you’z guys and I usually agree with both of you on all matters NAC-ish and 1X-ish, but I have to disagree with today’s flurry of 802.1X-adoption talk.

What exactly am I yapping about? Well, today Tim at Network World posted a nice article on the growing adoption of 802.1X. Shortly after, Alan jumped in with his post on ‘Is 802.1X in Your Future?’. You can see my notes below, and I definitely recommend reading the original articles.

  • Eins: Easier implementations

I certainly don’t think 802.1X is getting easier to implement. The problem with rolling out 802.1X successfully is that it requires in-depth knowledge of a) your current network, including all VLANs, routing and physical connections, b) your planned network (and yes, there is a migration period just like any other upgrade), c) authentication, secure communication and/or certs, and d) all things layer 2 and 3. With 1X, you’re segmenting, authenticating, routing and securing. If you don’t understand each and all pieces, then *fail 1X.

To make matters worse, most vendors don’t have a solution for ‘good’ central management of heterogeneous switch environments, making 802.1X still a very manual process, even if you understand the concepts. I don’t see this getting easier- it’s just becoming better-understood, which is all we can ask for at the moment.

  • Zwei: 50% adoption of 802.1X

Asking a crowd of people if they plan to implement 802.1X by XX year is like asking a room of 6-year-olds “who wants to be a firefighter when you grow up?” They (most likely) have no concept of what’s involved with 802.1X, or the trials and tribulations associated with client and authentication configurations. Sure, it sounds good… but… really? After a half-day training, if you asked the same group, I wonder how many hands would go up.

  • Drei: No supplicant needed

I have to disagree with the notion that Cisco and Juniper just want to ‘sell more supplicants’. I mean, of course they do- but if the OS-integrated supplicants covered our needs, neither company would have invested ginormous amounts of money in their Meetinghouse and Funk acquisitions.

The truth is, many (or even most) organizations today do not need 3rd party supplicants, but they sure make life a lot easier, especially in the cases of multi-user profiles, multi-location profiles and environments where a shim is needed (such as the GINA shim for Novell clients). If you’re all Microsoft, you’ll get little benefit from a 3rd party supplicant- which is one of the reasons Tim and Joel have hit the nail on the head when they say Microsoft is ‘leading in NAC’… yes, because they make it easy and it works.

  • Vier: Variance of switch vendor support

Okay Alan, I’m agreed here ~sorta. Switch vendors vary drastically in their support of 802.1X-ish-features. But, the real difference is not in the implementation of the standard-specified 802.1X functions. The differences come in the ‘off-RFC’ features, such as mixed authentication, null VLAN returns and MAC-auth. These items are not specified as part of the true 802.1X specs and RFCs, so vendors are left to ‘do as they please’ with these features. Because of that, you’ll see huge variances from vendor-to-vendor and even firmware-to-firmware. I know this because I’ve personally taken packet captures and reviewed them along with configurations in vendor labs with their dev teams. You’ll be hearing more about off-standard functions from me soon. This area of 802.1X demands a lot of attention and patience.
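To make the ‘null VLAN return’ point concrete, here is an added example (mine, not code from Alan, Tim or any switch vendor) that decodes the RFC 3580 VLAN assignment carried in a RADIUS Access-Accept and turns the no-VLAN case into an explicit policy decision instead of whatever the switch firmware happens to do. The attribute numbers and enumerations are the real RFC 2865/2868/3580 values; the Access-Accept payloads are constructed for illustration, not packet captures, and the `port_decision` policy is a hypothetical authenticator behaviour, not any vendor’s.

```python
"""Decode the RFC 3580 VLAN assignment in a RADIUS Access-Accept and make the
'null VLAN return' case an explicit policy decision.

Attribute numbers and enumerations are the real RFC 2865/2868/3580 values;
the payloads below are constructed for illustration, not captured traffic."""

TUNNEL_TYPE = 64              # RFC 2868, tagged integer
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868, tagged string (VLAN id or name)
SESSION_TIMEOUT = 27          # RFC 2865, plain integer (used in a sample below)
TUNNEL_TYPE_VLAN = 13         # RFC 3580 value for Tunnel-Type
TUNNEL_MEDIUM_IEEE_802 = 6    # RFC 3580 value for Tunnel-Medium-Type


def parse_attributes(payload: bytes):
    """Split a RADIUS attribute payload into (type, value) pairs (RFC 2865 TLVs)."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def resolve_vlan(payload: bytes, strict: bool = True):
    """Return the VLAN named by a complete Tunnel-Type / Tunnel-Medium-Type /
    Tunnel-Private-Group-ID triple, or None when the Accept carries no usable
    assignment. With strict=False a bare Tunnel-Private-Group-ID is accepted,
    mimicking the looser behaviour some firmware shows."""
    groups = {}  # RFC 2868 tag -> {attribute type: decoded value}
    for atype, value in parse_attributes(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is the tag; anything larger starts the string.
            tag, body = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = body.decode("ascii")
    for tag in sorted(groups):
        g = groups[tag]
        vlan = g.get(TUNNEL_PRIVATE_GROUP_ID)
        if vlan is None:
            continue
        complete = (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                    and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802)
        if complete or not strict:
            return vlan
    return None


def port_decision(payload: bytes, fallback_vlan=None, strict: bool = True):
    """Hypothetical authenticator policy for the port after an Access-Accept:
    ('assign', vlan) when a usable assignment is present, ('fallback', vlan)
    when a configured fallback covers a null VLAN return, otherwise
    ('reject', None) so the port never silently stays in its native VLAN."""
    vlan = resolve_vlan(payload, strict)
    if vlan is not None:
        return ("assign", vlan)
    if fallback_vlan is not None:
        return ("fallback", fallback_vlan)
    return ("reject", None)


# --- constructed sample payloads ---------------------------------------------
def attr(atype: int, value: bytes) -> bytes:
    """Encode one RFC 2865 attribute: type, total length, value."""
    return bytes([atype, len(value) + 2]) + value


def vlan_accept(vlan: str, tag: int = 0) -> bytes:
    """Attribute payload of an Access-Accept carrying an RFC 3580 VLAN assignment."""
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")))


FULL_ACCEPT = vlan_accept("20")                                  # complete triple
NULL_ACCEPT = attr(SESSION_TIMEOUT, (3600).to_bytes(4, "big"))   # Accept with no VLAN attrs
PARTIAL_ACCEPT = attr(TUNNEL_PRIVATE_GROUP_ID, b"\x0020")        # group id with no type/medium

if __name__ == "__main__":
    for name, p in [("full", FULL_ACCEPT), ("null", NULL_ACCEPT), ("partial", PARTIAL_ACCEPT)]:
        print(name, "strict:", port_decision(p), "lenient:", port_decision(p, "999", strict=False))
```

The point of the `strict` switch is exactly the vendor variance described above: the same partial Access-Accept lands a port in VLAN 20 on a lenient authenticator and gets rejected (or dropped into the fallback VLAN) on a strict one, so the RADIUS policy and the switch behaviour have to be verified together, per platform and firmware, before anything is called done.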

  • Fünf: Switch upgrade required

Tim, I do want to point out that 802.1X has been around since about 2001 and has been supported in switches for several years. I have done a variety of 1X implementations, even on old crappy switches and wireless access points and they support 802.1X. In fact, I can’t say I’ve hit a customer that had to buy new switches for 1X. I have some Cisco users that need to upgrade firmware to take advantage of the newer 1X, Mac-Auth and Web-Auth support, but that’s the most extreme case so far. 

  • Sechs: The REV is a’comin’

All these numbers, predictions and speculation will be tossed to the wind once the new 802.1X-REV is released. Its configuration and implementation will be so different from the 802.1X we know today that customers will have to re-learn the technology before making any decisions. The REV is expected out in early 2009. The good news may be that the new REV offers so many fun new features that the 802.1X adoption rates may actually be even higher with the new version. But for now, adoption statistics of current 1X into 2011 are really a moot point… it won’t be around.

So I have to disagree on a few points, but overall I agree (and I hope) 802.1X-adoption will continue to rise. If not, I need to start looking into other things… like reading up on my IDS management.. (oh wait- IDS is dead– nvm)

Don’t ask me why I went with German numbers today… there’s just not a good answer. Hopefully they’re all spelled correctly and I didn’t curse a goat or anything strange.

;)

# # #