Friday Apr 18
Nov
19/09
JJ- Back in the lab: 802.1X and more
Updated on Saturday, 28 January 2012 06:41
Share

Hi everyone! I know I’ve been missing in action yet again, so I thought I’d give you all a quick update. I’ve been on site quite a bit recently, working on various customer projects and security implementations.

I’m spending time in the coming weeks in the lab here; mostly working on access control, port security, 802.1X and possibly even some NAC/NAP proof of concepts.

To those of you who have posted comments or emailed questions to me; I promise I’m getting to them! I’ve received quite a few inquiries on various 802.1X topics; implementations, functions and the new standards coming out. Stay tuned for more on the new 802.1X-REV, including my SecTor recap (YES, I know I’m behind schedule).

In the meantime, if you have specific questions about 802.1X or port security in general, please let me know. I have a few fun things I’m going to play with in the lab, including 3rd party and TNC framework integrations, as well as some NAP concepts. I’ll be glad to use any spare time available to test configurations and theories and get back to you!

FYI. My current lab configuration uses Windows-based endpoints and servers. I have FreeRADIUS and Funk available as well, but most current play time will be conducted on Windows, including Windows XP SP3, Windows 7, Windows 2008, Windows 2008 R2.

# # #

Tags: , , ,

4 Comments
  1. CommentsChad West   |  Sunday, 22 November 2009 at 8:16 pm

    JJ,

    I’m currently implementing an 802.1x Wired network policy. We are doing it in a Windows 2003 domain, w/o any 2K8 DC’s . It is very challenging but it going pretty smoothly!!!

    Chad W

  2. CommentsMario Laniel   |  Thursday, 03 December 2009 at 3:22 pm

    JJ,

    I’m currently working on implementing an 802.1x Wired network policy (Wireless to be added soon), I to am running with Windows 2003 DC and using 2K8 as the CA and Radius (Network policy server). It is like Chad is stating above, very challenging and I would like to pick your brain a bit. Here are my issues: I’m using user certificates and all that works great but a lot of my users will use VPN clients to connect to the network and then remote desktop to there XP machine and since terminal services on XP uses machine auth and not user auth the authentication is broken and the port on the switch closes. The other issue is for computers support, if one admin tries to login to a workstation and on the domain they just can’t as no admin certificate exist on the machine. Do you think there are ways to solve these?

    P.S. Great job you’re doing, I just finished reading your white paper: Catching the Unicorn. Superb…You really tell it like it and that’s what I want to hear. Thank you so much.

    Regards,

  3. Commentsjj   |  Thursday, 03 December 2009 at 4:05 pm

    Chad,
    I actually really liked Windows 2003 IAS a lot. The detail of accounting readily available was great. In fact, I’ve had days of setback trying to get what I need from logging in 2008 NPS (renamed from IAS).

    -jj

  4. Commentsjj   |  Thursday, 03 December 2009 at 4:10 pm

    Mario,
    Interesting challenge. If they were accessing the network with an SSL-VPN that gave them network-level access, it would be less complicated. To remote in via VPN to a remote desktop session will be different for sure. I’ll have to get a little more information about the connections.

    Certainly interesting scenario! I’ll have to check into the domain admin rights with user certificates. Typically when we deal with certs, it’s at a customer who already has that infrastructure in place and I never have to mess with that part of it. I’m still learning my way around directory services and domain admin rights.

    Thanks for the feedback on the whitepaper; I’m glad you liked it!

    -jj


Leave a Reply