Re: strategy question

2011-02-08 Thread Alexander Clouter
Stefan Winter stefan.win...@restena.lu wrote:
 
 Makes sense to me.  Will you be using MAC Auth Bypass for printers and other 
 dumb devices?
 
 Commenting on dumb printers... there's been some nice work even in that
 area. If you're lucky enough to have HP printers, the NICs can meanwhile
 do 802.1X just fine. Even the JetDirect 620n (which I understand is the
 entry-level thing) does PEAP:
 
 http://h10010.www1.hp.com/wwpc/us/en/sm/WF06b/18972-18972-236253-34213-236264-378355-378357-1838265.html
 
 And if you throw in another 80 USD, you'll even get ... insert drum roll
 ... IPv6!
 
 http://h10010.www1.hp.com/wwpc/us/en/sm/WF06b/18972-18972-236253-34213-236264-500078-500091-1838264.html
 
...but yet multi ten-thousand euro/pound/dollar buildings and estates 
equipment buys you neither :-/

Fortunately vrf-lite goes a long way to heal those sores.

Cheers

-- 
Alexander Clouter
.sigmonster says: The Fifth Rule:
You have taken yourself too seriously.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


strategy question

2011-02-07 Thread localhero
In a project with some larger customer sites 802.1X authentication 
shall be introduced. There are about 10 sites with roughly 500 
employees each.
It is expected that at least 5 to 10% of the PCs may cause problems 
when 802.1X authentication is activated. To identify those PCs in 
advance the idea is to have the switches ask the FreeRADIUS server 
for authentication. For two weeks or so the RADIUS server shall accept all 
the requests, even if they fail because of invalid certificates. 
The failure shall be reported. During this time the operating staff 
may solve the problems with the PCs. After that period the problems 
are hopefully solved and the RADIUS server shall do real authentication.

Is this an idea that makes sense?
Are there technical restrictions that would avoid such an approach?

-lh
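One way to turn the "failure shall be reported" step into a daily list for the operating staff, as an added example that is not from this thread: it parses "Auth:" lines in the style of a FreeRADIUS radius.log and groups rejected logins by supplicant MAC, with the switch and port where the PC was seen. The sample log lines, host names, switch names and MAC addresses are constructed, and the regex assumes the log wording of your FreeRADIUS version matches them; adjust it otherwise.

```python
import re
from collections import defaultdict

# Constructed sample in the style of FreeRADIUS 2.x radius.log "Auth:" lines
# (assumption: the exact reason text in parentheses varies between versions).
SAMPLE_LOG = """\
Mon Feb  7 20:44:37 2011 : Auth: Login OK: [host/pc-0042.corp] (from client sw-site1-a port 12 cli 00-11-22-33-44-01)
Mon Feb  7 20:44:41 2011 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [host/pc-0107.corp] (from client sw-site1-a port 3 cli 00-11-22-33-44-02)
Mon Feb  7 20:45:02 2011 : Auth: Login incorrect (TLS Alert read:fatal:certificate expired): [host/pc-0210.corp] (from client sw-site2-c port 17 cli 00-11-22-33-44-03)
Mon Feb  7 20:46:10 2011 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [host/pc-0107.corp] (from client sw-site1-a port 3 cli 00-11-22-33-44-02)
Mon Feb  7 20:47:55 2011 : Auth: Login OK: [host/pc-0333.corp] (from client sw-site2-c port 8 cli 00-11-22-33-44-04)
Mon Feb  7 20:48:30 2011 : Auth: Login incorrect: [jdoe] (from client sw-site1-b port 22 cli 00-11-22-33-44-05)
"""

# One Auth line: result, optional "(reason)", identity, switch (NAS), port and supplicant MAC.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<mac>[0-9A-Fa-f-]+)\)$"
)

def parse_line(line):
    """Return the fields of one Auth line as a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return None if m is None else dict(m.groupdict(), mac=m.group("mac").lower())

def summarize_failures(log_text):
    """Group rejected logins by supplicant MAC: identities, reasons, count, last switch/port."""
    failures = defaultdict(lambda: {"users": set(), "reasons": set(), "count": 0, "last": None})
    seen = set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        seen.add(rec["mac"])
        if rec["result"] == "OK":
            continue
        e = failures[rec["mac"]]
        e["users"].add(rec["user"])
        e["reasons"].add(rec["reason"] or "no reason logged")
        e["count"] += 1
        e["last"] = (rec["nas"], int(rec["port"]))  # where the desk-side staff should look
    return dict(failures), len(seen)

def report(log_text):
    """Lines for the operating staff: most frequent failures first, then the overall share."""
    failures, total = summarize_failures(log_text)
    out = []
    for mac, e in sorted(failures.items(), key=lambda kv: -kv[1]["count"]):
        nas, port = e["last"]
        out.append(f"{mac} {'/'.join(sorted(e['users']))} x{e['count']} on {nas} port {port}: {'; '.join(sorted(e['reasons']))}")
    share = 100.0 * len(failures) / total if total else 0.0
    out.append(f"{len(failures)} of {total} supplicants failed at least once ({share:.1f}%)")
    return out
```

Run it against the real radius.log each morning of the pilot window; the last line gives the actual failure share to compare against the expected 5 to 10%.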



RE: strategy question

2011-02-07 Thread Gary Gatten
Makes sense to me.  Will you be using MAC Auth Bypass for printers and other 
dumb devices?



Re: strategy question

2011-02-07 Thread Alan Buxey
Hi,

it seems a fairly sensible approach to migration into an 802.1X world -
I guess your guest/failed VLAN will be just the same as the normal
VLAN that real clients will go onto?  (we were one of the sites to
ask cisco to reverse their decision that a failed VLAN - ie where
802.1X was attempted but failed - should be an operative VLAN rather
than marked as some form of malicious attack).

how are you going to go about configuring the PCs - GPO can be used
to push out the setting if they are corporate/in ActiveDirectory?

alan


RE: strategy question

2011-02-07 Thread localhero


On Mon, 07 Feb 2011 20:44:37 +0100 Gary Gatten 
ggat...@waddell.com wrote:
Makes sense to me.  Will you be using MAC Auth Bypass for printers 
and other dumb devices?

Yes.

-lh



Re: strategy question

2011-02-07 Thread localhero
I think there will be Group Policies in place.

-lh

On Mon, 07 Feb 2011 20:48:08 +0100 Alan Buxey 
a.l.m.bu...@lboro.ac.uk wrote:
Hi,

it seems a fairly sensible approach to migration into an 802.1X world -
I guess your guest/failed VLAN will be just the same as the normal
VLAN that real clients will go onto?  (we were one of the sites to
ask cisco to reverse their decision that a failed VLAN - ie where
802.1X was attempted but failed - should be an operative VLAN rather
than marked as some form of malicious attack).

how are you going to go about configuring the PCs - GPO can be used
to push out the setting if they are corporate/in ActiveDirectory?

alan


Re: strategy question

2011-02-07 Thread Stefan Winter
Hi,

 Makes sense to me.  Will you be using MAC Auth Bypass for printers and other 
 dumb devices?

Commenting on dumb printers... there's been some nice work even in that
area. If you're lucky enough to have HP printers, the NICs can meanwhile
do 802.1X just fine. Even the JetDirect 620n (which I understand is the
entry-level thing) does PEAP:

http://h10010.www1.hp.com/wwpc/us/en/sm/WF06b/18972-18972-236253-34213-236264-378355-378357-1838265.html

And if you throw in another 80 USD, you'll even get ... insert drum roll
... IPv6!

http://h10010.www1.hp.com/wwpc/us/en/sm/WF06b/18972-18972-236253-34213-236264-500078-500091-1838264.html

Stefan



-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



