We are rolling dot1x out in our halls of residence over the next few months. The switches we are using don't really play nicely with MAB (Cisco 2950). I currently have a call on hold with the PF guys, which I'm going to open up again once I have my live servers in, but I think the idea is to have an inline vlan deciding whether the device is a games console or a non-configured supplicant, and push it down to either a consoles vlan, or to the registration vlan depending. I'm not actually sure how they are planning to implement this though.
Cheers,
Andi

-----Original Message-----
From: Mark Holmes [mailto:[email protected]]
Sent: 25 April 2012 08:45
To: [email protected]
Subject: Re: [Packetfence-users] gaming consoles and 802.1x auth

Jake,

I think MAC auth bypass (MAB) is the answer here - assuming your switches support it. It's designed for the case you outline, i.e. clients with no supplicant. Yes, it's possible to spoof addresses etc - but in reality, people just won't know how to do it or be bothered. That's my experience anyway.

Most switches can be configured to fall back to MAB if the client has no 802.1x supplicant, so assuming you are making everybody do 'normal' 802.1x with a username and password, you'd probably want to do that (I assume PF supports a mixture of both methods?). Personally, we just use MAB throughout as it's much simpler for the end user and I'm not a fan of security at the cost of making things overly complex for users - there should be a balance.

Note: one disadvantage I've found when using MAB is you can only have one device connected per port - at least, that's the case with HP/3Com gear as far as I can work out.

Hope that helps,
Mark

-----Original Message-----
From: Sallee, Stephen (Jake) [mailto:[email protected]]
Sent: 25 April 2012 04:24
To: [email protected]
Subject: [Packetfence-users] gaming consoles and 802.1x auth

We are about to roll out 802.1x auth on our wireless network, and more importantly possibly on our wired network as well.

For those using 802.1x authentication how do you handle gaming consoles? It seems that ALL of the console makers have left out support for 802.1x (an idiotic move, IMHO).

The only thing we have come up with so far is to somehow whitelist the MAC of the device but that is HORRIBLE from a security standpoint since it is so easy to spoof a MAC.

I would greatly appreciate any feedback / thoughts.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
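Added example, not part of the original thread and not PacketFence code: one way to watch for the MAC-spoofing risk raised above when MAB is in use is to flag a MAC-authenticated address that has open sessions on two switch ports at once. The accounting records are constructed, the record field names are hypothetical, and treating a User-Name that equals the Calling-Station-Id MAC as a MAB login is an assumption about how the switch reports it.

```python
import re
from collections import defaultdict

# Constructed sample RADIUS accounting records (not real logs).
# Hypothetical keys: user = User-Name, mac = Calling-Station-Id,
# nas = NAS-IP-Address, port = NAS-Port, status = Acct-Status-Type.
RECORDS = [
    {"t": 100, "status": "Start", "user": "001122aabbcc", "mac": "00-11-22-AA-BB-CC", "nas": "10.0.0.2", "port": 7},
    {"t": 130, "status": "Start", "user": "alice", "mac": "00:de:ad:be:ef:01", "nas": "10.0.0.2", "port": 9},
    {"t": 200, "status": "Start", "user": "0011.22aa.bbcc", "mac": "0011.22aa.bbcc", "nas": "10.0.0.5", "port": 3},
    {"t": 260, "status": "Stop", "user": "001122aabbcc", "mac": "00-11-22-AA-BB-CC", "nas": "10.0.0.2", "port": 7},
    {"t": 300, "status": "Start", "user": "3c5ab4000001", "mac": "3c:5a:b4:00:00:01", "nas": "10.0.0.2", "port": 7},
]

def norm_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    s = re.sub(r"[-:.]", "", value).lower()
    return s if re.fullmatch(r"[0-9a-f]{12}", s) else None

def is_mab(rec):
    """Assumption: a MAB login carries the client MAC as its User-Name."""
    mac = norm_mac(rec["mac"])
    return mac is not None and norm_mac(rec["user"]) == mac

def find_concurrent_mab(records):
    """Flag MAB sessions that start while the same MAC is live elsewhere."""
    active = defaultdict(set)  # mac -> {(nas, port)} with an open session
    alerts = []
    for rec in sorted(records, key=lambda r: r["t"]):
        if not is_mab(rec):
            continue  # 802.1x logins with real usernames are out of scope
        mac, where = norm_mac(rec["mac"]), (rec["nas"], rec["port"])
        if rec["status"] == "Stop":
            active[mac].discard(where)
        elif rec["status"] == "Start":
            others = sorted(active[mac] - {where})
            if others:
                alerts.append((rec["t"], mac, where, others))
            active[mac].add(where)
    return alerts

if __name__ == "__main__":
    for t, mac, where, others in find_concurrent_mab(RECORDS):
        print(f"t={t} MAC {mac} started on {where} while active on {others}")
```

A console that is simply moved to another room produces a Stop before the next Start, so only overlapping sessions are reported.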
