Hi,

> We are rolling dot1x out in our halls of residence over the next few months.  
> The switches we are using don't really play nicely with MAB (Cisco 2950).  I 
> currently have a call on hold with the PF guys, which I'm going to open up 
> again once I have my live servers in, but I think the idea is to have an 
> inline vlan deciding whether the device is a games console or a 
> non-configured supplicant, and push it down to either a consoles vlan, or to 
> the registration vlan depending.  I'm not actually sure how they are planning 
> to implement this though.
This would probably be the guest-vlan feature (guest-vlan would be 
inline).  Some switches (like 2950s) don't support MAB, so we are 
thinking of using the guest vlan for that.

Nonetheless, if you have the possibility to do MAB along with 802.1X, 
it's clearly the way to go for your gaming devices... and printers, and 
all other network stuff that is not doing 802.1X.

Or contact Microsoft/Sony in order to have them implement EAP-MD5 for 
their XBox/PS3 ;) (this will never happen I guess :P)

Thanks!
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Mark Holmes [mailto:[email protected]]
> Sent: 25 April 2012 08:45
> To: [email protected]
> Subject: Re: [Packetfence-users] gaming consoles and 802.1x auth
>
> Jake,
>
> I think MAC auth bypass (MAB) is the answer here - assuming your switches 
> support it.  It's designed for the case you outline, ie clients with no 
> supplicant.
>
> Yes, it's possible to spoof addresses etc - but in reality, people just won't 
> know how to do it or be bothered.  That's my experience anyway.
>
> Most switches can be configured to fall back to MAB if the client has no 
> 802.1x supplicant, so assuming you are making everybody do 'normal' 802.1x with 
> a username and password, you'd probably want to do that (I assume PF supports a 
> mixture of both methods?).
>
> Personally, we just use MAB throughout as it's much simpler for the end user 
> and I'm not a fan of security at the cost of making things overly complex for 
> users - there should be a balance.
>
> Note:-one disadvantage I've found when using MAB is you can only have one 
> device connected per port - at least, that's the case with HP/3Com gear as 
> far as I can work out.
>
> Hope that helps,
>
> Mark
>
>
>
> -----Original Message-----
> From: Sallee, Stephen (Jake) [mailto:[email protected]]
> Sent: 25 April 2012 04:24
> To: [email protected]
> Subject: [Packetfence-users] gaming consoles and 802.1x auth
>
> We are about to roll out 802.1x auth on our wireless network, and more 
> importantly possibly on our wired network as well.
>
>
>
> For those using 802.1x authentication how do you handle gaming consoles?  It 
> seems that ALL of the console makers have left out support for 802.1x (an 
> idiotic move, IMHO).  The only thing we have come up with so far is to 
> somehow whitelist the MAC of the device but that is HORRIBLE from a security 
> standpoint since it is so easy to spoof a MAC.
>
>
>
> I would greatly appreciate any feedback / thoughts.
>
>
>
> Jake Sallee
>
> Godfather of Bandwidth
>
> System Engineer
>
> University of Mary Hardin-Baylor
>
> 900 College St.
>
> Belton TX. 76513
>
> Fone: 254-295-4658
>
> Phax: 254-295-4221
>
>
>
>
> Nuffield College is a Registered Charity No. 1137506. Registered Office: 
> Nuffield College, New Road, Oxford, OX1 1NF
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and threat 
> landscape has changed and how IT managers can respond. Discussions will 
> include endpoint security, mobile security and the latest in malware threats. 
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> ________________________________
>
>  From 1st November 2011 UWIC changed its title to Cardiff Metropolitan 
> University. From the 6th December 2011, as part of this change, all email 
> addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All 
> emails sent from Cardiff Metropolitan University will now be sent from the 
> new @cardiffmet.ac.uk address. Please could you ensure that all of your 
> contact records and databases are updated to reflect this change. Further 
> information can be found on the website 
> here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
>


-- 
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
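
Added example, not part of the original thread and not PacketFence code: since the thread raises MAC spoofing as the weakness of MAB, this sketch flags a MAB-authenticated MAC that opens a session on one switch port while it still has an open session on another. The record field names, the "method" tag and all sample values are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: already-parsed RADIUS accounting records. Field names and
# the "method" tag are assumptions for this example, not a PacketFence format.
SAMPLE_EVENTS = [
    {"time": 100, "type": "start", "mac": "00:00:5E:00:53:01", "nas": "192.0.2.11", "port": "Fa0/5", "method": "mab"},
    {"time": 160, "type": "start", "mac": "00-00-5e-00-53-02", "nas": "192.0.2.11", "port": "Fa0/6", "method": "mab"},
    {"time": 200, "type": "stop",  "mac": "00-00-5e-00-53-02", "nas": "192.0.2.11", "port": "Fa0/6", "method": "mab"},
    {"time": 260, "type": "start", "mac": "0000.5e00.5302",    "nas": "192.0.2.12", "port": "Fa0/2", "method": "mab"},
    {"time": 300, "type": "start", "mac": "0000.5e00.5301",    "nas": "192.0.2.12", "port": "Fa0/9", "method": "mab"},
    {"time": 310, "type": "start", "mac": "00:00:5e:00:53:03", "nas": "192.0.2.12", "port": "Fa0/3", "method": "dot1x"},
]


def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def find_mab_conflicts(events):
    """Return (mac, existing_location, new_location, time) for every MAB
    session that starts while the same MAC is still active elsewhere."""
    active = defaultdict(set)  # mac -> {(nas, port), ...} with open sessions
    conflicts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["method"] != "mab":
            continue  # 802.1X sessions are tied to credentials, not the MAC
        mac = normalize_mac(ev["mac"])
        where = (ev["nas"], ev["port"])
        if ev["type"] == "start":
            for other in sorted(active[mac] - {where}):
                conflicts.append((mac, other, where, ev["time"]))
            active[mac].add(where)
        elif ev["type"] == "stop":
            active[mac].discard(where)
    return conflicts


if __name__ == "__main__":
    for mac, old, new, when in find_mab_conflicts(SAMPLE_EVENTS):
        print(f"t={when}: {mac} active on {old} and {new}")
```

A lost accounting stop record (for example after a cable pull) also shows up as a conflict, so hits need triage rather than automatic blocking.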
