We have a similar environment. We opted for MAB (MAC Authentication Bypass) on the wire instead of 802.1x because Microsoft's implementation of 802.1x is what can only be described as purposefully obtuse.

802.1x is a fantastic technology and once you get it set up it works very well. However, the management is a nightmare wrapped in terror sent CoD courtesy of Redmond. There are several 3rd party vendors that offer suites to make the rollout and management of 802.1x on Windows easier, but they are not free and you get what you pay for.

MAB works very well and will do everything 802.1x does sans the encryption. Best part? It requires no changes to the clients; MAB is configured on the switch and the client is blissfully ignorant.

Wireless is another story; we use MAB there too. But since wireless is a shared medium it is significantly easier to attempt to spoof a MAC and gain access to the network. Just make sure you have some countermeasures in place to mitigate known attack vectors.

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Damian Mendoza [[email protected]]
Sent: Tuesday, April 30, 2013 10:42 AM
To: [email protected]
Subject: [PacketFence-users] recommendations/ideas for Packetfence large workstation school board

Hi,

Looking at installing Packetfence at a school district with 8,000 wired workstations and 2,000 wireless devices across 26 schools. The goal is to lock down the network so switch ports are not open for network access unless approved by an on-site technician and wireless connections are more secure than just using a basic SSID. Dynamic VLAN assignment would be a plus for guest access. Switches are all fairly current Cisco models that support 802.1x.

Does it make sense to use 802.1x on all wired devices? 90% of workstations are Windows XP. If we went with link up/link down would we be looking at performance issues on a single PF server? Would multiple PF servers be recommended?
Configuring 802.1x on 8,000 workstations would take some time since we would have to push out scripts to enable it and configure it properly. Wired guest workstations would also have to be configured with 802.1x, which might not be possible.

Any recommendations?

Thanks,

--
Damian Mendoza
[email protected]

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
