This is more for evolution. The ability to identify an unmanaged device and the user connected allows us to direct what they are able to do.

The power given to our security group, enabling them to ensure only authenticated clients are able to reach internal resources, as well as the ability to mitigate hosts more easily, is why we have been pursuing NAC on the wire. Sadly I can't answer questions 3-5 since we aren't far enough down the road. I am curious to see responses.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Monday, April 13, 2020 2:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] NAC/authentication implementations

Where wired 802.1X is a goal, have you seen real-world security issues happen in your environments that this will solve, or is the target one of evolution and prevention?

Lee Badman | Network Architect (CWNE#200)
Information Technology Services (NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of McClintic, Thomas
Sent: Monday, April 13, 2020 3:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] NAC/authentication implementations

We are currently in the beginning of implementing NAC on the wire. We are using a phased approach to ease clients into it.

Phase 1a) Introduce open MAC authentication to all ports; this helps verify connectivity and licensing.
Phase 1b) Roll out certificate enrollment via AD and JAMF for EAP-TLS usage.
Phase 2a) Enable EAP-TLS authentication along with open MAC and registered MACs; enable AD and JAMF computers for wired authentication.
Phase 2b) Captive portal for open MAC authentication that enables users to enroll for a certificate (using CPPM Onboarding).
Phase 3) Begin enforcing EAP-TLS or restricted MAC authentication (to authenticate non-EAP-TLS devices). No authentication leaves you in a captive portal; bypass this portal and you are restricted to an internet-only segmented network.

We are currently on phase 2a, but are still working on the design and implementation. We are going very slow to minimize impact to users while trying to increase our security by restricting open port access. The ultimate goal will be to know who or what is on each port and enable our security group to dictate the policies.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Johnston, Ryan
Sent: Monday, April 13, 2020 2:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] NAC/authentication implementations

1. If you have a NAC solution do you do port based auth?
* Yes. We use Clearpass to implement.

2. If you have a NAC solution do you do eap-tls? If so how are you handling the certification "push" to devices?
* Yes, our primary preferred authentication protocol is EAP-TLS; however, we do offer and support EAP-PEAP and PSK methods for devices that do not support TLS certificates or have a bad user experience with them (looking at you, Chromebooks!). We use a product called SecureW2 for self-service user onboarding to WiFi which inserts the certificate into the device.

3. What were the major pain points during implementation?
* Client onboarding via a local captive portal. Client captive portal browsers are volatile and their behavior can severely affect the client experience.

4. What were the major use cases you were resolving/resolved?
* We were looking to move away from EAP-PEAP largely for security and convenience reasons. One particular pain point was the regularly scheduled expiration of user account passwords. This in turn would knock a device with saved EAP-PEAP credentials off of the network. Our client certificates are valid for a longer period of time and largely avoid this issue. Network access is tied to a combination of valid certificate and valid account lifecycle check.

5. Anything you would do differently if you do it again?
* I would have liked to have spent more time polishing the onboarding experience. Our deployment timeline however did not allow for it. As other threads on this list have mentioned, if you go down this road you will be served well by testing your workflow extensively and often. Each device type has different captive portal behavior, as well as the possibility of application changes with new device software updates.

Ryan
--
Ryan Johnston
he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu | https://helpdesk.depaul.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Brady J. Ballstadt
Sent: Monday, April 13, 2020 9:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] [WIRELESS-LAN] NAC/authentication implementations

Hello everyone,

Have a few questions as we do some research to add on to our NAC implementation and are trying to avoid issues, or at least minimize them.

1. If you have a NAC solution do you do port based auth?
2. If you have a NAC solution do you do eap-tls? If so how are you handling the certification "push" to devices?
3. What were the major pain points during implementation?
4. What were the major use cases you were resolving/resolved?
5. Anything you would do differently if you do it again?

Any extra information would be great as well.

Thank you,
Brady Ballstadt
University of Arkansas

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
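Added example, not code from any of the posters or from their ClearPass/SecureW2 deployments: a Go sketch of the policy decision Ryan describes in his point 4, where wired/wireless access requires both a certificate that verifies and an account that is still active, placed next to a model of the password-based PEAP path that drops a device as soon as its password expires. Everything named here is constructed: the in-memory CA stands in for the real enrollment PKI (AD, JAMF or an onboarding tool), the example.edu domain and the two users are placeholders, and the directory map stands in for the identity store the policy server would query.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Account is a constructed sample of what the directory says about a certificate's identity.
type Account struct {
	Enabled         bool
	PasswordExpired bool // knocks PEAP users off the network; irrelevant to certificate auth
}

// Hypothetical users; example.edu is a placeholder domain.
var directory = map[string]Account{
	"alice@example.edu": {Enabled: true, PasswordExpired: true},   // password lapsed, cert still valid
	"bob@example.edu":   {Enabled: false, PasswordExpired: false}, // account disabled, cert not yet expired
}
var nextSerial int64 // serial counter for the in-memory CA

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a fresh key for tmpl and signs it with signer, or self-signs when signer is nil.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		signer, parent = key, tmpl
	}
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newCA stands in for the enrollment PKI (AD certificate services, JAMF, an onboarding tool).
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueClientCert mints an EAP-TLS client certificate that carries the user's email as a SAN.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string, notBefore, notAfter time.Time) *x509.Certificate {
	cert, _ := mint(&x509.Certificate{
		Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

// Authorize is the EAP-TLS policy decision: x509.Verify checks chain, validity window and
// client-auth EKU; then the certificate's identity must still map to an enabled account.
func Authorize(roots *x509.CertPool, leaf *x509.Certificate, now time.Time, dir map[string]Account) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if len(leaf.EmailAddresses) != 1 {
		return "", fmt.Errorf("certificate does not name exactly one email identity")
	}
	id := leaf.EmailAddresses[0]
	if acct, ok := dir[id]; !ok || !acct.Enabled {
		// Lifecycle check: a cryptographically valid certificate for a disabled
		// or unknown account must not grant access.
		return "", fmt.Errorf("account %s is not active", id)
	}
	return "corp", nil // PasswordExpired is deliberately not consulted; role name is a placeholder
}

// PasswordAuthorize models the PEAP path for contrast: the same account is refused once its password lapses.
func PasswordAuthorize(id string, dir map[string]Account) (string, error) {
	if acct, ok := dir[id]; !ok || !acct.Enabled || acct.PasswordExpired {
		return "", fmt.Errorf("account %s refused (unknown, disabled or password expired)", id)
	}
	return "corp", nil
}

func main() {
	now := time.Date(2020, 4, 13, 12, 0, 0, 0, time.UTC)
	ca, caKey := newCA("Example University Issuing CA", now)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	alice := issueClientCert(ca, caKey, "alice@example.edu", now.AddDate(0, 0, -1), now.AddDate(1, 0, 0))
	fmt.Println(Authorize(roots, alice, now, directory))          // certificate path: admitted
	fmt.Println(PasswordAuthorize("alice@example.edu", directory)) // PEAP path: refused
}
```

Two things worth noting when reading this against the thread. First, Go's x509.Verify does no revocation checking, so in this model the directory lookup is what closes the window between a user leaving and their certificate expiring; a production policy server would add CRL or OCSP checks on top of the account check rather than rely on either alone. Second, the identity is taken from the email SAN here only because it is simple to construct; a real RADIUS policy would bind to whatever the enrollment system puts in the certificate (commonly a UPN or email SAN) and should reject certificates that carry none.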