We moved to "wired-auth" about 2 years ago. The original goal was to 
authenticate every wired port and make it more consistent with wireless. It 
comes down to tracking and accountability for access to our network. A very 
happy outcome was that it basically got rid of all moves/adds/changes, as now 
all our ports can support any VLAN wanted/needed. It is just a matter of the 
end user properly authenticating the device. The end users are very happy with 
this model.

Now wired/wireless authentication can be done in many ways. On both sides 
we currently support a combination of MAC-AUTH, PEAP and EAP-TLS, listed from 
least to most secure. Our goal is to move that slider as far to the secure 
side as possible. I know the arguments about whether EAP-TLS is worth the 
effort, but it is more secure and I think it should be a goal.

On the wireless side we are using SecureW2 and are moving to EAP-TLS, with a 
goal of eventually removing PEAP. We are about 25% there, as each year 25% of 
our students turn over, so it is a four-year plan.

On the wired side it is more difficult, as certs are a real pain on wired staff 
workstations. It all boils down to having admin privileges on these machines, 
which most faculty do not, but you want the cert in their name. The other issue 
is the whole auth-before-login and multiple-users problem. Yeah, there are ways 
around it, but it is a major pain. So we have not made very many inroads into 
certs on the wired side, or even PEAP for that matter. But we keep trying to 
move that slider as far to the right as possible.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, April 13, 2020 3:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] NAC/authentication 
implementations

Where wired 802.1X is a goal, have you seen real-world security issues happen 
in your environments that this will solve, or is the target one of evolution 
and prevention?

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of McClintic, Thomas
Sent: Monday, April 13, 2020 3:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] NAC/authentication 
implementations

We are currently at the beginning of implementing NAC on the wire. We are using 
a phased approach to ease clients into it.

Phase 1a) Introduce open MAC authentication to all ports; this helps verify 
connectivity and licensing.
Phase 1b) Roll out certificate enrollment via AD and JAMF for EAP-TLS usage.
Phase 2a) Enable EAP-TLS authentication along with open MAC and registered 
MACs; enable AD and JAMF computers for wired authentication.
Phase 2b) Captive portal for open MAC authentication that enables users to 
enroll for a certificate (using CPPM Onboarding).
Phase 3) Begin enforcing EAP-TLS or restricted MAC authentication (to 
authenticate non-EAP-TLS devices); no authentication leaves you in a 
captive portal, and if you bypass this portal you are restricted to an 
internet-only segmented network.

We are currently on phase 2a, but are still working on the design and 
implementation. We are going very slowly to minimize impact to users while 
trying to increase our security by restricting open port access. The ultimate 
goal will be to know who or what is on each port and enable our security group 
to dictate the policies.
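The two posts above describe the same server-side decision from different angles: the first says every port can carry any VLAN because the RADIUS reply decides it per authenticated device, and the phased plan says what that reply should be for MAC-only devices as enforcement tightens. The following is an added example, not code from either post or from ClearPass, that puts both into one policy function. It ranks the method (MAC-AUTH < PEAP < EAP-TLS), applies the rollout phase, and answers with the RFC 3580 tunnel attributes the switch uses to place the port in a VLAN. The VLAN numbers, role names, phase labels, the `Role` attribute name and the registered-MAC table are assumptions chosen for the example.

```python
"""Phased wired-NAC authorization with RADIUS dynamic-VLAN replies.

Added example; it is not code from any of the list posts or from ClearPass.
It models the decision the authentication server makes once the switch has
relayed a MAC-AUTH (MAB), PEAP or EAP-TLS attempt. VLAN numbers, role names,
phase labels and the registered-MAC table are assumptions for the example.
"""
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, Optional


class Method(IntEnum):
    """Authentication methods ordered from least to most secure."""
    MAC_AUTH = 1
    PEAP = 2
    EAP_TLS = 3


# Assumed VLAN plan for the example.
VLAN_CAMPUS = 100         # full access
VLAN_INTERNET_ONLY = 200  # phase 3 fallback for unauthenticated devices
VLAN_ONBOARD = 300        # reaches only the certificate-enrollment portal

# Constructed registration table (MAC -> asset tag) for devices that cannot do EAP.
REGISTERED_MACS: Dict[str, str] = {"00:11:22:33:44:55": "printer-lib-2"}


@dataclass(frozen=True)
class AuthResult:
    mac: str
    method: Method
    success: bool           # EAP exchange outcome; always True for MAB (switch just reports the MAC)
    identity: str = ""      # user or certificate name for EAP, empty for MAC-AUTH


def vlan_attrs(vlan: int, role: str) -> Dict[str, str]:
    """RADIUS Access-Accept attributes for dynamic VLAN assignment (RFC 3580)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
        "Role": role,                     # example-only attribute name
    }


def authorize(phase: str, r: AuthResult) -> Optional[Dict[str, str]]:
    """Return Access-Accept attributes, or None for Access-Reject."""
    if r.method != Method.MAC_AUTH and not r.success:
        # A failed EAP exchange is rejected outright; if the switch is configured
        # to fall back to MAB it will send a separate MAC-AUTH request.
        return None
    if r.method == Method.EAP_TLS:
        return vlan_attrs(VLAN_CAMPUS, "eap-tls")
    if r.method == Method.PEAP:
        # Still admitted, but tagged so reporting can show how far the slider has moved.
        return vlan_attrs(VLAN_CAMPUS, "peap-legacy")

    registered = r.mac.lower() in REGISTERED_MACS
    if phase in ("1a", "1b"):
        # Monitor mode: every MAC gets on so connectivity and licensing can be verified.
        return vlan_attrs(VLAN_CAMPUS, "open-mac")
    if phase in ("2a", "2b"):
        if registered:
            return vlan_attrs(VLAN_CAMPUS, "registered-mac")
        if phase == "2b":
            # Unenrolled devices are steered to the onboarding portal.
            return vlan_attrs(VLAN_ONBOARD, "onboard-portal")
        return vlan_attrs(VLAN_CAMPUS, "open-mac")
    if phase == "3":
        if registered:
            return vlan_attrs(VLAN_CAMPUS, "registered-mac")
        # Enforcement: unknown MACs land in the captive portal / internet-only segment.
        return vlan_attrs(VLAN_INTERNET_ONLY, "captive-portal")
    raise ValueError(f"unknown rollout phase {phase!r}")


def method_mix(results: Iterable[AuthResult]) -> Dict[str, int]:
    """Count successful sessions per method: the 'slider' metric for the rollout."""
    return dict(Counter(r.method.name for r in results if r.success))


if __name__ == "__main__":
    today = [  # constructed sample of one day's authentications
        AuthResult("00:11:22:33:44:55", Method.MAC_AUTH, True),
        AuthResult("66:77:88:99:aa:bb", Method.MAC_AUTH, True),
        AuthResult("cc:dd:ee:ff:00:11", Method.PEAP, True, "jdoe"),
        AuthResult("22:33:44:55:66:77", Method.EAP_TLS, True, "CN=jdoe-laptop"),
    ]
    for r in today:
        print(r.mac, authorize("3", r))
    print(method_mix(today))
```

Running the sample through phase "3" shows the registered printer keeping its campus VLAN while the unknown MAC is pushed to the internet-only VLAN; `method_mix` is the number to watch as PEAP sessions are replaced by EAP-TLS ones.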

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Johnston, Ryan
Sent: Monday, April 13, 2020 2:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] [WIRELESS-LAN] NAC/authentication 
implementations


  1.  If you have a NAC solution do you do port based auth?
     *   Yes. We use ClearPass to implement it.
  2.  If you have a NAC solution do you do EAP-TLS? If so how are you handling 
the certificate "push" to devices?
     *   Yes, our primary preferred authentication protocol is EAP-TLS; however, 
we do offer and support EAP-PEAP and PSK methods for devices that do not 
support TLS certificates or have a bad user experience with them (looking at 
you, Chromebooks!). We use a product called SecureW2 for self-service user 
onboarding to WiFi, which inserts the certificate into the device.
  3.  What were the major pain points during implementation?
     *   Client onboarding via a local captive portal. Client captive portal 
browsers are volatile, and their behavior can severely affect the client 
experience.
  4.  What were the major use cases you were resolving/resolved?
     *   We were looking to move away from EAP-PEAP largely for security and 
convenience reasons. One particular pain point was the regularly scheduled 
expiration of user account passwords. This in turn would knock a device with 
saved EAP-PEAP credentials off of the network. Our client certificates are 
valid for a longer period of time and largely avoid this issue. Network access 
is tied to a combination of a valid certificate and a valid account lifecycle check.
  5.  Anything you would do differently if you do it again?
     *   I would have liked to have spent more time polishing the onboarding 
experience. Our deployment timeline, however, did not allow for it. As other 
threads on this list have mentioned, if you go down this road you will be 
served well by testing your workflow extensively and often. Each device type 
has different captive portal behavior, as well as the possibility of 
application changes with new device software updates.


Ryan

--
Ryan Johnston he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu | https://helpdesk.depaul.edu
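Point 4 in the reply above is the core of the security argument for EAP-TLS: a scheduled password expiry ends a PEAP session because PEAP's inner method depends on the password, while an EAP-TLS device keeps working as long as its certificate is valid and its account is still live. The block below is an added example, not code from the post, from SecureW2 or from ClearPass, of the post-authentication authorization the RADIUS server performs after the TLS handshake has already proven possession of the private key. It admits a device only when the certificate comes from the onboarding CA, is inside its validity window and is not revoked, and when the matching account is enabled and not past its lifecycle end date; the password is deliberately not consulted. The CA name, the convention that the certificate CN equals the account name, the account table, the revoked serials and the evaluation time are all constructed for the example.

```python
"""EAP-TLS post-authentication authorization: valid certificate AND live account.

Added example; not code from the post, from SecureW2 or from ClearPass. The CA
name, the CN-equals-account-name convention, the account table, the revoked
serials and the evaluation time are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple

ONBOARDING_CA = "CN=Campus Device CA"      # assumed issuer DN
REVOKED_SERIALS: Set[int] = {0x2A17}        # constructed CRL contents


@dataclass(frozen=True)
class ClientCert:
    issuer: str
    subject_cn: str        # assumption: the onboarding CA issues CN = account name
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    expires: Optional[datetime]   # lifecycle end date (graduation, contract end); None = open-ended
    password_expired: bool


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def check_cert(cert: ClientCert, now: datetime) -> Optional[str]:
    """Return a rejection reason, or None if the certificate is acceptable."""
    if cert.issuer != ONBOARDING_CA:
        return "issuer is not the onboarding CA"
    if now < cert.not_before:
        return "certificate not yet valid"
    if now > cert.not_after:
        return "certificate expired"
    if cert.serial in REVOKED_SERIALS:
        return "certificate revoked"
    return None


def check_account(acct: Optional[Account], now: datetime) -> Optional[str]:
    """Lifecycle check shared by both methods; it never looks at the password."""
    if acct is None:
        return "no matching account"
    if not acct.enabled:
        return "account disabled"
    if acct.expires is not None and now > acct.expires:
        return "account past lifecycle end date"
    return None


def authorize_eap_tls(cert: ClientCert, accounts: Dict[str, Account],
                      now: datetime) -> Tuple[bool, str]:
    """Certificate checks first, then the account the certificate maps to."""
    reason = check_cert(cert, now) or check_account(accounts.get(cert.subject_cn), now)
    return (reason is None, reason or f"accept {cert.subject_cn}")


def authorize_peap(acct: Optional[Account], now: datetime) -> Tuple[bool, str]:
    """PEAP's inner method proves the password, so an expired password ends access."""
    reason = check_account(acct, now)
    if reason is None and acct.password_expired:
        reason = "password expired; cached credential no longer works"
    return (reason is None, reason or f"accept {acct.name}")


# Constructed directory snapshot and evaluation time.
NOW = _utc(2020, 4, 13)
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", True, _utc(2022, 6, 1), password_expired=True),
    "bob":   Account("bob", False, None, password_expired=False),          # left the university
    "eve":   Account("eve", True, _utc(2020, 3, 31), password_expired=False),  # graduated
}
ALICE_CERT = ClientCert(ONBOARDING_CA, "alice", 0x1001, _utc(2019, 9, 1), _utc(2021, 9, 1))
BOB_CERT = ClientCert(ONBOARDING_CA, "bob", 0x1002, _utc(2019, 9, 1), _utc(2021, 9, 1))
EVE_CERT = ClientCert(ONBOARDING_CA, "eve", 0x1003, _utc(2019, 9, 1), _utc(2021, 9, 1))
REVOKED_CERT = ClientCert(ONBOARDING_CA, "alice", 0x2A17, _utc(2019, 9, 1), _utc(2021, 9, 1))
ROGUE_CERT = ClientCert("CN=Some Other CA", "alice", 0x1001, _utc(2019, 9, 1), _utc(2021, 9, 1))

if __name__ == "__main__":
    for label, cert in [("alice", ALICE_CERT), ("bob", BOB_CERT), ("eve", EVE_CERT),
                        ("revoked", REVOKED_CERT), ("rogue", ROGUE_CERT)]:
        print(f"EAP-TLS {label:8s}", authorize_eap_tls(cert, ACCOUNTS, NOW))
    print("PEAP    alice   ", authorize_peap(ACCOUNTS["alice"], NOW))
```

The interesting pair is alice: her password has expired, so the PEAP path rejects her, while the EAP-TLS path accepts her because the certificate and the account lifecycle are both fine. The bob, eve and revoked cases show that the longer certificate lifetime does not turn into a longer access lifetime, which is the check that makes a two-year client certificate safe to issue.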

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Brady J. Ballstadt
Sent: Monday, April 13, 2020 9:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] [WIRELESS-LAN] NAC/authentication implementations

Hello everyone,

I have a few questions as we do some research to add on to our NAC 
implementation and try to avoid issues, or at least minimize them.

  1.  If you have a NAC solution do you do port based auth?
  2.  If you have a NAC solution do you do eap-tls? If so how are you handling 
the certification “push” to devices?
  3.  What were the major pain points during implementation?
  4.  What were the major use cases you were resolving/resolved?
  5.  Anything you would do differently if you do it again?

Any extra information would be great as well.

Thank you,

Brady Ballstadt
University of Arkansas

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
