> If you have a NAC solution do you do port based auth?

Units may choose to activate NAC on ports of supporting equipment (drop-down menu for them in a web interface we provide). It supports both 802.1X and MAC Authentication Bypass (MAB) with an on-boarding redirect portal. To date there are only several thousand ports activated outside the residential network (which is all NAC). Security initiatives will likely take that far higher in the coming years.

> If you have a NAC solution do you do EAP-TLS? If so how are you handling the certificate "push" to devices?

No, PEAP at this time for the greatest compatibility.

> What were the major pain points during implementation?

802.1X: Supplicants for wired 802.1X are not as mature as wireless, but are getting better.

MAB: Browsers resist redirects. This can lead to timeouts of a minute or more for the end user, resulting in calls to the help desk. Also, our distributed IT support wishes to control this interaction, and we have not yet implemented a portal for them to manage thousands of devices.

Windows: most are deployed via a GPO, which was painless. What we did not do initially was integrate with Active Directory to support machine credentials (we have a FreeRADIUS environment for 802.1X given scale). When users log out, the machine goes to an unauthenticated state. While our ACLs allowed access to IP ranges with management servers, the community wanted access for other items. With support for machine credentials, when users log out the machine logs in under its own credentials and is still accessible. However, we lack network-level tracking of IP activity to user authentication, needing to go through the AD logs to see who may have been logged into a machine remotely if issues arise.

Mac OS: with recent versions, 802.1X is on by default and one has to go to some effort to shut it off. There are issues in a shared computing environment (e.g. a computer lab) that have not been resolved; they do not cleanly implement the same concepts as a Windows environment, even with local scripting.

Arriving at the right combination to have 802.1X and MAB required IBNS 2.0 IOS versions, which limits it to 70% of the switch port inventory. We are returning ACLs to implement various policies. Older switches have limited capabilities as to how deep those ACLs can be. Getting the timers correct was a bit of work.

> What were the major use cases you were resolving/resolved?

First, we wanted automation of port configurations. Second, we expected future compliance would require NAC (that shoe has now dropped). It ties in with a push from wireless to move inventory and information risk assessment to the end user (since that is now knowable and was not possible in our wired environment previously).

> Anything you would do differently if you do it again?

We'd probably do MAB only first to get the automation piece across the entire inventory and wait more years for all switches to support IBNS 2.0.

William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | it.utexas.edu | gr...@austin.utexas.edu
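As an added illustration of the 802.1X-then-MAB fallback the reply above describes (this is example configuration written for this page, not UT Austin's configuration or anything posted by the author), the following Cisco IOS IBNS 2.0 fragment tries 802.1X first, falls back to MAB when no supplicant answers, and makes the fallback timer explicit. The RADIUS server address and shared secret, the policy-map, class-map, service-template and ACL names, the VLAN and portal address, and the timer values are all assumptions chosen for the example.

```cisco
! --- AAA / RADIUS (example values; server address and key are placeholders) ---
aaa new-model
radius server NAC-RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius NAC-SERVERS
 server name NAC-RADIUS-1
aaa authentication dot1x default group NAC-SERVERS
aaa authorization network default group NAC-SERVERS
aaa accounting dot1x default start-stop group NAC-SERVERS
dot1x system-auth-control

! --- Local fallback policy for endpoints that fail MAB (example ACL) ---
! Only DHCP, DNS and the (assumed) on-boarding portal are reachable.
ip access-list extended QUARANTINE-ACL
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 192.0.2.20 eq 443
 deny ip any any
service-template QUARANTINE-TEMPLATE
 access-group QUARANTINE-ACL

! --- Classify authentication outcomes ---
! agent-not-found: no EAPOL reply from the host, i.e. no supplicant.
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
! authoritative: the RADIUS server rejected the 802.1X attempt.
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative

! --- Sequencing: 802.1X first, MAB second, quarantine on failure ---
policy-map type control subscriber NAC-DOT1X-THEN-MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 activate service-template QUARANTINE-TEMPLATE
   30 authentication-restart 60
 ! A supplicant that wakes up after MAB authorised the port gets 802.1X
 ! again, so the higher-priority method wins.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10

! --- Access port ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 access-session port-control auto
 access-session host-mode multi-auth
 dot1x pae authenticator
 ! EAPOL Request-Identity is sent at link-up and retried max-reauth-req
 ! times, tx-period seconds apart: (2 + 1) * 7 = 21 s before the
 ! agent-not-found event fires and MAB takes over.
 dot1x timeout tx-period 7
 dot1x max-reauth-req 2
 mab
 service-policy type control subscriber NAC-DOT1X-THEN-MAB
```

The port is left in the default open mode so an unauthenticated host can still reach the on-boarding redirect portal; add `access-session closed` under the interface to drop everything except EAPOL before authorisation. The per-session ACLs the reply mentions returning from RADIUS are carried in the Access-Accept as Cisco-AVPair attributes of the form `ip:inacl#10=permit ip any host 192.0.2.30` (address assumed), one attribute per ACE; on older platforms the number of ACEs such a returned ACL may carry is limited, which is the depth constraint the author describes.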