Thank you Darren,

As I expected. What we are trying to do is to keep non company devices off the network. We have patch management & IDS implemented already. I'm thinking a full blown NAC solution is expensive and possibly over-kill. Also I don't want to do MAC port security because of administrative overhead.

What if we set up service account on the hosts that would log in and be used to keep the devices on the network. we could then re-authenticate every 7200 secs or whatever as a keepalive.

Thoughts?

Catalyst switches offer configurable behavior in this regard. By default, switches offer a bidrectional controlled port. This means nothing should come into or out of the network until authorized by 1X. But this would not inter-operate with the above use case, and it is written into the 1X spec as well as a guideline for how to deal with this. It is a unidirectional controlled port. This means traffic can exit the network (like to wake a machine up for patches, etc.) but traffic is still disallowed inbound until authorized by 1X. Thus, the expectation here is that any machine that uses this must authenticate itself for network access .. which typcially means machine-auth as pointed out above.

Hope this helps,

Thanks,

So what your saying is that although the device is not in an authenticated state it will still take software pushes or remote access. It just cant initiate the communication?

Regards,

Mike

Let me describe it with an example:

* 802.1X-authenticate my PC. The port is up and authenticated.

* Put my machine in hibernate mode when I leave for the evening (port goes down), and I am using a WoL utility to wake my machines up (I might have been using this before 1X anyway).

* With the described feature, this allows me to send my WoL traffic to my PC to wake it up, even though the port is UNAUTHORIZED.

* However, remember you're still running 802.1X, so my machine must 802.1X-authenticate itself when it wakes up to get proper network access.

Hope this helps,

YES .... I understand now.

You can use both actually.

We use Aegis with machine authentication (Active Directory SID) and user auth on top.

So when the PC is 'on' it is authenticated using it's SID entry in Active directory. When the user comes in and logs on, the authentication process starts again to authenticate the specific user...

Exellent Jason...Thanks

If you guys don't mind, I'd like to use the great talent pool on this post with a counter-question.

I'm deploying a wired 802.1 infrastructure and the simplest method seems to use MD5 on my Windows XP workstations.

1) Is this secure enough and is the most commonly deployed encryption protocol for wired 802.1x?

2) What are my other options without installing a certificate server?

Thank you

In most cases MD5 is not strong enough anymore.

From the choices TLS, TTLS, PEAP and FAST you could take a look at TTLS, PEAP and FAST. With these three you only need a server certificate to make it work. If you use Cisco's ACS it is easy, it has a build-in CA. Otherwise take a look at the Microsoft CA, freely available on server installations, and works fine.

I've used them al except for TLS, and they are pretty easy to implement. TTLS has a lot of flexibility for inner authentication protocols, PEAP is already supported by the build in XP client (with SP2 you case use SSO when authenticating to AD). Use FAST if you are going for NAC as well.