Implementing 802.1x for a multisite (100+) organisation. Using bonded authentication to verify both machine and user supplicants prior to network access being granted. Great for Windows systems, not so good for our OS X clients as they don’t do machine authentication.
I have recently started a new project in the day job. We have been asked to construct a test environment that will allow secure wireless access for company equipment to the internal network and at the same time allow guests to use their own wireless devices to connect to the Internet while being kept far away from the internal network. Once testing is complete the ‘model’ will then be applied to just under 100 sites with a potential user base of 45,000 unique users.
It was decided to implement IEEE 802.1x for users and machines using a wireless connection. This post has not been written to show how this can be set up (there are millions of guides on the web already); instead, it jots down some of the problems, issues and obstacles that were encountered.
Two SSIDs were created. The first SSID, let’s call it ‘Guest’, was broadcast and visible to all users. Guests and staff with their own equipment can see and connect to this SSID, giving them access to the Internet via an internal captive portal to which their browser is redirected when they first try to browse to a web page. The guest enters a user name and password (supplied by the company) and is then connected to the Internet. You’ve probably seen this before; think McDonald’s or Starbucks hotspots and the WiFi you get supplied in hotels.
Connecting to the ‘Guest’ SSID also tells the switch to place the client on a guest VLAN. The guest VLAN keeps the guest clients separate from the internal network, and it was also configured to block peer-to-peer connections between guest clients.
The second SSID, let’s call it ‘Company’, was hidden, and only known company equipment was allowed to be configured for and connected to this SSID using the 802.1x standard. Depending on the user and computer credentials supplied, the user was placed on an appropriate VLAN. A regular user would be placed on a user VLAN with access to file shares etc. Tech support users were placed on the tech VLAN with raised access privileges, and so on.
We decided to go for a combined (bonded) authentication method using both machine and user credentials held in Active Directory. If both pieces of information were not present, the client would not be allowed onto the internal network and would be given the guest experience only.
Windows XP
Clients were configured through Active Directory. You can configure and push an entire wireless policy (SSID, encryption, type of connection, type of 802.1x authentication) via Group Policy, which is really neat and scarily easy to do.
Windows 2000 (Service Pack 4 only)
This is a manual process, I’m afraid. The Dell clients we had could not be controlled via Windows, and the third-party software provided by the wireless card manufacturer (Intel) had to be used for configuration.
Mac OS X
The OS from Apple posed a real headache. 802.1x has been natively supported since version 10.3. Unfortunately their implementation only supports user authentication. At present (as far as I can tell) there is no way to authenticate the machine as well as the user (10.5 machine authentication actually uses a user account and is not true machine authentication). This caused a real problem for the security we had envisaged: switching to user authentication only would allow guests to put their own equipment onto our internal network.
We did try user authentication with MAC-level security for the machine but could not get this to work, which is just as well, because management would be a nightmare. We decided to stick with machine and user authentication and place the OS X machines on a new SSID with WPA2 encryption and MAC-level authentication only. This is a temporary solution. The powers that be have been informed of the risk and they have accepted it.
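To make the bonded-authentication decision described above concrete (both the ‘Company’ SSID policy and the OS X user-only case), here is a small model of the authorization logic a RADIUS server would apply. This is an added example, not the original post’s or any vendor’s code; the account formats, group names, VLAN names and MAC addresses are constructed.

```python
# Model of the bonded (machine + user) 802.1x authorization decision.
# Constructed directory data; a real server would query Active Directory.
GUEST_VLAN = "guest"
REJECT = "reject"
# Assumed AD group -> VLAN mapping; most privileged group first, first match wins.
GROUP_VLANS = [("Tech Support", "tech"), ("Domain Users", "user")]
MACHINE_ACCOUNTS = {"host/pc0123.corp.example"}          # constructed machine identity
USER_ACCOUNTS = {"jsmith": {"Domain Users"},              # constructed users and groups
                 "tsupport": {"Tech Support", "Domain Users"}}


class BondedAuthPolicy:
    """Remembers which client MACs completed machine authentication."""

    def __init__(self):
        self.machine_ok = set()

    def machine_auth(self, mac, identity):
        """Computer credentials, sent at boot before any user logs on."""
        if identity not in MACHINE_ACCOUNTS:
            return REJECT
        self.machine_ok.add(mac)
        # A known machine with no user yet gets the same access as a guest.
        return GUEST_VLAN

    def user_auth(self, mac, username):
        """User credentials, sent after logon (or alone by an OS X supplicant)."""
        groups = USER_ACCOUNTS.get(username)
        if groups is None:
            return REJECT
        if mac not in self.machine_ok:
            # Valid user on equipment that never authenticated as a machine
            # (e.g. a personal laptop or an OS X client): guest experience only.
            return GUEST_VLAN
        for group, vlan in GROUP_VLANS:
            if group in groups:
                return vlan
        return GUEST_VLAN

    def disconnect(self, mac):
        """Forget the machine state once the client leaves the network."""
        self.machine_ok.discard(mac)


def demo():
    policy = BondedAuthPolicy()
    corp = "00:11:22:33:44:55"     # constructed MAC of a domain-joined Windows laptop
    osx = "66:77:88:99:aa:bb"      # constructed MAC of an OS X client (user auth only)
    return [policy.machine_auth(corp, "host/pc0123.corp.example"),
            policy.user_auth(corp, "tsupport"),
            policy.user_auth(osx, "jsmith"),
            policy.user_auth(corp, "nobody")]
```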
Mac OS 9
OS 9 does not support 802.1x and these are being phased out.
Linux
We currently do not have any company Linux systems. Linux users can still connect to the ‘Guest’ SSID.
Further reading:
Wikipedia: 802.1x:
http://en.wikipedia.org/wiki/802.1x
TechNet: Access AD wireless policies:
http://tinyurl.com/4fyqjv
TechNet: Configure AD wireless policies:
http://tinyurl.com/45lqx8
Ja.net: 802.1x Implementation (PDF):
http://www.ja.net/documents/publications/technical-guides/8021x-tg-web.pdf
This post is tagged 802.1x, client configuration, mac os x, windows 2000, windows xp, wireless networking, wireless security