RE: 802.1x Authentication
From: Jef Feltman (feltman_at_pacbell.net)
Date: 10/29/04
- In reply to: Wozny, Scott (US - New York): "RE: 802.1x Authentication"
To: "'Wozny, Scott (US - New York)'" <swozny@deloitte.com>, "'Billy Dodson'" <billy@pmm-i.com>, <focus-ms@securityfocus.com>
Date: Thu, 28 Oct 2004 19:28:43 -0700
Yes, you can move the user who does not auth to a separate VLAN or apply
filters to keep them off your internal network and still allow them access
to the internet. This works on almost every NAS. Thanks to MS you can log
out and back in without the need to reboot now or hack the registry
(supplicantmode setting in the registry).
To clarify my point:
If you set your NIC to use EAP (802.1x) and the switch (NAS) is not set to
use EAP, you will get full access to the network without the need to auth.
The default setting for XP is to turn on authentication, check your auth tab
in the network settings.
One issue I have seen is the need to have the machine on the network when no
user is logged in. That can be done with machine certs. Make sure to use
simple certificate selection and turn off Validate server certificate. This
will make it easier to set up. You should play with these settings to see
how they affect usage before deploying.
jef
-----Original Message-----
From: Wozny, Scott (US - New York) [mailto:swozny@deloitte.com]
Sent: Thursday, October 28, 2004 1:31 PM
To: Jef Feltman; Billy Dodson; focus-ms@securityfocus.com
Subject: RE: 802.1x Authentication
It's within the standard to set up a default role that users who choose not
to authenticate will be put into (i.e. HTTP, HTTPS and VPNs only for
visitors). It's also possible to do multiple authentication on the same
port if the switch allows it. I would suggest experimenting with the
wireless settings you've found and applying them to wired interfaces. I think
you'll be surprised how much of it works.
Scott
-----Original Message-----
From: Jef Feltman [mailto:feltman@pacbell.net]
Sent: Wednesday, October 27, 2004 10:30 PM
To: 'Billy Dodson'; focus-ms@securityfocus.com
Subject: RE: 802.1x Authentication
If the switch is not set up for 802.1x then it will not ask for
authentication for access.
If the switch is set up for 802.1x then every computer and/or user will need
to authenticate. You can place this requirement on each port you wish to
have authenticate.
PLUG
Integrity www.zonelabs.com supports 802.1x on switches and wireless APs, if
the device supports it.
PLUG
jef
-----Original Message-----
From: Billy Dodson [mailto:billy@pmm-i.com]
Sent: Wednesday, October 27, 2004 9:21 AM
To: focus-ms@securityfocus.com
Subject: 802.1x Authentication
Is it possible through Active Directory group policy, or any other means, to
change the configuration of the ethernet authentication tab? I am trying to
enable PEAP authentication and validate certificates. PEAP is not the
default setting.
I found in group policy where this can be changed for wireless clients, but
I need to make these changes for a wired connection. Any ideas?
Thanks,
Billy