The Novell client doesn't use the windows login password (they keep them
blank and actually have a script that deletes *.pwl), and is also configured
to blank out the username. This can be done with NT as well (or at least
instruct users to use blank local windows passwords).
--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
""Chuck Larrieu"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> User name is easily found by looking at the default login screen on a
> windoze device.
>
> As for the password, it's no doubt easily found on one of the post-it's on
> the edge of the monitor. ;->
>
> I'm with Howard - exactly what does a layer two security feature
accomplish
> in real terms?
>
> Chuck
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 17, 2001 5:51 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Windows XP and Catalyst 5000 Issues ... [7:911]
>
> True, but even if you sat down at a PC and got its MAC address (or just
used
> that same PC), you'd still have to have the username/password for any real
> access, as even their Bordermanager proxy is based on being authenticated
to
> NDS. But good point if that's all a person was using to verify a valid
> connection to a network.
>
> But the without locking it down to a MAC address, what would stop a
> broadcast storm at the local switch? What other authentication methods
are
> there at layer 2? I mean, I guess you could have some sort of script that
> would disable the port if the user failed to authenticate with your
servers
> within a given amount of time... but in that time a WinXP PC would have
> melted a Cat5k (or worse: a program that simulates the same problem that
can
> be run on an OS).
>
> --
> Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
> List email: [EMAIL PROTECTED]
> Homepage: http://jason.artoo.net/
>
>
>
> ""Howard C. Berkowitz"" wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > Frankly, I'm very dubious about any security scheme based on MAC
> > address alone, for wired or wireless networks. At best, it's
> > controlling which device can plug into a port, using an identifier
> > that can be spoofed without all that much effort. The MAC address
> > proves absolutely nothing about the identity of the person using the
> > device. I'm really not sure what problem, in most cases, it solves.
> > Once the device is connected, there are no controls.
> >
> > Data link level encryption does make sense for wireless networks.
> >
> > If I am concerned about random devices plugging into a LAN and doing
> > evil, I'd much rather that they have to connect to an authenticating
> > proxy server, or let them in but control server access, or require
> > encryption with authentication of the user ID. There are other
> > methods for controlling broadcast attacks.
> >
> > >Regarding layer 2 security, it all comes down to how much of an
> > >administrative load you can handle. We have one customer that locks
each
> > >port down to the MAC address of what is supposed to be there. No
> > >unauthorized traffic is allowed to touch the network beyond the switch
> port
> > >which just drops it. They very rarely if ever have moves, and when
they
> do
> > >it all has to be coordinated with the lan/switch netadmin. I hate it
> > >because I can't just come in and plug in my laptop anywhere ;-p
> > >
> > >Of course, this wouldn't work with an IP phone install where you're
> expected
> > >to be able to move phones all of the time. I'm sure there is some way
to
> > >create a list of MAC addresses (and maybe tag them with an appropriate
> VLAN,
> > >like a generic "PUBLIC" VLAN for all unknown MAC addresses, which is
> > >essentially firewalled from the rest of the network). Still, this same
> bug
> > >would have melted a network configured as such.
> > >
> > >
> > >--
> > >Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
> > >List email: [EMAIL PROTECTED]
> > >Homepage: http://jason.artoo.net/
> > >
> > >
> > >
> > >""Priscilla Oppenheimer"" wrote in message
> > >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > >> Taking a step back, she asked, "so what's with this 802.1x standard,
> > >> anyway?" Is anyone actually using it?
> > >>
> > >> Data-link-layer security definitely makes sense for 802.11 wireless
> > >> networks. Does it really make sense for wired networks? Is the bug
> > >> happening with wired or wireless networks? It sounds like it's
> happening
> > >> with wired networks since the bug is with the Catalyst 5000 EARL,
> though
> > >> some of the reports have called 802.1x a wireless standard. That's
> pretty
> > >> bad that the switches forward the multicasts out blocked ports. How
> could
> > >> that have happened? Just a bug I guess.
> > >>
> > >> Back to my original question. Does security at the data-link-layer
> make
> > >> sense for wired networks? I guess there could be cases where a
person
> has
> > >> physical access to an Ethernet port but is not supposed to be able
to
> use
> > >> the network. Maybe in a conference room or lobby. How does the
> > >> authentication actually take place? Do you need to use Radius or
> TACACS
> > >also?
> > >>
> > >> And one more question, is anyone actually using Windows XP yet? I
> guess
> > >> people must be for this bug to have been found.
> > >>
> > >> Interesting thread. Would anyone care to share some "big picture"
> > comments
> > >> on the subject?
> > >>
> > >> Priscilla
> > >>
> > >> At 11:10 AM 4/17/01, Hornbeck, Timothy wrote:
> > >> > > Possible solution?
> > >> > >
> > >> > > * Operating systems, such as Windows XP, will attempt 802.1X
> > >> > > authentication by sending frames to the Authenticator PAE on the
> > >> > > destination multicast address 01-80-c2-00-00-0f and
> > 01-80-c2-00-00-03.
> > >On
> > >> > > Catalyst 5000 family switches with EARL1, EARL1+, EARL1++, or
> > EARL1.1,
> > >> > > these frames will be forwarded on all ports including spanning
> tree
> > >> > > blocking ports. Because these frames are forwarded on blocked
> ports,
> > >the
> > >> > > network will experience a Layer 2 multicast storm.
> > >> > > Workaround 1: Enter the following commands to configure a
> permanent
> > >CAM
> > >> > > entry for 01-80-c2-00-00-0f and 01-80-c2-00-00-03 to be directed
> out
> > >an
> > >> > > unused port.
> > >> > > * set cam permanent 01-80-c2-00-00-0f mod/port
> > > > > > * set cam permanent 01-80-c2-00-00-03 mod/port
> > >> > > Workaround 2: Follow this procedure to configure Windows XP to
not
> > >send
> > >> > > these frames:
> > >> > > a. Cick on the associated Local Area Connection under
> Network
> > >> > > Connections.
> > >> > > b. Click on the Authentication Tab.
> > >> > > c. Uncheck "Network Access Control using IEEE 802.1x."
> > >> > > This problem is resolved in software release 6.2(1).
(CSCdt62732)
> > > > >
> > > ________
> > FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1038&t=911
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
