If you have a NAC solution do you do port based auth?
Units may choose to activate NAC on ports of supporting equipment (drop down 
menu for them in a web interface we provide).  It supports both 802.1x and MAC 
Address Bypass (MAB) with an on-boarding redirect portal.

To date there are only several thousand ports activated outside the residential 
network (which is all NAC).  Security initiatives will likely take that far 
higher in the coming years.


If you have a NAC solution do you do eap-tls? If so how are you handling the 
certification “push” to devices?
No, PEAP at this time for the greatest compatibility.

What were the major pain points during implementation?
802.1x:  Supplicants for wired 802.1x are not as mature as wired, but are 
getting better.

MAB:  Browsers resist redirects.  This can lead to minute/minutes timeouts for 
the end user resulting in calls to the help desk.  Also, our distributed IT 
support wishes to control this interaction, and we have not implemented a portal 
for them to manage thousands of devices yet.

Windows:  most are deployed via a GPO that was painless.  What we did not do 
initially was integrate with the Active Directory to support machine 
credentials (we have a FreeRadius environment for 802.1x given scale).  When 
users log out, the machine goes to an unauth state.  While our ACLs allowed 
access to IP ranges with management servers, the community wanted access for 
other items.  With support of the machine credentials, when users log out the 
machine logs in under its credentials and is still accessible.  However, we 
lack the network-level tracking of IP action to user auth — needing to go 
through the AD logs to see who may have been logged into a machine remotely if 
issues arise.

Mac OS: with recent versions, 802.1x is on by default and one has to go to 
efforts to shut it off.  There are issues in a shared computing environment 
(e.g. computer lab) that have not been resolved — they do not cleanly implement 
the same concepts as a Windows environment, even with local scripting.

Arriving at the right combination to have 802.1x and MAB required IBNS 2.0 IOS 
versions which limits it to 70% of switch port inventory.  We are returning 
ACLs to implement various policies.  Older switches have limited capabilities 
as to how deep those ACLs can be.  Getting the timers correct was a bit of work.

What were the major use cases you were resolving/resolved?
First we wanted automation of port configurations.  Second we expected future 
compliance would require NAC (that shoe has now dropped).  It ties in with a 
push from wireless to move inventory and information risk assessment to the end 
user (since that is now knowable and was not possible in our wired environment 
previously).


Anything you would do differently if you do it again?
We'd probably do MAB only first to get the automation piece across the entire 
inventory and wait more years for all switches to support IBNS 2.0.




William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | gr...@austin.utexas.edu
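As an added example (not part of this e-mail or the university's tooling), this is the lookup the Windows paragraph describes doing by hand: resolve an IP at a point in time through RADIUS accounting, and when the active session belongs to a machine credential, fall back to AD logon events on that host to name the person. The accounting records, host names and the AD event layout are constructed assumptions; only the RADIUS attribute names are standard.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Records mirror the attributes a
# FreeRADIUS "detail" accounting file carries; AD events mirror logon audit
# entries (user, host, time). PEAP machine auth shows up as host/<fqdn>.
ACCT = [
    {"Acct-Status-Type": "Start", "User-Name": "host/labpc01.ad.example.edu",
     "Framed-IP-Address": "10.20.30.40", "Event-Timestamp": "2024-03-04 08:00:00"},
    {"Acct-Status-Type": "Stop", "User-Name": "host/labpc01.ad.example.edu",
     "Framed-IP-Address": "10.20.30.40", "Event-Timestamp": "2024-03-04 08:05:00"},
    {"Acct-Status-Type": "Start", "User-Name": "jdoe",
     "Framed-IP-Address": "10.20.30.40", "Event-Timestamp": "2024-03-04 08:05:00"},
    {"Acct-Status-Type": "Stop", "User-Name": "jdoe",
     "Framed-IP-Address": "10.20.30.40", "Event-Timestamp": "2024-03-04 12:00:00"},
    {"Acct-Status-Type": "Start", "User-Name": "host/labpc01.ad.example.edu",
     "Framed-IP-Address": "10.20.30.40", "Event-Timestamp": "2024-03-04 12:00:00"},
]
AD_LOGONS = [{"host": "labpc01", "user": "asmith", "time": "2024-03-04 12:30:00"}]

def is_machine(user):
    # Machine credentials present the computer account, not a person.
    return user.startswith("host/") or user.endswith("$")

def sessions(records):
    """Pair Start/Stop records into (user, ip, start, end); end is None if still open."""
    open_, done = {}, []
    for r in sorted(records, key=lambda r: r["Event-Timestamp"]):
        key = (r["User-Name"], r["Framed-IP-Address"])
        t = datetime.fromisoformat(r["Event-Timestamp"])
        if r["Acct-Status-Type"] == "Start":
            open_[key] = t
        elif key in open_:
            done.append((*key, open_.pop(key), t))
    return done + [(*k, s, None) for k, s in open_.items()]

def who_had_ip(records, ip, at, ad_logons=(), window=timedelta(hours=1)):
    """Resolve ip at time `at` to a RADIUS identity; if that is a machine account,
    fall back to AD logon events on that host within `window` to name the person."""
    at = datetime.fromisoformat(at)
    for user, sip, start, end in sessions(records):
        if sip != ip or at < start or (end is not None and at >= end):
            continue
        if not is_machine(user):
            return {"identity": user, "source": "radius"}
        host = user.split("/", 1)[-1].split(".")[0].rstrip("$").lower()
        for ev in ad_logons:
            t = datetime.fromisoformat(ev["time"])
            if ev["host"].lower() == host and abs(t - at) <= window:
                return {"identity": ev["user"], "source": "ad", "machine": user}
        return {"identity": user, "source": "radius", "machine_only": True}
    return None  # no accounting session covered that IP at that time
```

The `machine_only` result is the gap the reply describes: the network layer can only say which computer held the address, so the AD logon trail is still needed to reach a person.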


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community