802.1x port-based authentication - when and why?
-
@pete-s said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
If you are plugging something in to a company asset that you were not told to do, you are intentionally doing something. Shit doesn't plug itself it. Shit does not bring itself into the office.
That reminds me of something. When you set up 802.1x on a windows computer, is it the user account that is logged in that you are authenticating or is it the computer itself or both?
Depends on how you set it up. But Windows is able to do both User and Computer authentication.
-
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
LOL - now that's a Scott answer if there ever was one.
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
@jaredbusch said in 802.1x port-based authentication - when and why?:
@obsolesce said in 802.1x port-based authentication - when and why?:
It's not just protecting against malicious actors. It could be to make sure employees aren't bringing in their own devices and putting them onto the LAN, bypassing external protections.
That is a malicious actor.
Stupidity or ignorance doesn't mean malicious.
I'm going to have to go with JB on this one.
Malicious is defined as intent to do harm, which is why I disagree. If the intent is not there, it's not malicious.
LOL - now that's a Scott answer if there ever was one.
It was THAT good.
But he's right, accidents are not malicious. However, we've discussed malicious before, and "willing to do harm" seems to fit within the definition, when someone willingly puts the business at risk for personal gain. It's not that the goal is the harm, but they harm willingly to further their ends.
A true accident would be if they had no idea they weren't supposed to do it or that they were doing it (like they knocked the cable off a desk and it plugged itself in as it fell.)
-
@scottalanmiller said in 802.1x port-based authentication - when and why?:
...(like they knocked the cable off a desk and it plugged itself in as it fell.)
This feels like it should be a meme of some sort.
-
@donahue said in 802.1x port-based authentication - when and why?:
@scottalanmiller said in 802.1x port-based authentication - when and why?:
...(like they knocked the cable off a desk and it plugged itself in as it fell.)
This feels like it should be a meme of some sort.
Someone tell XKCD
-
how to get him on ML?
-
@donahue said in 802.1x port-based authentication - when and why?:
how to get him on ML?
Now that would be awesome!
Paging Randall Munroe
-
@dashrender said in 802.1x port-based authentication - when and why?:
The whole disabling ports seems like a waste of time. If someone wants on the network, they'll simply unplug a printer and plug in. They know that line is live. Or they will unplug their own computer, again, they know it's live.
This is actually the real power of 802.1x. It can do more than just toggle a switchport on/off. If you tie your 802.1x implementation to a policy manager/access server, you can dynamically assign VLANs and/or ACLs to that switchport.
So that printer is live on the network because it matches certain criteria (certificate, predefined MAC whitelist, device fingerprint, etc), but if someone unplugs it and plugs their laptop in the same port it no longer matches and is blackholed (or gets whatever policy you wish). Same with swapping your LAN PC for a BYOD laptop. The traditional "port tagged as VLAN xyz" can't protect you in this situation, but a policy-based 802.1x implementation gives you total control.
Of course you need a NAC server of some kind to be able to achieve this, but in the spirit of the OP, 802.1x can do quite a lot more than just basic switchport toggling.
Also, it's commonly relied on for WiFi access control. When you consider any WiFi network that touches the LAN as essentially an invisible switch that anyone can touch without physical access restrictions, then 802.1x auth starts to look pretty attractive.
-
@crustachio said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
The whole disabling ports seems like a waste of time. If someone wants on the network, they'll simply unplug a printer and plug in. They know that line is live. Or they will unplug their own computer, again, they know it's live.
This is actually the real power of 802.1x. It can do more than just toggle a switchport on/off. If you tie your 802.1x implementation to a policy manager/access server, you can dynamically assign VLANs and/or ACLs to that switchport.
So that printer is live on the network because it matches certain criteria (certificate, predefined MAC whitelist, device fingerprint, etc), but if someone unplugs it and plugs their laptop in the same port it no longer matches and is blackholed (or gets whatever policy you wish). Same with swapping your LAN PC for a BYOD laptop. The traditional "port tagged as VLAN xyz" can't protect you in this situation, but a policy-based 802.1x implementation gives you total control.
Of course you need a NAC server of some kind to be able to achieve this, but in the spirit of the OP, 802.1x can do quite a lot more than just basic switchport toggling.
Also, it's commonly relied on for WiFi access control. When you consider any WiFi network that touches the LAN as essentially an invisible switch that anyone can touch without physical access restrictions, then 802.1x auth starts to look pretty attractive.
Assuming you're doing this for your switches as well, you also need switches that support that, I have no clue at what price point those become available.
-
@Dashrender said in 802.1x port-based authentication - when and why?:
@crustachio said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
The whole disabling ports seems like a waste of time. If someone wants on the network, they'll simply unplug a printer and plug in. They know that line is live. Or they will unplug their own computer, again, they know it's live.
This is actually the real power of 802.1x. It can do more than just toggle a switchport on/off. If you tie your 802.1x implementation to a policy manager/access server, you can dynamically assign VLANs and/or ACLs to that switchport.
So that printer is live on the network because it matches certain criteria (certificate, predefined MAC whitelist, device fingerprint, etc), but if someone unplugs it and plugs their laptop in the same port it no longer matches and is blackholed (or gets whatever policy you wish). Same with swapping your LAN PC for a BYOD laptop. The traditional "port tagged as VLAN xyz" can't protect you in this situation, but a policy-based 802.1x implementation gives you total control.
Of course you need a NAC server of some kind to be able to achieve this, but in the spirit of the OP, 802.1x can do quite a lot more than just basic switchport toggling.
Also, it's commonly relied on for WiFi access control. When you consider any WiFi network that touches the LAN as essentially an invisible switch that anyone can touch without physical access restrictions, then 802.1x auth starts to look pretty attractive.
Assuming you're doing this for your switches as well, you also need switches that support that, I have no clue at what price point those become available.
The Ubiquiti EdgeSwitch line supports it since firmware 1.7.0
-
@Dashrender said in 802.1x port-based authentication - when and why?:
@crustachio said in 802.1x port-based authentication - when and why?:
@dashrender said in 802.1x port-based authentication - when and why?:
The whole disabling ports seems like a waste of time. If someone wants on the network, they'll simply unplug a printer and plug in. They know that line is live. Or they will unplug their own computer, again, they know it's live.
This is actually the real power of 802.1x. It can do more than just toggle a switchport on/off. If you tie your 802.1x implementation to a policy manager/access server, you can dynamically assign VLANs and/or ACLs to that switchport.
So that printer is live on the network because it matches certain criteria (certificate, predefined MAC whitelist, device fingerprint, etc), but if someone unplugs it and plugs their laptop in the same port it no longer matches and is blackholed (or gets whatever policy you wish). Same with swapping your LAN PC for a BYOD laptop. The traditional "port tagged as VLAN xyz" can't protect you in this situation, but a policy-based 802.1x implementation gives you total control.
Of course you need a NAC server of some kind to be able to achieve this, but in the spirit of the OP, 802.1x can do quite a lot more than just basic switchport toggling.
Also, it's commonly relied on for WiFi access control. When you consider any WiFi network that touches the LAN as essentially an invisible switch that anyone can touch without physical access restrictions, then 802.1x auth starts to look pretty attractive.
Assuming you're doing this for your switches as well, you also need switches that support that, I have no clue at what price point those become available.
It's certainly expensive compared to unmanaged switches. But most cheap smart switches do this. And they are decently cheap, cheap enough to use at home.
-
Some cheap systems like Netgear or Ubiquiti support that, I believe.
-
Cheap meaning low cost, of course.