    802.1x port-based authentication - when and why?

    IT Discussion
    802.1x switch authentication
Donahue @scottalanmiller

      @scottalanmiller said in 802.1x port-based authentication - when and why?:

      ...(like they knocked the cable off a desk and it plugged itself in as it fell.)

      This feels like it should be a meme of some sort.

scottalanmiller @Donahue

        @donahue said in 802.1x port-based authentication - when and why?:

        This feels like it should be a meme of some sort.

        Someone tell XKCD 😉

Donahue

          how to get him on ML?

scottalanmiller @Donahue

            @donahue said in 802.1x port-based authentication - when and why?:

            how to get him on ML?

            Now that would be awesome!

            Paging Randall Munroe

crustachio @Dashrender

              @dashrender said in 802.1x port-based authentication - when and why?:

              The whole disabling ports seems like a waste of time. If someone wants on the network, they'll simply unplug a printer and plug in. They know that line is live. Or they will unplug their own computer, again, they know it's live.

              This is actually the real power of 802.1x. It can do more than just toggle a switchport on/off. If you tie your 802.1x implementation to a policy manager/access server, you can dynamically assign VLANs and/or ACLs to that switchport.

              So that printer is live on the network because it matches certain criteria (certificate, predefined MAC whitelist, device fingerprint, etc), but if someone unplugs it and plugs their laptop in the same port it no longer matches and is blackholed (or gets whatever policy you wish). Same with swapping your LAN PC for a BYOD laptop. The traditional "port tagged as VLAN xyz" can't protect you in this situation, but a policy-based 802.1x implementation gives you total control.

              Of course you need a NAC server of some kind to be able to achieve this, but in the spirit of the OP, 802.1x can do quite a lot more than just basic switchport toggling.

              Also, it's commonly relied on for WiFi access control. When you consider any WiFi network that touches the LAN as essentially an invisible switch that anyone can touch without physical access restrictions, then 802.1x auth starts to look pretty attractive.

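The policy-driven behaviour crustachio describes (a policy server answering the same switch port differently depending on what is plugged in, and blackholing anything that matches no rule) can be shown as a small simulation. The following is an added example written for this thread, not code from any poster or any NAC vendor. Everything in it is constructed: the VLAN ids, ACL names, the CA name, the MAC allowlist, the port name and the "printer"/"workstation" fingerprint strings are hypothetical; the RADIUS attribute names it emits (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id from RFC 3580, plus Filter-Id) are the standard ones a switch uses to apply a dynamic VLAN and a named ACL. One caveat the example builds in: a MAC allowlist on its own is weak evidence, since a MAC is trivially cloned, so the MAB branch also requires the profiler's device fingerprint to agree, and only a certificate from the internal CA reaches the corporate VLAN.

```python
"""Toy NAC policy engine for 802.1X/MAB (added example, constructed data only).
Maps an authentication result on a switch port to the authorization a policy
server would return: dynamic VLAN plus ACL on a match, a dead-end VLAN otherwise."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed configuration: hypothetical VLAN ids, ACL names, CA name and MACs.
CORP_VLAN = 10            # authenticated staff machines
PRINTER_VLAN = 20         # headless devices admitted by MAB
QUARANTINE_VLAN = 999     # blackhole VLAN: routes nowhere
CORP_CA = "CN=Corp Internal CA"           # issuer of EAP-TLS client certificates
PRINTER_ALLOWLIST: Dict[str, str] = {     # MAC -> inventory name
    "00:11:22:33:44:55": "lobby-printer",
}

@dataclass(frozen=True)
class AuthRequest:
    port: str
    mac: str
    method: str                        # "eap-tls", "mab" or "none"
    cert_cn: Optional[str] = None      # subject CN of a validated EAP-TLS client cert
    cert_issuer: Optional[str] = None  # issuer DN of that cert
    fingerprint: Optional[str] = None  # device class from DHCP/LLDP profiling

@dataclass(frozen=True)
class Authorization:
    decision: str           # "accept" or "quarantine"
    vlan: int
    acl: str
    reason: str

    def radius_attributes(self) -> Dict[str, str]:
        """Access-Accept attributes that make the switch move the port: the
        RFC 3580 tunnel attributes carry the VLAN, Filter-Id names the ACL."""
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(self.vlan),
            "Filter-Id": self.acl,
        }

def authorize(req: AuthRequest) -> Authorization:
    # 1. EAP-TLS with a certificate from our CA: full corporate access.
    if req.method == "eap-tls" and req.cert_issuer == CORP_CA and req.cert_cn:
        return Authorization("accept", CORP_VLAN, "corp-acl",
                             f"EAP-TLS identity {req.cert_cn}")
    # 2. MAB for headless gear. A MAC is cloneable, so the profiler's fingerprint
    #    must agree before even the printer VLAN is granted.
    if req.method == "mab":
        name = PRINTER_ALLOWLIST.get(req.mac.lower())
        if name and req.fingerprint == "printer":
            return Authorization("accept", PRINTER_VLAN, "printer-only-acl",
                                 f"MAB allowlist entry {name}")
        if name:
            return Authorization("quarantine", QUARANTINE_VLAN, "blackhole-acl",
                                 f"allowlisted MAC {req.mac} but fingerprint "
                                 f"{req.fingerprint!r} is not a printer")
    # 3. Nothing matched: park the port in the quarantine VLAN.
    return Authorization("quarantine", QUARANTINE_VLAN, "blackhole-acl",
                         f"no policy matched ({req.method}) on {req.port}")

class PortSession:
    """One switch port: every link-up is a fresh authorization."""

    def __init__(self, port: str):
        self.port = port
        self.history: List[Authorization] = []

    def link_up(self, req: AuthRequest) -> Authorization:
        auth = authorize(req)
        self.history.append(auth)
        print(f"{self.port} mac={req.mac}: {auth.decision} vlan={auth.vlan} "
              f"({auth.reason})")
        return auth

    def link_down(self) -> None:
        # Link loss ends the session; the next device starts from scratch.
        print(f"{self.port}: link down, session cleared")

def printer_swap_scenario() -> List[Authorization]:
    """The post's scenario: printer admitted by MAB, then swapped for a laptop."""
    port = PortSession("Gi1/0/7")
    port.link_up(AuthRequest("Gi1/0/7", "00:11:22:33:44:55", "mab",
                             fingerprint="printer"))
    port.link_down()
    # Laptop without a supplicant: the switch falls back to MAB with the
    # laptop's own MAC, which is on no allowlist.
    port.link_up(AuthRequest("Gi1/0/7", "aa:bb:cc:dd:ee:ff", "mab",
                             fingerprint="workstation"))
    port.link_down()
    # Managed laptop with a corporate certificate: staff VLAN on the same port.
    port.link_up(AuthRequest("Gi1/0/7", "aa:bb:cc:dd:ee:ff", "eap-tls",
                             cert_cn="alice-laptop", cert_issuer=CORP_CA))
    return port.history

if __name__ == "__main__":
    printer_swap_scenario()
```

Running it walks the same port through three link-ups: the printer lands in the printer VLAN with a printer-only ACL, the unmanaged laptop plugged into the freshly vacated port is quarantined, and a laptop that completes EAP-TLS with a corporate certificate gets the staff VLAN. The quarantine decisions carry a reason string on purpose: those are the events worth forwarding to a SIEM, since "allowlisted MAC with a non-printer fingerprint" is exactly the signal that someone unplugged a device and took its port.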
Dashrender @crustachio

                @crustachio said in 802.1x port-based authentication - when and why?:

                This is actually the real power of 802.1x. It can do more than just toggle a switchport on/off. If you tie your 802.1x implementation to a policy manager/access server, you can dynamically assign VLANs and/or ACLs to that switchport.

                So that printer is live on the network because it matches certain criteria (certificate, predefined MAC whitelist, device fingerprint, etc), but if someone unplugs it and plugs their laptop in the same port it no longer matches and is blackholed (or gets whatever policy you wish). Same with swapping your LAN PC for a BYOD laptop. The traditional "port tagged as VLAN xyz" can't protect you in this situation, but a policy-based 802.1x implementation gives you total control.

                Of course you need a NAC server of some kind to be able to achieve this, but in the spirit of the OP, 802.1x can do quite a lot more than just basic switchport toggling.

                Also, it's commonly relied on for WiFi access control. When you consider any WiFi network that touches the LAN as essentially an invisible switch that anyone can touch without physical access restrictions, then 802.1x auth starts to look pretty attractive.

Assuming you're doing this for your switches as well, you also need switches that support that; I have no clue at what price point those become available.

JaredBusch @Dashrender

                  @Dashrender said in 802.1x port-based authentication - when and why?:

Assuming you're doing this for your switches as well, you also need switches that support that; I have no clue at what price point those become available.

                  The Ubiquiti EdgeSwitch line supports it since firmware 1.7.0

scottalanmiller @Dashrender

                    @Dashrender said in 802.1x port-based authentication - when and why?:

Assuming you're doing this for your switches as well, you also need switches that support that; I have no clue at what price point those become available.

                    It's certainly expensive compared to unmanaged switches. But most cheap smart switches do this. And they are decently cheap, cheap enough to use at home.

Reid Cooper

                      Some cheap systems like Netgear or Ubiquiti support that, I believe.

Reid Cooper

                        Cheap meaning low cost, of course.
