1/4/2010 2:27:22 PM
topic: MAC Auth Bypass on 3750
abeats (Posts: 5)
Chuck, the values listed may be considered best practice based on our experience with a wide range of customers over the past few years. The timers are balanced in such a way that the 1X auth will fail relatively quickly, thus allowing the MAC auth to occur within a reasonable amount of time (potentially reducing connectivity issues associated with extended authentication timers). That being said, are you guys using the Microsoft supplicant? If so, what is the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global" value set to? We've found that tweaking this variable, along with a couple of other registry settings, can bring stability and consistency to the login process (assuming you're using the Microsoft 1X supplicant and you're in an Active Directory environment).

11/12/2009 11:15:41 PM
topic: MAC Auth Bypass on 3750
nixonc (Posts: 2)
Are these values for the interface settings best practices for switch ports? We have a problem where a port occasionally will not authenticate when a person comes in at the beginning of the day. If they unplug their cable, wait a few seconds, and then plug back in the port comes back up.

9/18/2009 11:23:30 AM
topic: RADIUS scalability testing tools
tpowers (Posts: 5)
I've had some pretty good results with Radius Test for Windows version 2.4 (http://www.radutils.com/). I've queued up as many as 9,999 authentication requests at once. You can also schedule the quantity and interval that you would like them sent.
Ty Powers Blue Spruce Technologies
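Worked example added to this thread (not code from any poster, and not part of radclient, RadPerf, Radlogin or Radius Test): a minimal radclient-style load generator in Python that builds RFC 2865 Access-Request packets, verifies each Response Authenticator, and tallies accept/reject/timeout outcomes for a chosen concurrency. The server address, shared secret and user list are constructed placeholders.

```python
# Added example, not from the thread: RFC 2865 Access-Request load generator (radclient-style); target/secret/users are constructed
import hashlib, os, socket, struct
from concurrent.futures import ThreadPoolExecutor

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
def encrypt_password(password, secret, authenticator):
    # RFC 2865 5.2: null-pad to 16-octet blocks, XOR each block with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out
def decrypt_password(cipher, secret, authenticator):  # inverse of the above, used to self-check the encoding
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")
def attribute(atype, value):  # Type, Length, Value
    return struct.pack("!BB", atype, 2 + len(value)) + value
def build_access_request(ident, user, password, secret, nas_ip="192.0.2.10"):
    auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, encrypt_password(password.encode(), secret, auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth
def response_authenticator(header, req_auth, attrs, secret):  # RFC 2865 section 3
    return hashlib.md5(header + req_auth + attrs + secret).digest()
def parse_response(data, secret, req_auth):  # return the Code only if the Response Authenticator verifies
    code, _ident, length = struct.unpack("!BBH", data[:4])
    return code if response_authenticator(data[:4], req_auth, data[20:length], secret) == data[4:20] else None
def send_one(server, secret, ident, user, password, timeout=2.0):
    pkt, auth = build_access_request(ident, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # one socket per request, so IDs may repeat
        s.settimeout(timeout)
        s.sendto(pkt, server)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # the count to watch as the request rate goes up
    code = parse_response(data, secret, auth)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", None: "bad-authenticator"}.get(code, "other")
def load_test(server, secret, users, concurrency=50):  # one request per (user, password); returns outcome counts
    jobs = [(i % 256, u, p) for i, (u, p) in enumerate(users)]
    counts = {}
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        for outcome in pool.map(lambda j: send_one(server, secret, *j), jobs):
            counts[outcome] = counts.get(outcome, 0) + 1
    return counts
```

Call load_test(("192.0.2.1", 1812), b"testing123", [("user1", "pw1"), ...], concurrency=200) against a lab server; the "timeout" count is the figure that climbs first when the server or the directory behind it saturates.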

9/17/2009 10:20:22 AM
topic: RADIUS scalability testing tools
seth (Posts: 1)
One other tool designed for RADIUS testing is Radlogin v4 (RADIUS Test Client), which is part of the RadiusNT product by IEA Software.
This test client is free and graphically interactive (via a web-based GUI); it acts as a test client for RADIUS systems and can send RADIUS Authentication and Accounting messages at a high rate of speed through iterations of up to 1,000,000 requests per run.
http://www.iea-software.com/products/radlogin4.cfm

9/17/2009 9:27:45 AM
topic: RADIUS scalability testing tools
charles (Posts: 1)
There appear to be a number of free test-tool options out there.
As a start, from http://freeradius.org/features/fast.html (the horse's mouth, so to speak):
"The best way to determine the performance of a server is via testing. FreeRADIUS comes with a tool called radclient, which can be used for basic performance testing. A third party tool called RadPerf is also available. It uses the FreeRADIUS libraries to implement the RADIUS portion, and then builds more complex functionality on top of that. It can be used to simulate user logins, and can auto-generate accounting packets for user sessions."
The referenced tool is at http://networkradius.com/radperf.html

9/17/2009 8:44:09 AM
topic: RADIUS scalability testing tools
admin (Posts: 5)
Does anyone know of any good RADIUS scalability testing tools? The specific goal is to test the scalability (ability to process a large number of auth requests) of the authentication system and specifically look at the scalability of RADIUS and Beacon.

5/22/2009 11:12:22 AM
topic: Cisco web-auth & Great Bay Sponsored Guest Access
Eric Winch (Posts: 6)
Hi IT Sec tech, Cisco web authentication can be integrated with Great Bay's Sponsored Guest Access (SGA); for example, a Cisco 3750 allowing an alternative "HTTP" redirected authentication to Great Bay's SGA LDAP data store. Specifically, we configured for 802.1x and MAC Auth Bypass with fallback to HTTP via redirect. Although this is not a requirement, you may also configure web authentication only.
If a user fails 802.1x and MAC Auth Bypass, they would receive an authentication page (hosted on the switch) after attempting to access a web based resource. Login credentials are passed to RADIUS for LDAP lookup against Great Bay’s SGA.
There are a few working parts for this solution; here is a short list:
- Cisco firmware 12.2(50)SE2 (earlier versions were having issues sending RADIUS Authentication requests when using HTTP authentication)
- Configured AAA Authentication and Authorization for RADIUS
- Enabled IP device tracking
- Set authentication proxy banners
- Configured fallback profile (not necessary if you want only WEB authentication)
- Created web authentication ACL to apply to associated ports
- Configured RADIUS ("radius-server vsa send authentication" command required)
- Configured individual interfaces
- Applied ip admission
- Applied access control list
- Configure your RADIUS server to perform LDAP lookups against Great Bay SGA (Microsoft IAS does not support external LDAP)

5/21/2009 1:24:43 PM
topic: IF MAP - Great Bay
tpowers (Posts: 5)
I saw this work great at Interop earlier this week. Great Bay's Beacon re-profiled an endpoint based on a behavior change and then published IF-MAP event data to the MAP server which in turn triggered UAC to move the client to remediation and therefore limited network access. Talk about a few moving parts all working in concert...Very cool (open standards) stuff.
Ty Powers Blue Spruce Technologies

5/21/2009 10:48:07 AM
topic: Cisco web-auth & Great Bay Sponsored Guest Access
IT Sec tech (Posts: 7)
Has anyone used the web authentication features on Cisco's 3750 with Great Bay's SGA? It seems like it should work, but I thought I'd ask before jumping in.

5/6/2009 11:25:38 AM
topic: Beacon 3.0 Docs
jgorsky (Posts: 5)
The Beacon Configuration Guide for v3.0 is posted on the support site documentation page:
https://www.greatbayswsupport.com/documentation.php
Note that the StartUp Guides are now incorporated in the Configuration Guide (Chapter 4); they are not separate docs as they were for version 2.1.8.
Enjoy!

5/6/2009 11:21:38 AM
topic: Beacon 3.0 Docs
IT Sec tech (Posts: 7)
Is the documentation for Beacon 3.0 posted somewhere? We're anxious to upgrade, but I'd like to get prepared before leaping up to the new version.

4/29/2009 9:59:43 AM
topic: Avaya IP phone and Cisco switch - LLDP vs. 1X/MAB
abeats (Posts: 5)
I recently had some experience working with 802.1X and Avaya IP phones at a customer site. Though we had some initial positive results configuring the Cisco switch to support LLDP communications with the Avaya IP phone (firmware v2.7 or greater, where LLDP support is built into the firmware), the results were inconsistent. We were initially seeing LLDP immediately put the phone on the correct voice VLAN, but the phone would take upwards of three minutes to get its IP address and start up (and sometimes it would NEVER get an IP and would NEVER initialize). After fairly extensive testing and "knob turning", my current opinion is that LLDP on the Avaya IP phones and 802.1X on the Cisco switches don't play nicely together. We finally reverted to MAC-Authentication-Bypass (MAB) on the Cisco switches, using Beacon's LDAP database as the authoritative (via RADIUS) authentication store for the Beacon-profiled Avaya IP phones. This solution works quickly, consistently and effectively - every time. Upon the Cisco switch MAC-authing the Avaya IP phone, the CiscoAVPair "device-traffic-class=voice" RADIUS return attribute drops the phone into the appropriate voice VLAN on the Cisco switch and everything works great.

4/21/2009 1:10:58 PM
topic: Beacon's Role in Successful 802.1X Deployments
abeats (Posts: 5)
sacRyan, I was describing the few sites a while ago where Beacon had not been implemented (and also non-UAC sites) and where the customer wanted to specifically disable 802.1X on a few ports where non-EAP endpoints were deployed. Though we advised them - and they understood the ramifications - of the security hole this would open, the requirement remained on the table in order to ensure that these endpoints were granted some form of network access. Beacon certainly could have addressed this issue (as you suggested) by profiling these endpoints and MAC-authing them via RADIUS/Infranet Controller MAC-auth realm (thus allowing for consistent 802.1X port configurations enterprise-wide). These customers have since realized the drawbacks of attempting to deploy 802.1X without Beacon, and have deployed (or are considering deploying) Beacon to address the issue of "disabling 1X on ANY port opens a significant security hole".
Hey, I've encountered an interesting scenario recently where one company didn't want corporate users to EVER land in the guest VLAN (thus circumventing the corporate network for potentially unscrupulous purposes). Beacon to the rescue! Let me know if you're interested in discussing that matter on a separate thread.

4/1/2009 11:01:10 AM
topic: Beacon's Role in Successful 802.1X Deployments
sacRyan (Posts: 2)
Beacon has been a great investment for knowing what was actually plugged in where on the network. Just like you said about your spreadsheets, our network diagrams were outdated and it could have caused a lot of grief to have to track down those issues with the desktop support team. However, with Beacon in play, what devices are you seeing 802.1x not being enabled for? I ask as we are planning a global 802.1x rollout using Beacon to authenticate any device that can't have the UAC client installed. --Thanks.

4/1/2009 10:55:58 AM
topic: Services Shutting Down
sacRyan (Posts: 2)
We are working on a UAC deployment with Beacon appliances but are having issues with the server service stopping unexpectedly. Anyone else seen this or had similar issues?
--Thanks

3/26/2009 8:36:56 AM
topic: Active Inquiry not working
gregschmitt31 (Posts: 2)
Thanks for the reply! I did narrow the range and deselected the ping option, and the profile works. I should know better, and should have checked the release notes! Cheers, Greg

3/25/2009 5:48:46 PM
topic: Active Inquiry not working
jgorsky (Posts: 5)
Hi, I think you may be running into a documented issue with 2.1.8-37, based on the presence of the "Ping Sweep" option in the NetInquiry module config in the screen shot. That option was removed in the -38 release of Profiler, and an issue with active inquiries on /16 networks was corrected.
I think upgrading to -38 will resolve your issue.
One other important point to consider with such a large range of host addresses for active data collection: This will result in the Collector with NetInquiry configured communicating with the hosts in that range (all 65K plus of them if my math is correct) at the frequency you have set in the Server module config.
You may want to consider scoping the active profiling a bit, and tightening your Network Blocks in the NetInquiry module config.

3/25/2009 2:05:04 PM
topic: Active Inquiry not working
gregschmitt31 (Posts: 2)
Greetings,
I'm trying to do an active TCP open-port query using the NetInquiry module to test for HP printers on port 9100. I have a MAC rule looking for Hewlett which works fine (50%), but the active TCP Port rule isn't. I am certain that there are printers on the /16 network I've defined, and I test-connected to a printer on port 9100. I've attached a Word doc with screen captures of my configuration.
Any suggestions are greatly appreciated!

3/24/2009 11:51:10 AM
topic: 802.1X with VOIP phones (1 via EAP 1 via MAB)
tpowers (Posts: 5)
Hmm...this is a slightly loaded question. This method should work with any phone, but we have seen instances where, even though the 802.1x supplicant on the phone was disabled, it still sent out EAP Start frames, disrupting the ability to MAC Auth Bypass. As far as the RADIUS attributes, there are Vendor Specific Attributes (VSAs) that upon authentication will inform the switch that the device is a voice device. I was specifically referring to Cisco's ACS previously, but other RADIUS servers provide support for these VSAs also. You would want to make sure before deciding to move forward. There are a lot of options as well as moving parts in an end-to-end 802.1x project. I'm not sure where you are in regards to this being a project, but in order to ensure success, you may want to engage with someone to lay out all of the options available to you and then assemble an 802.1x Statement of Work with specific deliverables.
Ty Powers
Blue Spruce Technologies, Inc.

3/23/2009 7:37:27 PM
topic: 802.1X with VOIP phones (1 via EAP 1 via MAB)
IT Sec tech (Posts: 7)
Thanks Ty,
Unless I misunderstand, your post seems to imply that this method will work regardless of the phone (Cisco, Nortel, Avaya, etc.), correct? Also, you mean RADIUS attributes need to be defined on the ACS server right?