802.1x wireless versus wired

 
 
Wimbo
Guest
Posts: n/a
 
      02-08-2006
Hello,

we have a network environment consisting of wireless AP and 'normal' wired
access. We use 802.1x successfully for our domain users. The authentication
method used is EAP-TLS.

Components used: AD, Enterprise CA, Windows 2003 servers, MS IAS and Windows
XP SP2 PCs

We now want to extend the 802.1x security to our wired switches (Cisco 35xx
I thought). These switches support 802.1x authentication and at first
everything seems to work fine.

However;
there seems to be a difference between 802.1x wireless and the wired
equivalent. With wireless we have both machine AND user authentication and
this works perfectly. The need for this is that the machine can log on to
the domain without the need of a user logged on. This is helpful in
spreading updates etc. to these machines. This also solves the problem that
when a user logs on, that there isn't a DC around (cause the network link
is still down)
The same is needed for the wired machines. But when we investigated the
logon and authentication process, it seems that on wired PCs only machine
authentication is done, and that user authentication is skipped somehow.

This behaviour is killing for so-called user-based VLANs (which would be the
next step). This would enable us to let the IT log on to any PC in the
network and be directed to the appropriate (management) VLAN.

B.t.w. this user-based VLAN (SSID) thing does work with wireless clients.

I found some articles on the EAP behaviours of XP, but this issue isn't
mentioned. Anyone else have any ideas?

Regards,

Willem

 
 
 
 
 
Pavel A.
Guest
Posts: n/a
 
      02-11-2006
There is an opinion that for wired network ipsec is much better than 1x.

--PA

 
 
 
 
Wimbo
Guest
Posts: n/a
 
      02-13-2006
Pavel A. wrote:
> There is an opinion that for wired network ipsec is much better than 1x.
>
> --PA


I know that just 802.1x is *not* THE solution for secure network access.
However, the behaviour which occurs now makes it impossible to use
user-based VLANs with wired 802.1x, because the user never gets authenticated.

I also contacted the switch (3750) vendor (Cisco), if they have any
experience with this. I doubt that I will receive any usable info, because
the EAPOL messages never seem to be sent from the computer. Hence making it
a PC/NIC/OS issue. The NIC has the latest drivers installed and the OS
(WinXP Pro SP2) has all available patches etc.
Since computer authentication and user authentication work properly
separately, but the combination of the two fails on wired, I'm guessing an
OS problem.

Correct me if my assumptions are incorrect.

Willem
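
One way to confirm from the RADIUS server side the symptom described in this thread (a client that only ever presents its machine identity on a wired port), as an added example that is not part of the original posts. The record fields, MAC addresses and names are constructed assumptions and do not reproduce the IAS log format; the NAS-Port-Type numbers are the standard RADIUS values.

```python
# Added example: flags clients whose 802.1x requests carried only a machine
# identity, grouped by medium. Record layout is an assumption, not IAS's schema.
from collections import defaultdict

# Standard RADIUS NAS-Port-Type values (RFC 2865 / IANA registry).
NAS_PORT_TYPE = {15: "wired", 19: "wireless"}


def identity_kind(user_name):
    """Classify a RADIUS User-Name as a machine or a user identity.

    Windows computer accounts appear as 'host/<fqdn>' (certificate based)
    or as an account name ending in '$'.
    """
    name = user_name.lower()
    if name.startswith("host/") or name.endswith("$"):
        return "machine"
    return "user"


def machine_only_clients(records):
    """Return {medium: [MAC, ...]} for clients that never presented a user identity."""
    seen = defaultdict(set)  # (medium, mac) -> set of identity kinds observed
    for rec in records:
        medium = NAS_PORT_TYPE.get(rec["nas_port_type"], "other")
        seen[(medium, rec["mac"])].add(identity_kind(rec["user_name"]))
    result = defaultdict(list)
    for (medium, mac), kinds in sorted(seen.items()):
        if kinds == {"machine"}:
            result[medium].append(mac)
    return dict(result)


# Constructed sample: one wireless client that does machine then user
# authentication, and one wired client that stops after machine authentication.
SAMPLE = [
    {"time": "08:00:01", "mac": "00-11-22-33-44-55", "nas_port_type": 19,
     "user_name": "host/pc01.example.local"},
    {"time": "08:05:12", "mac": "00-11-22-33-44-55", "nas_port_type": 19,
     "user_name": "EXAMPLE\\willem"},
    {"time": "08:00:03", "mac": "00-11-22-33-44-66", "nas_port_type": 15,
     "user_name": "host/pc02.example.local"},
]

if __name__ == "__main__":
    for medium, macs in machine_only_clients(SAMPLE).items():
        print(medium, "machine-only:", ", ".join(macs))
```

A client listed here after a user has logged on interactively never sent a user-identity request to the server, which points at the supplicant rather than the switch or the RADIUS policy.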
