
I'm researching the feasibility of implementing 802.1x port security on my wired network. The supplicants will be Windows 7 PCs. The authenticator will be Cisco and Juniper switches. I'm thinking about using PacketFence as the authentication server.

With 802.1x enabled, would it be possible to push patches out to the Windows PCs and perform security scans on them while nobody's logged in to them? My understanding about 802.1x is that the PCs will be denied network access until a user authenticates. If that's the case, then I wouldn't even be able to ping the PCs, let alone patch and scan them, right? Any agents running on the PCs also would not be able to get out on the network unless a user is logged in.

Am I understanding this correctly, or is there some way to have 802.1x and still manage the PCs remotely when a user is not logged on?

  • Once a client is connected with 802.1x, it remains connected until the link is broken. This is a major security flaw in 802.1x. If a user connects with a PC, and the PC is not shut down or rebooted, even if the user is logged off, you could perform patching. – Ron Maupin Apr 01 '16 at 17:51
  • Here is a [PDF](https://www.defcon.org/images/defcon-19/dc-19-presentations/Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf) which discusses the problem of 802.1x only authenticating once, then allowing traffic from the MAC address until the connection is broken. – Ron Maupin Apr 01 '16 at 20:42

2 Answers


It depends how you deploy 802.1x.

In our company we deployed 802.1x using EAP-TLS with machine certificates. The certificate used for the authentication is installed in the computer store. That means we can still manage the device on the wired or wireless network even when the user is logged off. If we had used user certificates or any other user-based authentication, that wouldn't have been possible.

Jofre
  • Ah, that makes sense. I was originally thinking to use user certs, but machine certs sound like the way to go. Another suggestion I got was to configure an auth-fail VLAN on the switch. When a user fails 802.1x authentication, the PC would get dumped into a VLAN with restricted services. –  Apr 01 '16 at 19:02
  • We have two configurations depending on the port location, we either block the port or dump the user to a "guest" network, with password protected access to the Internet (and also access to some VPN concentrators). This is used by visitors and unmanaged devices. – Jofre Apr 01 '16 at 19:56
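To verify that a Windows wired 802.1x profile is actually set up the way this answer describes (EAP-TLS with machine authentication, so the port is authorised while nobody is logged on), here is an added audit script; it is not from the original thread or from any vendor. It assumes the profile XML as written by `netsh lan export profile`, with the namespace URIs taken from the published schema, and the sample profile embedded below is constructed and trimmed to the elements the check needs.

```python
import xml.etree.ElementTree as ET

# Namespaces of a Windows wired (LAN) 802.1X profile. The URIs are an assumption
# based on the documented LANProfile / OneX / EapHostConfig schemas.
NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eaphost": "http://www.microsoft.com/provisioning/EapHostConfig",
    "eapcommon": "http://www.microsoft.com/provisioning/EapCommon",
}

EAP_TLS = "13"  # IANA EAP method type number for EAP-TLS

# Constructed, trimmed sample: EAP-TLS with machine authentication.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machine</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>"""


def audit_profile(xml_text):
    """Return (manageable_when_logged_off, findings) for one wired profile."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("lan:MSM/lan:security/lan:OneXEnabled", "", NS).strip().lower() != "true":
        findings.append("802.1X is not enabled on this profile")
    onex = root.find("lan:MSM/lan:security/onex:OneX", NS)
    if onex is None:
        return False, findings + ["no OneX element: no 802.1X settings at all"]
    mode = onex.findtext("onex:authMode", "", NS).strip()
    eap_type = onex.findtext(
        "onex:EAPConfig/eaphost:EapHostConfig/eaphost:EapMethod/eapcommon:Type", "", NS).strip()
    # 'machine' authenticates with the computer certificate only; 'machineOrUser'
    # uses it at the logon screen and again after logoff. 'user' leaves the port
    # unauthorised until someone logs on, which is the problem the question raises.
    if mode not in ("machine", "machineOrUser"):
        findings.append(f"authMode is '{mode or 'unset'}': port is only authorised after a user logs on")
    if eap_type != EAP_TLS:
        findings.append(f"EAP method type '{eap_type or 'unset'}' is not EAP-TLS (13)")
    return not findings, findings
```

Run it against each file produced by `netsh lan export profile folder=<dir> interface="<name>"` on a sample of PCs; any profile that returns findings is one that will go dark at the logon screen.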

You can authenticate the user or the PC. If it is the PC, it is connected to the network without any prompted information. You can access it if no one is logged on to it. You need to check the authentication method in the network panel.

Dom