OS X 802.1x client (not user) authentication, is it possible?

  • OS X 802.1x client (not user) authentication, is it possible?

    Hi,

    First time poster.

    Does anyone know if an OS X client can 802.1x authenticate? Windows clients do it very happily.

    I can get the user to authenticate no problem. But it would be useful (and more secure) if we can spot our own OS X clients (currently added to w2k3 active directory).

  • #2
    Re: OS X 802.1x client (not user) authentication, is it possible?



    http://www.google.com/search?q=os+x+802.1x+client


    The very first link looks good!
    http://www.uic.edu/depts/accc/networ...less/macx.html

    Good ol' UIC!

    Also, straight from the Apple's mouth:
    http://docs.info.apple.com/article.html?artnum=303471
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



    • #3
      Re: OS X 802.1x client (not user) authentication, is it possible?


      Hi, thanks for your reply. Unfortunately all those examples are how to authenticate a user and not the actual device. I can get the user to authenticate fine. However, for added security I want the option to only allow a known device onto our internal VLANs. All other devices can get guest permissions.



      • #4
        Re: OS X 802.1x client (not user) authentication, is it possible?

        Oh, that would make quite a difference.

        I hang my head in shame.
        Wesley David



        • #5
          Re: OS X 802.1x client (not user) authentication, is it possible?

          How about a MAC-based ACL on the switch instead of 802.1x? Not as robust, but it might get the job done for you. Just a thought.
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com



          • #6
            Re: OS X 802.1x client (not user) authentication, is it possible?

            I cannot say much about OS X; however, for a Windows environment you can do the following:

            Auto VLAN is an enhancement to the basic Network Login (802.1X) feature. It allows the appropriate VLAN configuration to be obtained from a RADIUS server when a user authenticates. The configuration obtained is specific to the user authenticated on the port.
            Auto ACL & QoS Assignment are also further enhancements to the basic 802.1X Login feature. They allow the appropriate ACL and QoS configurations to be obtained from a RADIUS server when a user authenticates. The configuration obtained is specific to the user authenticated on the port.

            RADIUS VLAN Assignment:
            All three attributes must be included in the RADIUS access-response message for the VLAN to be assigned.

            RADIUS ACL Assignment:
            The Filter-ID is encoded as a string containing “ACL-number” where the ACL-number is the number of an ACL configured on the switch.

            RADIUS QoS Assignment:
            The Filter-ID is encoded as a string containing “profile-name” where the “profile-name” is the name configured on the switch. The attribute contains the name of the profile not the profile identifier number.

            Maybe as an alternative, concerning your question: when there cannot be an 802.1X supplicant, e.g. because the device is not compliant with the network login feature, you can always use MAC Address Authentication.
            I even know of switches which extend 802.1X and MAC authentication by using port security, which is a security mechanism to control network access. This scheme controls the incoming/outgoing packets on a port by checking the MAC addresses contained in data frames, and provides multiple security and authentication modes.
            Port security can provide the following features:

            NTK: Need to Know feature. By way of checking the destination MAC addresses of the data frames to be sent from a port, this feature ensures that only successfully authenticated devices can obtain data frames from the port so as to prevent illegal devices from filching network data.

            Intrusion Protection: By way of checking the source MAC addresses of the data frames received on a port, this feature discovers illegal packets and takes appropriate action (temporarily/permanently disabling the port, or filtering out the packets with these MAC addresses) to guarantee the security on the port.

            Device Tracking: This feature enables the switch to send trap messages in case special data packets (generated by special actions such as illegal intrusion, and abnormal user logon/logoff) pass through a port, thus helping the network administrator monitor these special actions.

            Binding of MAC and IP addresses to ports: This feature enables you to bind the MAC and IP addresses of legal users to specific ports on the switch so that only legal users' packets can pass through the corresponding ports, thus improving the security of the system.

            Hope this helps!

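The post above says "all three attributes" must be present for RADIUS VLAN assignment without naming them; per RFC 3580 they are Tunnel-Type (value 13, VLAN), Tunnel-Medium-Type (value 6, IEEE-802) and Tunnel-Private-Group-ID (the VLAN id as a string), encoded as RFC 2868 tagged attributes. The following is an added example, not code from the thread or from any switch or RADIUS vendor: it encodes an Access-Accept carrying that VLAN triplet plus a Filter-ID, computes and checks the RFC 2865 Response Authenticator the way a NAS would, and then decodes the attributes, refusing a VLAN move when the triplet is incomplete, inconsistent or out of range. The shared secret, request authenticator, VLAN 42 and ACL "101" are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code

# Attribute types (RFC 2865, RFC 2868)
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13       # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6  # RFC 2868 section 3.2


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype, tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte integer."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(atype, tag, text):
    """RFC 2868 tagged string: one tag byte followed by the string."""
    return attr(atype, bytes([tag]) + text.encode("ascii"))


def vlan_assignment(vlan_id, tag=1):
    """All three attributes a switch needs before it will move the port to a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Assemble a response with the RFC 2865 section 3 Response Authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """NAS side: check the declared length and the Response Authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(data):
    """Walk the TLV list, rejecting lengths that would run off the end."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _split_tag(value):
    """RFC 2868 section 3.1: a tag byte is 0x00..0x1F; anything larger is data, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def decode_vlan(attrs):
    """Return (tag, vlan_id) only when the full tunnel triplet is present and consistent."""
    groups = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = _split_tag(value)
            groups.setdefault(tag, {})[atype] = payload
    for tag, g in sorted(groups.items()):
        if len(g) != 3:
            continue  # partial set: ignore rather than guess a VLAN
        if int.from_bytes(g[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(g[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        gid = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if gid.isdigit() and 1 <= int(gid) <= 4094:
            return tag, int(gid)
    return None


def decode_filter_ids(attrs):
    """Every Filter-ID string in the response (ACL number or QoS profile name)."""
    return [v.decode("ascii", "replace") for t, v in attrs if t == FILTER_ID]


def demo():
    # Constructed inputs: in practice the request authenticator comes from the NAS's Access-Request.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    attrs = vlan_assignment(42) + attr(FILTER_ID, b"101")
    packet = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    if not verify_response(packet, request_auth, secret):
        raise RuntimeError("authenticator mismatch")
    parsed = parse_attributes(packet[20:])
    return decode_vlan(parsed), decode_filter_ids(parsed)


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from the decoder: a response that carries only one or two of the tunnel attributes is ignored rather than partially applied, which is the behaviour the post describes, and the Response Authenticator is compared in constant time. The authenticator only proves the reply came from a holder of the shared secret; it does nothing for confidentiality, so Access-Accept contents still travel in the clear unless the RADIUS path itself is protected.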
