Skip to main content

Where are all the AAA and PKI solutions gone for Dot1x

More Question than answers


(This series will be based on an enterprise with >20,000 dot1x devices)

I have been looking into dot1x authentication for Wired and Wireless devices based on device identity using x.509 Certificates. While I understand PKI, AAA, PEAP and sorts I had never really had the opertunity to bring these technologies together. I quickly found out that despite this stuff being around for years,  it was difficult to answer the following questions:

  • Which PKI solution should I use?

  • Which AAA solution should I use?

  • How to setup the PKI solution?

  • Does the PKI server need to be part of AD?

  • What if the clients are not in AD e.g. Wireless Tablets?

  • How do I issue certificates for devices?

  • How to configure the devices (wired and wireless)?

  • What AAA server do I use?

  • How do configure the rules and policies and identify clients?


 

What are the answers?


I am going to kick off a series here at networking-guru.net that tries to address the question above; I have limited time but hopefully I can invest some over the coming weekends and share my thoughts with you.

  • Which PKI solution should I use?

  • Which AAA solution should I use?


These two question were pretty frustrating and I cannot say I am fully satisfied with the answer I have at the moment. Here are some brief thoughts:

For PKI solution I found it really difficult to identify any enterprise type products. Realistically I could only find Microsoft Certificate Authority. There are a few popular opensource solutions which personally I find quite interesting but it would be a hard sell for many enterprise customers. The other option is to use a external managed solution but again a very hard sell into the enterprise.

For AAA (RADIUS) there are a few:

  • Cisco ACS,

  • Cisco ISE (new kid on the block)

  • Juniper Steel Belted RADIUS

  • Microsoft IAS (lol)

  • FreeRADIUS


IAS and Free RADIUS are out off the bat, IAS because it is appalling, FreeRADIUS as its opensource and the mangeability is going to be tough for some of the less skill support desk staff that would inevatibilty have to support it.

Juniper Steel Belted - what I can tell from Juniper, it runs on Windows 2003 32bit, Sun Solaris or Redhat 4, all of these seem pretty long in the tooth and many enterprises are already running programmes to update these legacy systems so not really interesting in deploying legacy computing.

 

Cisco Alternatives - Cisco run on a Linux variant but it is fully hidden from the customer and is not a concern as any update will be within the maintenance cycle of the Cisco product and not with the OS vendor. This leave Cisco ACS or Cisco ISE. ISE appear to be is a coming together of various product based on ACS and NAC Profiler, one signification point is that there is no TACACS in the version 1 is the ISE product. I would expect at some future release to see TACACS be introduced into ISE and for ACS to grow old gracefully as there is total over lap on the RADIUS ability of both product.

 

ISE and Microsoft


So with that said putting cost aside ISE and Microsoft PKI is where I am going to take this series.

 

If you need a subnet calculator for you android devices then give this a try

https://play.google.com/store/apps/details?id=net.networkingguru.SubnetMasterRelease

 

 

Comments


  1. Having read this I believed it was rather informative. I appreciate you taking the time and effort to put this information together. I once again find myself spending a lot of time both reading and commenting. But so what, it was still worth it! hotmail email sign in

    ReplyDelete
  2. I am very thankful to you for sharing this excellent knowledge. This information is helpful for everyone. So please always share this kind of information. Thanks. Alert Logic Charlotte

    ReplyDelete

Post a Comment

Popular posts from this blog

VMWARE ESXi 5.0 Command line quickies

Hi, It has been a long time since my last posts, but recently I have been working on my home ESXi lab so I thought I would share. I switched over to using Apple Mac just over a year ago, so I don't have a windows machine running by default to run the vSphere client software and generally all I want to do is startup VMs and switch off the ESXi server when I am done. I did some searching and found that I could use vmware vim-cmd if I SSHed into the ESXi server. This need to be enabled at the console, then you can use putty or your tool of choice to connect. Anyway there are several commands the following to me are most useful. List all Virtual Machines vim-cmd vmsvc/getallvms Get a Virtual Machines state (on/off etc) vim-cmd  vmsvc/power.getstate Power on a virtual machine vim-cmd vmsvc/power.on Combining command to a one liner you can find out the power on state of all Virtual Machines vim-cmd vmsvc/getallvms && for x in `vim-cmd vmsvc/getallvms|

ASR1006 Dual Route Processors Password Recovery - Tip

I recently ran into an issue when trying to perform dual route processors password recovery on a Cisco  ASR1006 Problem After breaking into rommon mode and using confreg to ignore the startup configuration, during the rest the ASR1006 loaded the startup configuration!!!!!!!! Solution So quick and simple, I pulled one of the RP and preformed password recovery running on a single RP. All went according to the Cisco documentation http://www.cisco.com/en/US/docs/routers/asr1000/install/guide/routers/asr1_hwc.html#wp1045971   After the system running on a single RP was recovered and fully booted I waiting for 5 minutes just to be sure; then I inserted the second RP and allowed everything to sync up.   All was well again :) phew   Note: The system was previously fully functioning with dual RPs; a configuration error was made during Tacacs+ configuration which resulted in lockout.   Summary I hit an issue recovering and ASR with dual RPs, so rather that spending hour researching, I decided ve

Break the Network Emulators out of the Cloud

Cisco IOU and JunoSphere Recently both Cisco and Juniper have announced the availability of online resources to provide hands on training over the internet. They have built software emulators in the cloud that can be accessed remotely for a cost. These solutions are based purely around the certification programs and therefore are pretty rigid in the topology that are provided, not to mention the re-occurring cost. http://www.juniper.net/us/en/company/press-center/press-releases/2011/pr_2011_05_16-03_01.html https://learningnetworkstore.cisco.com/market/prod/listSubCatLearnLab.se.work?TRGT=85&/nxt/rcrs/=2559 Rack Rentals There are training providers such as Internetwork Expert (http://www.ine.com/) and IPexpert (http://www.ipexpert.com/) who provide rack rentals based on their training materials. These guy cannot possibly compete going forward. To keep these sustainable they will need to reduce the overhead of building physical racks, providing power and space for the racks. Using e