Skip to main content

Where are all the AAA and PKI solutions gone for Dot1x

More Question than answers


(This series will be based on an enterprise with >20,000 dot1x devices)

I have been looking into dot1x authentication for Wired and Wireless devices based on device identity using x.509 Certificates. While I understand PKI, AAA, PEAP and sorts I had never really had the opertunity to bring these technologies together. I quickly found out that despite this stuff being around for years,  it was difficult to answer the following questions:

  • Which PKI solution should I use?

  • Which AAA solution should I use?

  • How to setup the PKI solution?

  • Does the PKI server need to be part of AD?

  • What if the clients are not in AD e.g. Wireless Tablets?

  • How do I issue certificates for devices?

  • How to configure the devices (wired and wireless)?

  • What AAA server do I use?

  • How do configure the rules and policies and identify clients?


 

What are the answers?


I am going to kick off a series here at networking-guru.net that tries to address the question above; I have limited time but hopefully I can invest some over the coming weekends and share my thoughts with you.

  • Which PKI solution should I use?

  • Which AAA solution should I use?


These two question were pretty frustrating and I cannot say I am fully satisfied with the answer I have at the moment. Here are some brief thoughts:

For PKI solution I found it really difficult to identify any enterprise type products. Realistically I could only find Microsoft Certificate Authority. There are a few popular opensource solutions which personally I find quite interesting but it would be a hard sell for many enterprise customers. The other option is to use a external managed solution but again a very hard sell into the enterprise.

For AAA (RADIUS) there are a few:

  • Cisco ACS,

  • Cisco ISE (new kid on the block)

  • Juniper Steel Belted RADIUS

  • Microsoft IAS (lol)

  • FreeRADIUS


IAS and Free RADIUS are out off the bat, IAS because it is appalling, FreeRADIUS as its opensource and the mangeability is going to be tough for some of the less skill support desk staff that would inevatibilty have to support it.

Juniper Steel Belted - what I can tell from Juniper, it runs on Windows 2003 32bit, Sun Solaris or Redhat 4, all of these seem pretty long in the tooth and many enterprises are already running programmes to update these legacy systems so not really interesting in deploying legacy computing.

 

Cisco Alternatives - Cisco run on a Linux variant but it is fully hidden from the customer and is not a concern as any update will be within the maintenance cycle of the Cisco product and not with the OS vendor. This leave Cisco ACS or Cisco ISE. ISE appear to be is a coming together of various product based on ACS and NAC Profiler, one signification point is that there is no TACACS in the version 1 is the ISE product. I would expect at some future release to see TACACS be introduced into ISE and for ACS to grow old gracefully as there is total over lap on the RADIUS ability of both product.

 

ISE and Microsoft


So with that said putting cost aside ISE and Microsoft PKI is where I am going to take this series.

 

If you need a subnet calculator for you android devices then give this a try

https://play.google.com/store/apps/details?id=net.networkingguru.SubnetMasterRelease

 

 

Comments

Popular posts from this blog

ASR1006 Dual Route Processors Password Recovery - Tip

I recently ran into an issue when trying to perform dual route processors password recovery on a Cisco  ASR1006
Problem
After breaking into rommon mode and using confreg to ignore the startup configuration, during the rest the ASR1006 loaded the startup configuration!!!!!!!!
Solution
So quick and simple, I pulled one of the RP and preformed password recovery running on a single RP. All went according to the Cisco documentation

http://www.cisco.com/en/US/docs/routers/asr1000/install/guide/routers/asr1_hwc.html#wp1045971



After the system running on a single RP was recovered and fully booted I waiting for 5 minutes just to be sure; then I inserted the second RP and allowed everything to sync up.



All was well again :) phew



Note: The system was previously fully functioning with dual RPs; a configuration error was made during Tacacs+ configuration which resulted in lockout.


Summary
I hit an issue recovering and ASR with dual RPs, so rather that spending hour researching, I decided very quickly to go …

NetGuruSubnetCalc

This is a straightforward no nonsense Subnet Calculator. It does however allow you to pull up the subnet information you have been working on in the iPhone Todays Widget View. This means that the subnet information is just a slide away.




Developed my me. Now Available

http://itunes.apple.com/gb/app/id941632787

From IOS to Junos – JNCIA Result - PASS

I done the exam, and I am please to say I passed. So the lab-ing and the two PDFs

JNCIA-Junos_SG_part_1_09-16-2010.pdf
JNCIA-Junos_SG_part_2_09-16-2010.pdf

And a bit of surfing the web were enough. That is not to say everything in the exam was familiar, I did have to think seriously about some questions which puzzled me.
So the next step will be to go for specialist, but because of workload, it's going to take a little longer that 15 Days.