Solved

802.1x authentication - MAC address Plus user entered credentials

Posted on 2014-08-20
Last Modified: 2014-08-21
I'm working on a project where we will be using Meraki equipment. We want there to be a single SSID throughout the entire project. When a user with their device connects to the common SSID and WPA PSK, they will be prompted for their username and password. This authentication will place them on their assigned VLAN within the network, which will allow them to communicate only with their equipment but still be able to roam wherever. This prevents the need to have 100+ SSIDs, one for each account. The only issue I am seeing is with some wireless devices that do not support 802.1x authentication. They only support standard WPA2. How can I configure a server to look at the MAC address of the device if it is incapable of the username/password entry and allow it on a specific VLAN, but still keep the functionality of having users enter the username/password from their mobile devices?

I will have some kind of LDAP or Active Directory server in place to maintain the user accounts and to function as a RADIUS server.

Thanks!
Question by:farroar

Expert Comment

by:Rich Rumble
ID: 40276147
You probably want to look at NAC solutions like ForeScout. Also, why in the world would you need 100s of SSIDs? Typically companies have two, one for guests and one for employees. The guest SSID only allows internet access; the employee SSID allows those users with a user/pass into the network. You can then use the MAC address and/or 802.1x to place the users into VLANs, or apply rules/filters to their MAC/IP. I've not run into many devices that are wireless and don't support 802.1x, except for dumb devices like printers. Phones, PDAs, tablets, even gaming systems typically support 802.1x. In the cases where it's not supported, you make exceptions based on the MAC address.
-rich

Author Comment

by:farroar
ID: 40276236
Thanks for the input, Rich. The design is for a large residential MDU. Many users who require individual subnets each but with a common infrastructure. These are "smart homes" that have many of their internal devices controlled via mobile apps. If each unit had their own SSID, it would be far too complicated to implement and manage considering the specifics of the requirements for each unit. There are wireless thermostats in each unit that will be controlled by the user and need to be on their subnet only. These do not accept 802.1x authentication. I would need these dumb devices to be authenticated based on their MAC address and all other devices, if they are capable, to use user/pass credentials. The whole system will allow them to roam around the entire campus and access the WLAN on their subnet as well as monitor and control their own equipment.

If you are saying I can do both MAC and 802.1x then that is what I'm looking for. I was concerned that it was one or the other and not both. I have been looking into the Cisco ISE server to manage the policies but I'll have to look into ForeScout as well. The system is mainly Meraki and is cloud SDN basically. They have their own features for access control but not as granular as we would like.

If I were to authenticate off of a NAC like ForeScout or ISE, I would want to be able to:

1. Identify the user based on user/pass credentials or MAC address
2. Compare the user / MAC against a policy that specifies attributes including
     - Assigned VLAN
     - Bandwidth Limitations
     - Content control

Is this something that ForeScout can do?

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 40276443
Yes. Get a demo from them. There are others, but after investigating NAC for the past 5 years, they are the only one I'd even consider. As a security professional, I am glad to see these steps being taken for this newer home trend, but it's not enough :( MACs can be spoofed, and these devices that talk WPA(2) and Bluetooth (so the phone apps can control them) and other protocols are not (yet) very secure:
https://www.youtube.com/watch?v=LYAMKB-MmyM
http://www.networkworld.com/article/2224849/microsoft-subnet/hacking-and-attacking-automated-homes.html
http://www.wired.com/2014/07/hacking-hotel-room-controls/
https://www.blackhat.com/docs/us-14/materials/us-14-Jin-Smart-Nest-Thermostat-A-Smart-Spy-In-Your-Home.pdf
https://www.defcon.org/images/defcon-21/dc-21-presentations/Crowley-Panel/DEFCON-21-Crowley-Savage-Bryan-Home-Invasion-2.0.pdf

I think you'll have good results working with ForeScout, the others that might be worth looking into are:
http://forums.juniper.net/t5/image/serverpage/image-id/3551iE2089EB1AB8284A5

**edited to add this, just now:
http://securelist.com/analysis/publications/66207/iot-how-i-hacked-my-home/
-rich
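
The combined decision discussed in this thread (802.1x credentials where the device supports them, a MAC allow-list where it does not, each mapped to a VLAN) can be modelled as follows. This is an added example, not part of the original thread and not ForeScout, ISE or Meraki code; the policy tables, the `Filter-Id` names and the assumption that the access point sends the client MAC as `User-Name` for non-802.1x devices are all constructed for illustration.

```python
import re

# Constructed sample policy (assumption): one VLAN per residential unit.
USERS = {"unit101-alice": {"vlan": 101, "filter": "resident"}}
# Devices that cannot do 802.1x, keyed by normalized MAC (constructed values).
MAB_DEVICES = {"001122aabbcc": {"vlan": 101, "filter": "iot-restricted"}}

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def vlan_reply(entry):
    """RFC 3580 attributes that tell the access point which VLAN to use."""
    return {
        "Tunnel-Type": 13,             # VLAN
        "Tunnel-Medium-Type": 6,       # IEEE 802
        "Tunnel-Private-Group-ID": str(entry["vlan"]),
        "Filter-Id": entry["filter"],  # named policy enforced by the NAS
    }

def authorize(user_name, calling_station_id, eap_verified=False):
    """Return (decision, reply_attributes) for a simplified Access-Request.

    eap_verified stands in for a successful 802.1x credential check against
    the directory; that exchange is outside this example.
    """
    station = normalize_mac(calling_station_id)
    claimed = normalize_mac(user_name)
    if claimed is not None:
        # MAC authentication: the name must match the radio's view of the
        # client and be on the allow-list. It never falls through to USERS.
        entry = MAB_DEVICES.get(claimed) if claimed == station else None
    elif eap_verified:
        entry = USERS.get(user_name)
    else:
        entry = None
    if entry is None:
        return "Access-Reject", {}
    return "Access-Accept", vlan_reply(entry)
```

Because a MAC address is only an identifier the client reports, the allow-listed entries here carry the more restrictive `iot-restricted` policy name rather than the resident one.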

Author Comment

by:farroar
ID: 40276530
Thanks for that. I agree and as a security "guy" in networking, I am concerned with this as well. A lot of planning needs to be done in order to maintain security with all of these IoT devices. It would be great if we could use some of the other technologies but in this case it isn't possible. Each unit will have a control processor and this processor serves up the UI for the mobile devices as well as sends the commands to all of the controlled devices in the home. That would include lighting, AV, HVAC, Shades, security, etc... It is a great solution for home control and is on the higher end of the products available on the market. It requires that all devices be connected via wired or wireless Ethernet. This deployment is unique and hopefully it will be a kind of benchmark for the way a large MDU can be brought into the smart home arena.

Thanks!