We'd like to enable 802.1X in our current network, but as there are lots of devices that we don't yet have in our AD/RADIUS server database, we'd need to allow everything in the beginning. There are also lots of devices that don't support 802.1X, so we'll need MAB. What do you think is the best practice for enabling authentication with minimal interruption? I can think of three different options:

1) First try 802.1X and fall back to MAB after 20 seconds. The RADIUS server either responds with the correct User-Name (if the device is found in the databases) or just sends Access-Accept. Later, when we have everything in the DBs, we'll switch to default deny.
What would happen if the device takes longer than 20 seconds to initialize its 802.1X supplicant after link up and has already received Access-Accept for MAB?

2) Enable 802.1X and MAC auth simultaneously.
MAC auth seems to be faster; what would happen if the device gets accepted to the network based on MAC auth and then tries to do 802.1X authentication?

3) Enable 802.1X and MAC auth simultaneously, but the RADIUS server doesn't respond at all to requests for unknown MAC addresses. After the timeout the switch would allow traffic in the VLAN that's configured on the port.
Not sure if this is a possible or reasonable option.

We'd use dynamic VLANs for everything we can recognize, and almost all devices get their IP addresses from DHCP.

Thanks for any ideas!
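As an added editorial example (not from the original post or any vendor document it cites), here is a Cisco IOS flexible-authentication port configuration for option 1: 802.1X is tried first and the port falls back to MAB after 20 seconds, while `authentication priority` lets a late-starting supplicant's 802.1X result replace an existing MAB authorization, which is the concern raised under options 1 and 2. The interface name, VLAN number and timer values are assumptions.

```cisco
! Added example, not from the original post: Cisco IOS flexible-auth port
! configuration for "802.1X first, MAB fallback after 20 seconds".
! Interface name, VLAN number and timer values are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 ! Try 802.1X first; run MAB only when no supplicant answers.
 authentication order dot1x mab
 ! If a supplicant starts 802.1X after MAB has already authorized the
 ! port, the higher-priority dot1x result takes over the session.
 authentication priority dot1x mab
 authentication port-control auto
 ! An explicit 802.1X failure (Access-Reject) also moves on to MAB.
 authentication event fail action next-method
 ! When every RADIUS server is marked dead, authorize new sessions into VLAN 100.
 authentication event server dead action authorize vlan 100
 mab
 dot1x pae authenticator
 ! Fallback delay = tx-period x (max-reauth-req + 1) = 10 x 2 = 20 seconds.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
```

The MAB request that reaches the RADIUS server carries the MAC address as User-Name (and, on Cisco, Service-Type Call-Check), so the "accept unknown MACs for now" policy of option 1 is a RADIUS-side rule that can later be tightened to default deny without touching the port configuration.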