[tech] Problems with 802.1x wireless (Was: Port security for clubroom wall ports)

Matt Didcoe mattman at ucc.gu.uwa.edu.au
Mon Sep 10 18:46:58 WST 2012


This brings up another problem though which was highlighted to me by
[BOB], which is that some of our members' computers don't support
802.1x authentication to SSID UCC correctly - which is why they use
the wired ports connected to desktops.

I don't have an immediate solution to that problem and over recent
time I've heard of fewer and fewer issues with it as people upgrade to
an operating system that has correct support (or that at least has
workarounds to get it going... maybe I'm just not spending enough time
in the clubroom though).

[TRS] suggested implementing something like PacketFence[1], but
investigations suggested that OpenWRT/DD-WRT do not support dynamic
VLAN assignment via radius (other users of PacketFence appear to have
run into this issue), which kind of renders the solution pointless. I
do like the idea though as it adds a GUI to help people when they get
stuck along the way. As discussed on IRC last night, a lot of it could
well be implemented just using IOS on Bitumen, but if someone messes
up, there's nothing to flag that and explain how to put it right (I
also think we'd still run into the dynamic VLAN issue).

We could fix that by buying "enterprise"(TM) wireless gear - or
something that at least has a broader feature set, but it's whether it's
worth going through all that.

Open to thoughts on what we can do to (a) make the wireless easier for
people that have dodgy support for authentication; or (b) a system
where we can do some other form of auth that will allow people on in
the event they do not have 802.1x support.

Cheers,
[MRD]

[1] http://www.packetfence.org/home.html

On Mon, Sep 10, 2012 at 6:33 PM, Matt Didcoe <mattman at ucc.gu.uwa.edu.au> wrote:
> Hi,
>
> I got a bit fed up with going into the clubroom and attempting to use
> a desktop machine, only to discover some inconsiderate person/persons
> had removed the network cable to use with their laptop and failed to
> return it.
>
> As a complete over-reaction and rather than fixing the social problem
> at hand, much as is the way we handle things at UCC, I've implemented a
> broad technical solution that may or may not work!
>
> MAC based port security is configured on bitumen for Gi7/1-48 which is
> all the clubroom ports. Gi7/19 is slightly different as that's got the
> little hub over on the shelves attached, which has `switchport
> port-security maximum 10` set, which means that 10 MAC addresses can
> be associated with that port.
>
> I'll monitor the situation for a few days and see if we get any
> complaints. If we do, it's easy enough to revert. Anyone interested in
> the rest of the config (there's only a couple of other lines) can look
> at rancid.
>
> Cheers,
> [MRD]
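As an added illustration (not code from the thread or the UCC switch config), a small Python audit of the IOS port-security settings described in the quoted message: it parses a constructed running-config excerpt (not the real bitumen config from rancid), applies the IOS defaults, and flags clubroom ports Gi7/1-48 that either lack port-security or allow more than one MAC, such as the hub port with `maximum 10`.

```python
import re
from typing import Dict, List, Tuple

# Constructed Cisco IOS running-config excerpt in the style of the clubroom
# switch from the thread; the real config is not on this page.
SAMPLE_CONFIG = """\
interface GigabitEthernet7/1
 switchport access vlan 10
 switchport port-security
!
interface GigabitEthernet7/19
 switchport port-security maximum 10
 switchport port-security
!
interface GigabitEthernet7/20
 switchport access vlan 10
!
"""

IFACE_RE = re.compile(r"^interface (\S+)")
CLUBROOM_RE = re.compile(r"^GigabitEthernet7/(\d+)$")


def parse_port_security(config: str) -> Dict[str, dict]:
    """Map each interface to its effective port-security settings."""
    result: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            # IOS defaults: feature off; once enabled, maximum 1, violation shutdown
            result[current] = {"enabled": False, "maximum": 1, "violation": "shutdown"}
            continue
        if current is None or not line.startswith(" "):
            continue  # '!' or other top-level line ends the interface block
        cmd = line.strip()
        if cmd == "switchport port-security":
            result[current]["enabled"] = True
        elif cmd.startswith("switchport port-security maximum "):
            result[current]["maximum"] = int(cmd.split()[-1])
        elif cmd.startswith("switchport port-security violation "):
            result[current]["violation"] = cmd.split()[-1]
    return result


def audit_clubroom(config: str, first: int = 1, last: int = 48) -> List[Tuple[str, str]]:
    """Return (interface, reason) for clubroom ports needing a second look."""
    findings = []
    for name, ps in parse_port_security(config).items():
        m = CLUBROOM_RE.match(name)
        if not m or not first <= int(m.group(1)) <= last:
            continue
        if not ps["enabled"]:
            findings.append((name, "port-security not enabled"))
        elif ps["maximum"] > 1:
            findings.append((name, f"allows {ps['maximum']} MACs (hub port?)"))
    return findings
```

Running `audit_clubroom` on the sample reports Gi7/19 for its raised maximum and Gi7/20 for having no port-security at all, which is the kind of check worth repeating whenever rancid records a config change.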
