More Question than answers
(This series will be based on an enterprise with >20,000 dot1x devices)
I have been looking into dot1x authentication for Wired and Wireless devices based on device identity using x.509 Certificates. While I understand PKI, AAA, PEAP and sorts I had never really had the opertunity to bring these technologies together. I quickly found out that despite this stuff being around for years, it was difficult to answer the following questions:
- Which PKI solution should I use?
- Which AAA solution should I use?
- How to setup the PKI solution?
- Does the PKI server need to be part of AD?
- What if the clients are not in AD e.g. Wireless Tablets?
- How do I issue certificates for devices?
- How to configure the devices (wired and wireless)?
- What AAA server do I use?
- How do configure the rules and policies and identify clients?
What are the answers?
I am going to kick off a series here at networking-guru.net that tries to address the question above; I have limited time but hopefully I can invest some over the coming weekends and share my thoughts with you.
- Which PKI solution should I use?
- Which AAA solution should I use?
These two question were pretty frustrating and I cannot say I am fully satisfied with the answer I have at the moment. Here are some brief thoughts:
For PKI solution I found it really difficult to identify any enterprise type products. Realistically I could only find Microsoft Certificate Authority. There are a few popular opensource solutions which personally I find quite interesting but it would be a hard sell for many enterprise customers. The other option is to use a external managed solution but again a very hard sell into the enterprise.
For AAA (RADIUS) there are a few:
- Cisco ACS,
- Cisco ISE (new kid on the block)
- Juniper Steel Belted RADIUS
- Microsoft IAS (lol)
- FreeRADIUS
IAS and Free RADIUS are out off the bat, IAS because it is appalling, FreeRADIUS as its opensource and the mangeability is going to be tough for some of the less skill support desk staff that would inevatibilty have to support it.
Juniper Steel Belted – what I can tell from Juniper, it runs on Windows 2003 32bit, Sun Solaris or Redhat 4, all of these seem pretty long in the tooth and many enterprises are already running programmes to update these legacy systems so not really interesting in deploying legacy computing.
Cisco Alternatives - Cisco run on a Linux variant but it is fully hidden from the customer and is not a concern as any update will be within the maintenance cycle of the Cisco product and not with the OS vendor. This leave Cisco ACS or Cisco ISE. ISE appear to be is a coming together of various product based on ACS and NAC Profiler, one signification point is that there is no TACACS in the version 1 is the ISE product. I would expect at some future release to see TACACS be introduced into ISE and for ACS to grow old gracefully as there is total over lap on the RADIUS ability of both product.
ISE and Microsoft
So with that said putting cost aside ISE and Microsoft PKI is where I am going to take this series.
Keep watching for future updates.
If you need a subnet calculator for you android devices then give this a try
https://play.google.com/store/apps/details?id=net.networkingguru.SubnetMasterRelease
Recent Comments