POLL: 802.1x deployment
I'm tech-reading an upcoming book, and it makes the implication that 802.1x is not very widely deployed... which seems possibly an overly narrow view of the Real World. If you regularly use one or more 802.1x protected networks, could you take a moment to reply off-list, and tell me the size of the network (homelab, smb, enterprise, carrier), and, if you know, how long 802.1x has been deployed there? I'm also interested in whether any network you use has dropped .1x. I'll summarize to the list if there's interest. Thanks. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Hi, I'd suggest you ask the guys from the Enterasys mailing list. Sorry, couldn't resist ;-) Michael P.S.: No, I don't have 802.1x enabled on LAN for my users sitting in their offices.
If you regularly use one or more 802.1x protected networks, could you take a moment to reply off-list, and tell me the size of the network (homelab, smb, enterprise, carrier), and, if you know, how long 802.1x has been deployed there?
Surely you are joking, Mr. Ashworth. The entirety of eduroam is on 802.1X (better known as WPA Enterprise). That must be an 8-digit number of users. If you need a list of sites, start with http://en.wikipedia.org/wiki/Eduroam (but, aside from the US, it mostly lists just the countries). When you are done drilling down, there should be about 6500 names of sites on the list. If you are talking about wired .1X: It is relatively common for eduroam-enabled institutions to also provide publicly accessible wired ports controlled by .1X and connected to the same RADIUS servers. But I don't have any numbers at all.
I'm also interested in whether any network you use has dropped .1x.
eduroam deployment started in 2003. Your university academic computing environment would need to be pretty stupid to leave eduroam once it is deployed. But stranger things have happened. If your academic computing environment is not yet on eduroam, they still almost certainly use .1X for the wireless. Not all 100+ million students worldwide have access to on-campus WiFi, but nowadays most do. Grüße, Carsten
On 9/25/12, Carsten Bormann <cabo@tzi.org> wrote:
Surely you are joking, Mr. Ashworth. The entirety of eduroam is on 802.1X (better known as WPA Enterprise).
ding ding ding. WPA Ent wireless authentication calls upon 802.1X. And 802.1X wired port security is also a feature of many switches, and provides stronger protection than MAC-address based port security functionality; and the 802.1x option may be used by at least some organizations, to protect against unauthorized connections to secure wired networks, and/or to force guests / salespeople / vendors plugging in their laptop, to be placed in a guest LAN; instead of gaining access to the company's secure internal network, if they sneak over to someone's desk, unplug the desktop, and plug in their laptop to attempt some covert network scanning..... Wired switch vendors don't add 802.1X to their switches for their health, it would be less expensive to make a product without the development effort to add the function; someone wants the feature. In this case, the remaining burden of proof should be on whoever wants to claim it's not widely deployed.
http://en.wikipedia.org/wiki/Eduroam (but, aside from the US, it mostly lists just the countries). When you are done drilling down, there should be about 6500 names of sites on the list.
eduroam deployment started in 2003.
Eduroam? What standard is that?
Grüße, Carsten
-JH
On Wed, 26 Sep 2012 00:37:38 +0200, Carsten Bormann said:
The entirety of eduroam is on 802.1X (better known as WPA Enterprise). That must be an 8-digit number of users. If you need a list of sites, start with http://en.wikipedia.org/wiki/Eduroam
However, that would be more a confederation of deployments than one single large deployment.
On Tue, 25 Sep 2012, Valdis.Kletnieks@vt.edu wrote:
On Wed, 26 Sep 2012 00:37:38 +0200, Carsten Bormann said:
The entirety of eduroam is on 802.1X (better known as WPA Enterprise). That must be an 8-digit number of users. If you need a list of sites, start with http://en.wikipedia.org/wiki/Eduroam
However, that would be more a confederation of deployments than one single large deployment.
But each participating institution (more than 5000 universities and research centres) deployed 802.1x in their premises. Big bonus that they work together seamlessly (inter organisation roaming and 802.1x usage). Have a look at the official homepage of eduroam: http://www.eduroam.org/ Best Regards, Janos Mohacsi
That is quite impressive that 5,000 orgs got 802.1x working correctly in this fashion. I had a lot of questions how they handled auth, but it appears auth is distributed according to a roaming user's realm/domain suffix. https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-sit... Fairly decent wiki on their site, bet others would find this helpful for non-eduroam dot1x On Wed, Sep 26, 2012 at 12:27 AM, Mohacsi Janos <mohacsi@niif.hu> wrote:
On Tue, 25 Sep 2012, Valdis.Kletnieks@vt.edu wrote:
On Wed, 26 Sep 2012 00:37:38 +0200, Carsten Bormann said:
The entirety of eduroam is on 802.1X (better known as WPA Enterprise). That must be an 8-digit number of users. If you need a list of sites, start with http://en.wikipedia.org/wiki/Eduroam
However, that would be more a confederation of deployments than one single large deployment.
But each participating institution (more than 5000 universities and research centres) deployed 802.1x in their premises. Big bonus that they work together seamlessly (inter organisation roaming and 802.1x usage).
Have a look at the official homepage of eduroam: http://www.eduroam.org/
Best Regards, Janos Mohacsi
-- Brent Jones brent@brentrjones.com
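The realm-suffix routing mentioned in the message above, sketched as an added example that is not part of the thread or of eduroam's own code: a site's RADIUS server authenticates its own realm locally, proxies visitors upstream, and rejects malformed realms instead of forwarding them. `LOCAL_REALM`, `UPSTREAM_PROXY` and the treatment of sub-realms as local are assumptions made for illustration.

```python
import re

# Hypothetical values for this sketch; a real site sets these in its RADIUS config.
LOCAL_REALM = "example.edu"
UPSTREAM_PROXY = "federation-proxy.example.net"

# One DNS-style label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def extract_realm(user_name):
    """Return the lower-cased realm of an outer identity, or None if unusable."""
    if user_name.count("@") != 1:
        return None                      # no realm at all, or ambiguous "a@b@c"
    realm = user_name.split("@")[1].lower()
    labels = realm.split(".")
    if len(labels) < 2:
        return None                      # single label: nothing to route on
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None                      # empty labels, spaces, stray characters
    return realm


def route(user_name):
    """Decide what the site's RADIUS server does with an Access-Request."""
    realm = extract_realm(user_name)
    if realm is None:
        return ("reject", None)          # never forward junk realms upstream
    # Compare whole labels: "notexample.edu" must not be treated as local.
    if realm == LOCAL_REALM or realm.endswith("." + LOCAL_REALM):
        return ("local", realm)          # home users: authenticate here
    return ("proxy", UPSTREAM_PROXY)     # visitors: forward toward the home realm


# Constructed sample identities (not taken from the thread).
SAMPLES = ["alice@example.edu", "bob@cs.example.edu", "carol@uni.example.org",
           "dave", "eve@example.edu ", "frank@notexample.edu", "x@example..edu"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), "->", route(name))
```

Rejecting unroutable realms at the edge keeps typos and misconfigured supplicants from generating proxy traffic that no upstream server can answer.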
I've (re)sent this to the list as no-one else has noted it <g> Possibly a game-changer in the (academic) 802.1x space ... http://www.project-moonshot.org/diary http://www.painless-security.com/blog/
----- Original Message -----
From: "Peter J. Cherny" <peterc@luddite.com.au>
I've (re)sent this to the list as no-one else has noted it <g>
Possibly a game-changer in the (academic) 802.1x space ... http://www.project-moonshot.org/diary http://www.painless-security.com/blog/
I did see that come in, and was going to look into it more deeply tonight; if it is -- as it appears to be -- a framework for globally federated identification/authentication, then it will probably hit the same walls (of theory, not merely implementation) which other earlier attempts have hit: privacy and non-correlation being prime among them. It's orthogonal to 802.1x, though, unless anyone's shipping code to hook a dot1x server to it as you would, say, a Radius server. :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
participants (8)
- Brent Jones
- Carsten Bormann
- Jay Ashworth
- Jimmy Hess
- Michael Muller
- Mohacsi Janos
- Peter J. Cherny
- Valdis.Kletnieks@vt.edu