802.1X and RADIUS

Project ID: 30
Current stage: 
Manager: 
Unit: 
What: 

Description: 802.1X is the IEEE standard for port-based network access
control. Based on the credentials presented by the user's supplicant, a
wireless association may be encrypted with keys derived from the
authentication exchange, and the switch port or association may be placed
onto a VLAN carrying the access rights considered appropriate for that user.

An 802.1X supplicant is built in to Windows, and free supplicants (for
example wpa_supplicant) are available for Linux.

RADIUS is the usual back-end protocol between the authenticator (the switch
or access point) and the authentication server, carrying authentication,
authorisation and accounting (AAA). Because every session is both
authenticated and accounted for, a strong audit trail (who connected, on
which port or access point, and when) follows naturally from these mechanisms.
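As an added illustration of the two halves described above (not part of the original project page, and not a configuration the project produced), the following shows a FreeRADIUS 2.x `users` entry that places an authenticated user on VLAN 30 by returning the RFC 3580 tunnel attributes, alongside the matching Linux wpa_supplicant network block. The user name, password, SSID, certificate path and server name are all assumed placeholders.

```text
# --- FreeRADIUS 2.x "users" file (authentication server side) ---
# Constructed example: user "alice" (assumed credentials) is placed on VLAN 30
# by returning the RFC 3580 attribute triple in the Access-Accept; the switch
# or AP reads these and moves the port/association onto that VLAN.
alice   Cleartext-Password := "correct-horse"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"

# Anyone not matched above is rejected outright rather than left on a default
# VLAN (assumed local policy; unauthenticated access is then a switch-side
# guest-VLAN decision, not a RADIUS one).
DEFAULT Auth-Type := Reject

# --- wpa_supplicant.conf (Linux supplicant side) ---
network={
    ssid="Informatics-8021X"             # assumed SSID
    key_mgmt=WPA-EAP                     # WPA/WPA2-Enterprise: keys derived from EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="correct-horse"
    # Pin the RADIUS server's certificate. Without ca_cert and a name match
    # any rogue AP can present its own certificate and harvest the inner
    # MSCHAPv2 exchange, so this is the setting the recommendations must insist on.
    ca_cert="/etc/ssl/certs/radius-ca.pem"   # assumed CA bundle path
    domain_suffix_match="radius.example.org" # assumed server certificate name
}
```

For a wired port the same supplicant block applies with `key_mgmt=IEEE8021X` and wpa_supplicant started with the `wired` driver; the server side is unchanged, which is what makes one RADIUS service serve both the wireless and the self-managed-port cases.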

Deliverables:

  1. Review of 802.1X technology, and how its deployment around the
    University in general and within Informatics in particular might affect us.
  2. Recommendations for authentication options to be used, based on
    protocol constraints, local requirements, and exact OS support.
  3. Pilot RADIUS service to try out some options.

Note that it is NOT intended to produce a full production service as part
of this project (unless it drops out naturally from the evaluation and
testing work).

Why: 

Customer: Initially anyone with a laptop or self-managed machine.

Case statement: There are three drivers for this project:

  1. EUCS are looking to deploy 802.1X network login authentication on the
    wireless access points which they manage. The aims are to allow less
    heavily restricted access to authenticated users, to encrypt the wireless
    traffic using negotiated parameters, and to participate in various
    visitor-access schemes. At the very least we need to see how our own APs
    fit into this framework.
  2. The availability of 802.1X network authentication would allow us to tidy
    up some of the rough edges in our self-managed network port provision.
  3. It looks possible that our deployment of IP phones in the new building
    might be simplified by the availability of 802.1X,
    but more work is needed to see whether this is a
    mirage or some useful reality.

Note that the APs we manage will not be able to offer access to
"eduroam" or the like without 802.1X being enabled.

When: 

Status: Stalled until spring 2008, by which time the next major release of FreeRADIUS
should have appeared, and the wireless situation in the Forum may be a bit
clearer.

Timescales:

Priority:

Time:

How: 

Proposal:

Resources:

  1. 2-3 weeks of some suitably experienced person's time
  2. It should be possible to piggy-back the pilot RADIUS service on a couple
    of existing machines. If it looks as though this will develop into a
    full service then dedicated servers with UPSes would be needed, though
    there probably isn't a great requirement for CPU power or disc throughput
    given our likely load.

Plan:

Other: 

Dependencies: Some of our older switches do not speak 802.1X, but we do not expect to
be redeploying them in outward-facing roles in either the new building or
the refurbished Appleton Tower. Most recent ones do, and
802.1X and RADIUS will be requirements for any new switches.

Risks:

URL: http://www.dice.inf.ed.ac.uk/units/infrastructure/Projects/06-dot1X.html

Milestones

Proposed date   Achieved date   Name     Description
2007-09-24                      FReval   Evaluate FreeRADIUS and possible hardware requirements.