How to implement 802.1x when I need to use intermediate switches

Tags: authentication, design, security

Let's say I have an office where each RJ45 jack needs to support 4 computers. Each of those RJ45 jacks is connected to one port on a 24 port managed switch in the networking closet. However, we also need to use 5 port switches between the wall jack and the 4 computers.

Which of the following options is the best way to implement 802.1x?

  • Option A)

Buy a 24 port managed switch with 802.1x support. Find some managed 5 port switches, where they can both authenticate to the parent switch, as well as authenticating their own ports with clients. I don't know if this kind of 802.1x daisy-chaining is possible, so please let me know. But this way, no-one could plug in a hub between the wall jack and the 5 port switch to get unauthenticated access to the network.

  • Option B)

Buy a managed, 48 port switch, and lock it in the networking closet. Re-wire the office so that we have groups of 4 wall jacks instead of 1, and remove the intermediate 5 port switches. This way, each port will be authenticated with 802.1x, and someone would have to break into the networking closet to gain access to the internal network.

  • Option C)

Keep the 24 port unmanaged switch that we're currently using in the network closet, but buy managed 5 port switches that support 802.1x. Remove the wall jacks and plug the cables directly into the managed switches, plug each of the computers into the switches, and then lock the switches inside tamper-proof boxes. This way, no-one can easily gain access to the unauthenticated ethernet connection, at least without cutting into network cables.

In each of these cases we will have ARP spoofing protection, and will shut down the port if it detects suspicious activity.

Please let me know which option you think is best, or if you can think of an even better solution. We've just rolled out 802.1x for wifi, but our current network topology makes wired 802.1x quite difficult to implement.

Best Answer

I don't know of any switches that are 802.1x supplicants, so Option A is probably out. So between Options B and C, the primary difference is cost. I imagine rewiring your office is both expensive and disruptive, versus the cost and the hassle of managing all those new switches.

The real question you should be asking is, what threat am I defending against, and what is the real risk? Are you really worried that someone might sneak into your building (I have no idea what kind of office you're in or where it is) and plug in an unknown device? Why would they do that? The question should not be "is it possible," but "is it a significant risk worth the cost of rewiring or buying new switches?"

As an example, in the office where I'm currently working (a quasi-government agency), we do not have 802.1x. In theory, anyone can plug a device into the network. But in order to do so, you first have to get by the guards at the entrance, and you would need a badge with a card key. If you are an employee, you would know that there is a policy prohibiting unauthorized devices on the network.

Clearly, if you really, really wanted to, you could bypass all these controls. But management has decided that these controls are sufficient, given the risk to the network. Frankly, if you really wanted something on our network, it would be easier to pwn a machine and steal it remotely. That way, you could take your time and avoid the risk of detection and arrest.

My point is: just because you have a shiny new 802.1x system for wifi, it doesn't mean you need it for your wired network. Or if you do decide to use it, tamper-proof boxes, etc., may not be necessary. You (and management) need to weigh the risk against the cost of new switches, wiring, maintenance and reliability (what happens if your RADIUS server crashes? Does that block all network access?).

Maybe you work in a high-security environment where all these controls are necessary. But I'm guessing you have a solution looking for a problem. Best to weigh the risk vs cost. That analysis will allow you to justify the costs (monetary and operational) to management.
