Wired 802.1x

Guest

Greetings.

I have been researching this for some time and have not come up with a
solution.
Basically, I would like to configure the interface Authentication settings
across all clients to use PEAP, along with some other related adjustments.

After downloading and installing Windows 2003 SP1, it appears that Microsoft
has really missed the boat on this. WHY would they include new GPO-based
features for wireless but not wired interfaces???

Does anyone know of a tool/script that configures Authentication settings of
an interface?

Thanks

- Lee
 
S. Pidgorny

Yes, Microsoft screwed this up. You cannot configure wired 802.1x properties
with group policy, or script, or any tool. Only manually, using the GUI.

We should stay tuned for the OS feature packs, I guess.
 
Steve Clark [MSFT]

We didn't miss the boat...

802.1x is not the answer here: IPsec transport mode is. IPsec works fine
*with* 802.1x, but 802.1x will not provide end to end protection of
anything.

IPsec will provide authentication, nonrepudiation, and confidentiality.

When you look at the majority of threats that these 2 technologies are
designed to protect an enterprise from, IPsec is the hands-down winner.
 
Pete

Steve Clark said:
We didn't miss the boat...

802.1x is not the answer here: IPsec transport mode is. IPsec works fine
*with* 802.1x, but 802.1x will not provide end to end protection of
anything.

IPsec will provide authentication, nonrepudiation, and confidentiality.

When you look at the majority of threats that these 2 technologies are
designed to protect an enterprise from, IPsec is the hands-down winner.



There you go.
So much for the customer is always right.
 
Steve Clark [MSFT]

Do you understand the fundamental differences between these two
technologies?

I'm not being argumentative, I'm trying to determine how best to demonstrate
where we counter threats....

Do you realize 802.1x has a fundamental problem with the way it
authenticates? When it was created years ago, it was all about wired
security. It was ported to wireless because it filled a particular gap that
exists. Now some are using it in a "wired" scenario.

What I'm saying is that IPsec is far more powerful than 802.1x ever thought
about being when it comes to protecting traffic on a per-packet basis.
802.1x is the equivalent of asking hosts to play nice on the network. IPsec
*forces* hosts to play nice on the network (if they want to talk to hosts
secured with it).
 
Guest

Steve -

Thanks for the post but...
I have read your mantra in many other posts.

Maybe your comments would benefit others, but I would appreciate it if you
tried to answer the question. The bottom line is that I have not seen any
high-level interfaces that automate the configuration of wired 802.1x on XP.
So if you have something to contribute in THAT regard, it would be greatly
appreciated.

Please don't presume to know what the customer wants. We are looking for
security IN DEPTH - you know, the multiple layers thing? 802.1x and IPSec
will coexist in my environment... which in this case is military.

- Lee
 
S. Pidgorny

I have answered your question before: the only high-level interface that
exists is the GUI.

I disagree with your "in depth" approach. I saw an "in depth" approach
implementing HTTP over SSL over SSH over IPsec (on a private MPLS
network) - big overhead with very questionable security benefit.
 
