Best Advice for NAC and 802.1X
Posted by darmachino@reddit | sysadmin | 12 comments
Hi folks,
I took over a role for a company that previously had no IT in office. We have other offices around the world so all IT help was done by other offices. I kind of came into a mess, the infrastructure was basically hand the employee a computer and say go nuts with it.
I am working on making the office more secure but wanted some advice. Our WiFi has PSK with no NAC. I want to implement NAC and 802.1X (as a start) to secure our network. However, I am a little concerned with the overhead that this will cause, as currently our IT team is only 2 for about 350+ users, so I am not sure if this would be manageable.
I have a proof of concept working using FreeRADIUS and a MySQL DB, and it uses TTLS and MSCHAPv2. I know this is not the most secure but it certainly has to be better than WiFi with a PSK and no NAC, right? The passwords would strictly be used for network access and no other accounts.
Appreciate the feedback.
Brufar_308@reddit
Implemented packetfence as our 802.1x solution with a team of 2 for wired and wireless devices using certificates for authentication. Packetfence is free, you can purchase support through the developers at inverse.ca
Was nice having dynamic VLAN assignments for devices as well, really simplified switch configuration as the switch ports would reconfigure automatically when a device was plugged in.
Best of luck !
EscapeFate3@reddit
What resources did you use to learn Packetfence? Looking to implement this in our K12 environment and I’m having a hard time getting things up and running.
Brufar_308@reddit
Since packetfence is free, it was relatively easy to secure funds to engage Inverse (the people that created packetfence) to do some development work to support the hardware we chose (yes that’s backwards from how you are supposed to do it) and for assistance implementing the solution. It was very cost effective with that approach and helps support the development of packetfence. So I learned by working with their team on testing with our hardware and the implementation.
If you see Cambium APs and the Dell N series switches in their implementation docs, that hardware support was added for us. When we did that implementation we purchased blocks of time and they were amazingly efficient with the use of that time. Their support contracts have changed but it’s still very reasonable imho.
Reach out to Inverse.ca and see what options are available.
Cormacolinde@reddit
MS-CHAPv2 is worse than PSK in many situations, because it can allow a client to leak credentials.
Do PSK and force clients to VPN, even when on-premises (assuming your VPN requires MFA), or go to PKI and EAP-TEAP/EAP-TLS using something like ClearPass.
jstuart-tech@reddit
A NAC probably isn't the best place to start security-wise. I'm sure there are bigger problems to tackle (asset inventory, patching, removing admin privs etc etc).
Cold-Pineapple-8884@reddit
Do you have AD running?
Deploy a PKI (two tier - root and issuing) and an NPS server (natively integrates with AD).
Create a cert template for NPS and have Group Policy to issue the certs via auto enrollment and use it as well to present the certificate as part of the Wifi profile.
Set up NPS to accept the PKI cert you created (it will detect which user it’s for automatically).
There is a nuance with strong certificate mapping - you need to have your PKI insert the usersid into the cert as of the last year or so - https://directaccess.richardhicks.com/2025/01/27/strong-certificate-mapping-enforcement-february-2025/amp/
If PKI is above your head then you can also just skip that step and use computer authentication (can also set up with GPO) - but it will be using MSCHAPv2, which isn’t the most secure, and NTLM is eventually supposedly going away.
If all of this sounds above your head then stick with PSK or hire someone to do the work to configure what I mentioned.
darmachino@reddit (OP)
Thanks for the info! Why would it be better to stick with PSK over what I mentioned previously? Wouldn't every user having their own credentials and using TTLS and MSCHAP still be better than just a PSK?
Cold-Pineapple-8884@reddit
Depends how smart they are. We constantly have to assist our users to connect to our WiFi network because they can never figure out how to login properly.
And god help you when someone changes their password and their WiFi profiles break and start locking out their AD accounts.
You’re better off just taking the end user out of it and having GPO configure the profiles.
Heck, even use a GPO to push out the PSK.
If you trust your users they will usually let you down.
Something about typing their credentials into anything outside of a web form seems to make their brains short circuit in my experience.
darmachino@reddit (OP)
For context on how smart they are, a user said their camera wasn’t working and it was because the camera cover was on
ughisthisnametaken@reddit
Keep in mind that you can't do MSCHAPv2 if your users are on Windows 10 with Cred Guard enabled, or are on Windows 11. Also ensure that you enable 'validate RADIUS server certificate' for the clients via GPO. WPA2-E is often less secure than WPA2-PSK due to misconfigurations when implemented.
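The server-certificate validation point above (and the MS-CHAPv2 credential-leak concern earlier in the thread) is something you can audit rather than assume. The following is an added example, not code from the thread or from any vendor: it checks an exported Windows Wi-Fi profile (as written by `netsh wlan export profile`) for the EAP method and for whether RADIUS server validation is actually pinned. The two sample profiles are constructed and namespace-free for brevity; real exports carry XML namespaces, which the code ignores.

```python
import xml.etree.ElementTree as ET

# EAP method numbers as they appear in the profile's <Type> element (IANA EAP registry).
EAP_NAMES = {"13": "EAP-TLS", "21": "EAP-TTLS", "25": "PEAP", "55": "EAP-TEAP"}

def _local(tag):
    """Strip any XML namespace so schema version changes do not break matching."""
    return tag.rsplit("}", 1)[-1]

def _first_text(node, name):
    """Text of the first descendant (document order) with the given local name."""
    for el in node.iter():
        if _local(el.tag) == name and el.text and el.text.strip():
            return el.text.strip()
    return None

def audit_profile(xml_text):
    """Return {'eap': method name, 'issues': [...]} for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    eap_type = _first_text(root, "Type")  # outer EAP method comes first in the export
    findings = {"eap": EAP_NAMES.get(eap_type, "unknown(%s)" % eap_type), "issues": []}
    sv = next((el for el in root.iter() if _local(el.tag) == "ServerValidation"), None)
    if sv is None:
        findings["issues"].append("no ServerValidation block: RADIUS cert is not checked")
        return findings
    if _first_text(sv, "PerformServerValidation") == "false":
        findings["issues"].append("PerformServerValidation is false")
    if not _first_text(sv, "ServerNames"):
        findings["issues"].append("ServerNames empty: any cert from a trusted CA is accepted")
    if not _first_text(sv, "TrustedRootCA"):
        findings["issues"].append("TrustedRootCA not pinned")
    if (_first_text(sv, "DisableUserPromptForServerValidation") or "").lower() != "true":
        findings["issues"].append("user can click through server certificate warnings")
    return findings

# Constructed sample: PEAP with inner MSCHAPv2 (26) and validation left at defaults.
WEAK = """<WLANProfile><name>corp-wifi</name><MSM><security><OneX><EAPConfig>
<EapHostConfig><EapMethod><Type>25</Type></EapMethod><Config><Eap><Type>25</Type><EapType>
<ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames></ServerNames></ServerValidation><Eap><Type>26</Type></Eap></EapType></Eap></Config>
</EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>"""

# Constructed sample: same method with the RADIUS server name and issuing CA pinned.
HARDENED = WEAK.replace(
    "<DisableUserPromptForServerValidation>false", "<DisableUserPromptForServerValidation>true"
).replace("<ServerNames></ServerNames>",
          "<ServerNames>radius.corp.example</ServerNames>"
          "<TrustedRootCA>PLACEHOLDER-CA-THUMBPRINT</TrustedRootCA>")

if __name__ == "__main__":
    for label, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_profile(prof))
```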
pdp10@reddit
If your infrastructure is "deperimeterized" or "zero-trust" -- meaning that it doesn't give tacit authorization to a client just because it has a trusted IP address -- then the damage potential of a random client should be near negligible.
We have physically-secured trusted LANs that live entirely within physically-secured datacenter or server rooms, and then we have all other LANs which are engineered to withstand even attacks from malware or hostile insiders.
roiki11@reddit
ClearPass is a wonderful kit. For a free alternative PacketFence is great, though I don't know how it works with WiFi.