
Damn Microsoft for making it so easy… June 24, 2006

Posted by jpayne in: 802.1X, Security

On my campaign for multi-layer network security, we finally enabled 802.1X authentication for wired users in one of our remote offices as a pilot.
(Isn’t it funny how something you mention as an aside can get turned into a full blown project with “can we get this done by the next security meeting?”…)
We have a mix of company issued Windows “productivity” machines, developer Linux and Windows boxes and then the personal laptops (like my powerbook). Everything we do to protect the productivity network has to be Mac compatible because “we” are finally going to support (and provide) Macs!
So, Windows XP 802.1X authentication. By default it’s already configured to try authenticating with a client certificate. This is almost perfect… just one registry setting to be pushed out to tell the stack to use system certificates and authenticate as a machine account, and that meets the goal for the pilot.
Using Microsoft Internet Authentication Service on the domain controllers - very, very, very simple configuration… so simple that this router jockey documented the config.
The client cert comes from the Windows domain… it’s “non-exportable” (whatever that means).
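Added example, not the author's push script: the kind of one-setting push the post describes for the XP supplicant, done with reg.exe. It assumes the setting in question is the EAPOL supplicant's global AuthMode value, where 2 means computer-only authentication with the machine certificate; the key path and the meaning of the value are my reading of Microsoft's EAPOL registry documentation for XP, so verify them against your service pack before rolling it out. Per-adapter EAP settings are not touched.

```batch
@echo off
rem Added example, not the post's own script. Assumption: the single setting
rem the post refers to is the XP EAPOL supplicant's global AuthMode, where
rem 2 = computer authentication only (machine certificate, no user credentials).
rem Verify key and value against Microsoft's EAPOL documentation for your SP.
set EAPOL_KEY=HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

rem Machine-only authentication: the box authenticates before anyone logs on,
rem using the computer certificate enrolled from the domain CA.
reg add "%EAPOL_KEY%" /v AuthMode /t REG_DWORD /d 2 /f

rem Read it back so a login script or inventory job can confirm the push took.
reg query "%EAPOL_KEY%" /v AuthMode
```

One trade-off worth knowing before choosing computer-only mode: the port stays authorized for the machine no matter who logs on, so the RADIUS accounting on IAS records the computer account, not the user. That matches the post's goal of minimal user interaction, but if you later want per-user visibility at the switch you will need the computer-then-user mode instead.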
Now the real work begins - trying to get similar functionality on the Mac platform. (Similar functionality here means as little user interaction as possible :) Yes, the Mac supports 802.1X, but it’s not on by default and is pretty well hidden and needs configuration to work. The client certs don’t appear automatically (why would they? The Macs don’t typically log in to the Windows domain), and so far I haven’t found such a thing as a machine certificate that’s non-exportable.
I fully expect that we’ll get the Macs working just as we find the money and time to stop using the built in supplicants and use something that will let us do some security posture analysis (probably Funk’s Juniper’s Odyssey Access Client).

FRIST POST!!!!!! June 1, 2006

Posted by jpayne in: Hacks, OS/X

Ran across the Smackbook hack a little while ago, and after mentioning it to my boss was inspired to modify it very slightly so instead of switching screens, it just screen locks.

Get up to leave your desk and smack your powerbook to turn on the screensaver. That just feels right.

Diff to smack.pl here. Note that this includes the PowerBook and iBook fix… you’ll need to “unfix” it for MacBook Pro.