Blog Entry
Hi All
First time blogger here so I thought I would pop out some comments on Novell and Security.
Novell is a bit funny when it comes to security: on one hand you have one of the most secure NOSes commercially available in NetWare, yet when it comes to securing all the other portions of your network you are limited to what NetWare offers.
I have been a long time NetWare user, CNE and MCNE. I got my CNE back in 1995 and have actually kept it fairly up to date. I also work for a school district, where security is not just an option but a requirement (unless you like the students running your network). Back before the Y2K scare we started seeing a need to control who could access the physical network, due to the Internet boom and the huge influx of viruses out there.
We started with Intel switches, which were actually very nice as closet switches, that allowed us to enter the MAC address of every station at a school site into the site's main switch. This worked pretty well, but there were many drawbacks: for instance, it did not stop someone from getting on the local network and spreading viruses to legitimate computers, and we actually had a few stations whose MAC address had been manually edited to match another computer on the network, thus gaining access.
Eventually we had to replace the Intel switches and found there were no switches out there that did MAC address entry on a large scale like the Intel switches did. In fact, it seemed that the one thing all the switches supported as a de facto standard was 802.1X.
So we started looking at this and at how it would work with Novell, and found that there are quite a few hurdles to getting it to work at all, let alone seamlessly with Novell.
First you need a RADIUS server. Novell pushes FreeRADIUS; the price is right for that server, but I found it very hard to configure. In fact I had to call Novell to get it configured, and even then we were doing some funky workarounds just to get a RADIUS test to register that it works. In the end I never did get it to authenticate through our new Cisco switches. So next I went with the Cisco ACS, which is nice because it supports both RADIUS and TACACS for Cisco switches and routers. This was a lot easier to configure and get running, but it also caused an issue with the way the Novell client works.
At the time of implementing 802.1X, Novell did not have the 802.1X addition to the client, so we had to look for a supplicant. The choice came down to the Funk Software Odyssey client (now Juniper) and the Meetinghouse Aegis client (now Cisco).
The requirements for the client were that it do single sign-on with the Novell client and not use certificates. What we found was that the only option using the ACS at that time was EAP-FAST with GTC. The Aegis client seemed to be the easiest and simplest to configure for this, so we went with them as well.
There were quirks with the Aegis client, such as sloooooowwwww log-outs (it was faster to restart than to log out) as well as licenses disappearing and such, but it did work with single sign-on, and it really cost us. We paid something like 20K just for the ability to connect to the physical network (not counting the cost of the ACS servers).
Meanwhile, after at least a few years of begging Novell to support 802.1X, they finally came out with a client. Now here is a company that does a great job with security on its servers and such, but totally lost that benefit when it came to the underlying network. What Novell did was simply support the 802.1X that Windows natively supports. So everyone who had to go out and buy a supplicant to support their 802.1X environment, and did not use the MS native supplicant (hence they purchased a third-party one), had to either change their whole network design and use FreeRADIUS or Active Directory, or keep purchasing third-party supplicants.
Now I can see where Novell does not want to annoy third-party vendors; it is very hard to find third-party vendors that still support Novell and its client. My argument to this was that there was no vendor I had seen that was continuing support for Novell or its client, so why worry about annoying them? At the very least Novell could have integrated an extended protocol that other RADIUS servers support, so people could use a certificate-less login without Active Directory or FreeRADIUS on the back end.
In case you did not know, the MS supplicant supports certificate-less 802.1X authentication only using MSCHAP. The problem is that the only directory that supports login info encrypted with MSCHAP is Active Directory. FreeRADIUS gets by this by decrypting the MSCHAP login info and then sending that info to LDAP. From my side, we had already deployed over 2000 stations with 802.1X against the ACS server, as well as integrated the switches with the TACACS side of the Cisco ACS server. Maybe if Novell had made any kind of announcement that it would support 802.1X only with FreeRADIUS I would have waited, but I had to manage a network and do what I could.
So now we have ACS (which I do like), the Novell client with an 802.1X integration that is useless (to us anyway), and an extra bill for a supplicant.
My opinion on this is that Novell should look very hard at the future of the Novell Client. I personally love the client, but Novell has to take into account the new technology out there and work with it. Microsoft will only include support for its own servers and clients; if Novell expects to still compete, they cannot lay the responsibility for not supporting Layer 1 and 2 access on Microsoft when their customers are in a Novell network. Only supporting one option for Layer 1 and 2 access is a dangerous road to travel, especially when someone can do 802.1X for free by switching their directory structure to Active Directory.
I will continue this in another post; I am just getting tired of writing. So this is not the end of my rant :)