We're in the process of deploying 802.1X for both WiFi and Ethernet, and there's been some debate on whether we should allow admin access over WiFi. Currently, if you're connected to the WiFi, you can get some admin access through a VPN, which feels a bit off to me since I'm not used to seeing WiFi setups like this. How do you manage admin access? Is it limited to wired connections, or do you allow it over WiFi as well?
4 Answers
One suggestion is to use a jumpbox for admin tasks. Instead of exposing direct admin access over the WiFi network, set up a dedicated jumpbox with strict group access controls. You can allow admin access through WiFi to this jumpbox if needed, which helps keep the number of access points to the internal VLAN minimal. Just remember, auditing should be mandatory! And as an extra security measure, don't make its hostname something obvious like 'jumpbox.'
In our setup, the admin VLAN for dot1x is the same for both wired and wireless connections, so they basically have equal access.
You're on the right track, but you'll want to ensure that your authentication and encryption settings are really solid. A more secure way to handle this might be to have an admin jumpbox or bastion VM accessible via WiFi that requires multi-factor authentication (MFA) to log in, or establish a VPN or hardened SSH tunnel. It really depends on how cautious you'd like to be. You've already made a good move having a separate admin VLAN!
We treat wired and wireless access the same. Admin access should always go through jump boxes to connect to anything sensitive. Never extend direct admin access to the WiFi or user access ports. If by 'admin' you mean the management VLANs, that may be necessary if you're using a wireless meshing solution.
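An added example, not part of any answer above: one way to check the advice that admin access should only reach the management VLAN through a jumpbox. It scans a list of permit rules and reports any that reach the admin VLAN from a source other than the jumpbox. The subnets, the jumpbox address, the rule names and the rule format are all constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumptions, not from the thread).
ADMIN_VLAN = ipaddress.ip_network("10.0.99.0/24")   # management interfaces
JUMPBOXES = {ipaddress.ip_address("10.0.50.10")}    # only permitted sources

# Constructed permit rules: (name, source, destination, destination port).
RULES = [
    ("wifi-to-jump-ssh", "10.0.20.0/24", "10.0.50.10/32", 22),
    ("wired-to-jump-ssh", "10.0.10.0/24", "10.0.50.10/32", 22),
    ("jump-to-admin-ssh", "10.0.50.10/32", "10.0.99.0/24", 22),
    ("wifi-to-admin-https", "10.0.20.0/24", "10.0.99.0/24", 443),  # direct path
    ("any-to-switch-snmp", "10.0.0.0/16", "10.0.99.5/32", 161),    # too broad
]


def direct_admin_paths(rules, admin_net=ADMIN_VLAN, jumpboxes=JUMPBOXES):
    """Return the names of permit rules that reach the admin VLAN from any
    source other than a single jumpbox host."""
    findings = []
    for name, src, dst, _port in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(admin_net):
            continue  # rule does not touch the admin VLAN
        # Acceptable only when the source is exactly one jumpbox address;
        # a wider source that merely contains the jumpbox is still flagged.
        from_jumpbox = (src_net.num_addresses == 1
                        and src_net.network_address in jumpboxes)
        if not from_jumpbox:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for rule_name in direct_admin_paths(RULES):
        print("direct admin path, route via jumpbox instead:", rule_name)
```

Rules from the WiFi and wired subnets to the jumpbox pass, because their destination is outside the admin VLAN; only rules that land in the admin VLAN itself are evaluated.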
