Banning users in a nice way...

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Jun 27 12:54:26 CEST 2007


Hi,

Being a nice friendly openish institution, and not wanting to overload 
our helpdesk staff with hundreds of users trying to set up their 
laptops, we decided to make registration a self-service kind of affair.

We decided to set up an unauthorised VLAN; on this VLAN there exists a 
support server, serving support pages.

On wired connections, assigning users to this VLAN is fine .. our HP 
Procurve switches have a lovely feature called OpenVLAN which assigns 
users with broken supplicant software to an arbitrary VLAN.

Unfortunately there is no such solution for the wireless access points.. 
*sigh*.. So we currently have to reject broken supplicants, failed 
authentication attempts etc ...

Our solution to this is not as smooth as I would like ... and that is to 
create a second unauthenticated, unencrypted BSSID which is attached 
to our unauthorised VLAN.

Users connect to this BSSID, register, set up their software, then 
connect to the 802.1x authenticated BSSID.

What we really want to be able to do, is for users with broken software, 
force the wireless association to succeed, and put them on the 
unauthorised VLAN. Of course just sending a plain old Access-Accept 
packet isn't sufficient, as it requires the tunneled authentication to 
succeed as well...

Has anyone got any ideas ?

I'm assuming there's no way to do it..

Oh and by broken I mean Windows XP type broken, as in will only attempt 
TLS authentication broken... and sends the username and password a user 
logged into the machine with by default broken... and so can never work 
out of the box broken.

There are no issues with Mac users, everything works fine there.

and we're assuming people running Linux are clever enough to set up x 
supplicant without support :)
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
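The post relies on the RADIUS server steering a client onto the unauthorised VLAN after authentication; on wired and wireless NAS devices that support dynamic VLAN assignment, this is done with the RFC 3580 / RFC 2868 tunnel attributes carried in the Access-Accept. The code below is an added example, not part of the original message or of FreeRADIUS: it encodes that attribute triple (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) on the wire and decodes it back strictly, so a defender can check what a server actually returned. The byte strings and the VLAN id 200 are constructed for the example; it says nothing about the tunneled-EAP problem the post asks about, only about the VLAN-assignment mechanism itself.

```python
"""Encode/decode the RFC 3580 VLAN-assignment attributes of a RADIUS
Access-Accept (attribute numbers and values from RFC 2868 / RFC 3580).

Wire format of one attribute: Type(1) | Length(1, header included) | Value.
Tunnel-Type and Tunnel-Medium-Type are "tagged integers": one tag byte
followed by a 24-bit value. Tunnel-Private-Group-ID is a "tagged string":
the first byte is a tag only if it is <= 0x1F, otherwise it is data.
"""
import struct

ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868 section 3.2


def _attr(attr_type, value):
    """Serialise one RADIUS attribute; values are limited to 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type, tag, number):
    """Tagged integer: tag byte + 3-byte big-endian value."""
    return _attr(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def vlan_attributes(vlan_id, tag=1):
    """Attribute bytes a server adds to Access-Accept to assign vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 0x01..0x1F")
    return (_tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID,
                    bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_attributes(data):
    """Split a raw attribute list into (type, value) pairs, rejecting
    truncated or self-inconsistent lengths instead of reading past them."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def assigned_vlan(data):
    """Return the VLAN id the attributes assign, or None when the three
    attributes are not all present with matching tags and sane values."""
    by_tag = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            tag, number = value[0], int.from_bytes(value[1:], "big")
            by_tag.setdefault(tag, {})[attr_type] = number
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            if value and 1 <= value[0] <= 0x1F:   # leading byte is a tag
                tag, group = value[0], value[1:]
            else:                                 # untagged string
                tag, group = 0, value
            by_tag.setdefault(tag, {})[attr_type] = group
    for found in by_tag.values():
        if (found.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and found.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in found):
            group = found[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


if __name__ == "__main__":
    # constructed sample: assign the hypothetical "unauthorised" VLAN 200
    raw = vlan_attributes(200)
    print(raw.hex(), "->", assigned_vlan(raw))
```

The decoder deliberately requires all three attributes with the same tag and a numeric group id, because a NAS that receives only a Tunnel-Private-Group-ID, or one whose tag does not match, will usually ignore the assignment and leave the client on the port's default VLAN; checking the server's reply with the same strictness makes that failure visible at the RADIUS side rather than in a confused user report.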


