Banning users in a nice way...



Hi,

Being a nice, friendly, openish institution, and not wanting to overload our helpdesk staff with hundreds of users trying to set up their laptops, we decided to make registration a self-service kind of affair.

We decided to set up an unauthorised VLAN; on this VLAN there exists a support server, serving support pages.

On wired connections, assigning users to this VLAN is fine... our HP ProCurve switches have a lovely feature called OpenVLAN which assigns users with broken supplicant software to an arbitrary VLAN.

Unfortunately there is no such solution for the wireless access points... *sigh*... So we currently have to reject broken supplicants, failed authentication attempts, etc.

Our solution to this is not as smooth as I would like... and that is to create a second unauthenticated, unencrypted BSSID which is attached to our unauthorised VLAN.

Users connect to this BSSID, register, set up their software, then connect to the 802.1X-authenticated BSSID.

What we really want to be able to do is, for users with broken software, force the wireless association to succeed and put them on the unauthorised VLAN. Of course, just sending a plain old Access-Accept packet isn't sufficient, as it requires the tunneled authentication to succeed as well...

Has anyone got any ideas?

I'm assuming there's no way to do it...

Oh, and by broken I mean Windows XP type broken, as in will-only-attempt-TLS-authentication broken... and sends-the-username-and-password-a-user-logged-into-the-machine-with-by-default broken... and so can-never-work-out-of-the-box broken.

There are no issues with Mac users; everything works fine there.

And we're assuming people running Linux are clever enough to set up x supplicant without support :)
--
Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
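The dynamic VLAN placement the post relies on (OpenVLAN on the wired side, and what the author would like the access points to do) is carried in the RADIUS Access-Accept as the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple from RFC 2868 and RFC 3580. The following is an added, constructed example, not code from the original post or from any vendor: it builds such an Access-Accept, shows how the NAS recovers the VLAN from it, and shows the Response Authenticator check a NAS should perform before trusting it. As the post notes, with 802.1X the NAS only acts on this packet once the EAP conversation has completed; the example covers the packet, not the EAP exchange. The identifier, request authenticator, shared secret and VLAN id used below are all made-up sample values.

```python
"""Build and check a RADIUS Access-Accept carrying a dynamic VLAN assignment.

Constructed example. Packet layout follows RFC 2865; the tagged tunnel
attributes follow RFC 2868; the VLAN usage follows RFC 3580.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"


def _attr(attr_type, payload):
    """Wrap a payload as a RADIUS TLV: type, length (header included), value."""
    if len(payload) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, 2 + len(payload)]) + payload


def tagged_int(attr_type, value, tag=0):
    """Tagged integer attribute: one tag byte followed by a 3-byte integer."""
    if not 0 <= tag <= 0x1F or not 0 <= value < (1 << 24):
        raise ValueError("tag or value out of range")
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, text, tag=0):
    """Tagged string attribute: one tag byte followed by the string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag out of range")
    return _attr(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_attributes(vlan_id, tag=0):
    """The three attributes a NAS needs to place the port/association on a VLAN."""
    return (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response_authenticator(packet, request_authenticator, secret):
    """NAS-side check: recompute the Response Authenticator from the Request
    Authenticator it sent and the shared secret; anything else is discarded."""
    if len(packet) < 20:
        return False
    header, got, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(got, expected)


def parse_attributes(packet):
    """Return (type, value) pairs, refusing packets with inconsistent lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def assigned_vlan(packet):
    """VLAN id string if the packet carries a complete VLAN triple, else None."""
    found = {}
    for attr_type, value in parse_attributes(packet):
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte above 0x1F is data, not a tag
            body = value[1:] if value[0] <= 0x1F else value
            found[attr_type] = body.decode("ascii")
    if (found.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
        return found.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    return None


if __name__ == "__main__":
    # Sample values: made-up request authenticator, identifier, secret and VLAN.
    req_auth, secret = bytes(range(16)), b"testing123"
    pkt = build_access_accept(7, req_auth, secret, vlan_attributes(300))
    print("vlan:", assigned_vlan(pkt),
          "authenticator ok:", verify_response_authenticator(pkt, req_auth, secret))
```

The parser rejects any packet whose Length field or attribute lengths disagree with the bytes actually received, and the authenticator check is done before the VLAN is read; a NAS that reads attributes first and checks the authenticator afterwards (or not at all) will happily move a client onto whatever VLAN a spoofed reply names.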



