wired 802.1x for desktops (offtopic)

Alexander Clouter alex at digriz.org.uk
Wed May 27 14:39:48 CEST 2009


Mikael Kermorgant <mikael.kermorgant at gmail.com> wrote:
> 
> Sorry for this off-topic message, I have a question about 802.1x deployment
> and don't know where to ask. As freeradius is one of the elements I think of,
> maybe someone here can help me find the solution?
> 
> My Goals :
> 1) authenticate access to the network from Open Public Access Catalog (OPAC)
> desktop machines available to every user of a library.
> 2) have a guest account with limited LAN access (no access to the internet, or
> just a very short whitelist)
> 3) keep the machines reachable from some servers (ghost server, monitoring,
> etc). (this criterion eliminates the solution of a captive portal)
>
> I thought 802.1x with dynamic vlans would be a nice solution as it should
> permit putting the guest account in a specific vlan.
> 
Replace 'guest account' with 'unregistered workstation' in your mind and 
forget about user credentials.

Use the user credentials to register the workstation (if they have the 
right level of authorisation[1]), but keep the user credentials out of 
the *network* policy making decisions.

As for (3), this is nothing more than a PIM agent on the router to your 
'unregistered' VLAN, a DNS server covering '.', a fancy stateful firewall 
and an HTTP proxy server that can very specifically control what people 
can get to when unregistered.  We use a Linux box; make sure you test 
PXE booting! :)

Cheers

[1] maybe permit them to register the workstation into one VLAN but not 
	another (where your helpdesk staff can)...or not permit them to 
	do so at all

-- 
Alexander Clouter
.sigmonster says: Honi soit la vache qui rit.
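To make the split Alexander describes concrete (user credentials decide who may register a workstation; the workstation's own identity alone decides which VLAN it lands in), here is an added example that is not from the thread or from the FreeRADIUS project. It models the policy in Python: a registration table keyed by the workstation MAC address (as a switch would send it in Calling-Station-Id), a role table implementing footnote [1], and the RFC 3580 Tunnel-* reply attributes a RADIUS server returns for dynamic VLAN assignment. The VLAN numbers, role names and MAC addresses are constructed placeholders.

```python
# Constructed VLAN ids (placeholders, not real site values).
VLAN_REGISTERED = "100"      # normal OPAC desktops
VLAN_STAFF = "200"           # staff-only network
VLAN_UNREGISTERED = "900"    # quarantine: DNS for '.', proxy whitelist, ghost/monitoring reachable

# Which VLANs each role may register a workstation into (footnote [1] in the post).
# Roles are hypothetical; ordinary library users may register nothing.
REGISTRATION_RIGHTS = {
    "helpdesk": {VLAN_REGISTERED, VLAN_STAFF},
    "librarian": {VLAN_REGISTERED},
    "patron": set(),
}


def normalise_mac(mac):
    """Canonicalise the varied Calling-Station-Id formats switches send
    (00-11-22-33-44-55, 0011.2233.4455, 00:11:22:33:44:55) to aa:bb:cc:dd:ee:ff."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class Registry:
    """Workstation registrations: MAC -> VLAN the workstation was registered into."""

    def __init__(self):
        self.registered = {}

    def register(self, user_role, mac, vlan):
        """The only place user credentials matter: may this role put this
        workstation into this VLAN? Returns True on success, False if refused."""
        if vlan not in REGISTRATION_RIGHTS.get(user_role, set()):
            return False
        self.registered[normalise_mac(mac)] = vlan
        return True

    def network_policy(self, calling_station_id):
        """Decide the VLAN from the workstation identity alone; no user is involved.
        Anything unknown or malformed lands in the unregistered VLAN."""
        try:
            vlan = self.registered.get(normalise_mac(calling_station_id), VLAN_UNREGISTERED)
        except ValueError:
            vlan = VLAN_UNREGISTERED
        # RFC 3580 reply attributes for VLAN assignment over 802.1X.
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan,
        }


if __name__ == "__main__":
    registry = Registry()
    print(registry.register("patron", "00-11-22-33-44-55", VLAN_REGISTERED))   # False
    print(registry.network_policy("00-11-22-33-44-55"))                         # unregistered VLAN
    print(registry.register("librarian", "00-11-22-33-44-55", VLAN_REGISTERED)) # True
    print(registry.network_policy("0011.2233.4455"))                            # registered VLAN
```

The point the model makes is that `network_policy` never sees a username: a guest walking up to an unregistered OPAC desktop gets the quarantine VLAN whatever they type, and the firewall, DNS and proxy on that VLAN, not RADIUS, decide what "limited LAN access" means.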