strategy question

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Mon Feb 7 20:48:08 CET 2011


Hi,

> In a project with some larger customer sites 802.1x authentication 
> shall be introduced. There are about 10 sites with roughly 500 
> employees each.
> It is expected that at least 5 to 10% of the PCs may cause problems 
> when 802.1x authentication is activated. To identify those PCs in 
> advance the idea is to have the switches ask the freeradius server 
> for authentication. For two weeks or so the radius shall accept all 
> the requests, even if they fail because of invalid certificates. 
> The failure shall be reported. During this time the operating staff 
> may solve the problems with the PCs. After that period the problems 
> are hopefully solved and the radius shall do "real" authentication.
> 
> Is this an idea that makes sense?
> Are there technical restrictions that would avoid such an approach?

it seems a fairly sensible approach to migration into an 802.1X world -
I guess your guest/failed VLAN will be just the same as the normal
VLAN that real clients will go onto?  (we were one of the sites to
ask Cisco to reverse their decision that a failed VLAN - i.e. where
802.1X was attempted but failed - should be an operative VLAN rather
than marked as some form of malicious attack).

how are you going to go about configuring the PCs - GPO can be used
to push out the setting if they are corporate/in Active Directory

alan


