Mikael Kermorgant <mikael.kermorgant@gmail.com> wrote:
Sorry for this off-topic message, I have a question about 802.1x deployment and don't know where to ask. As freeradius is one of the element I think of, maybe someone here can help me find the solution ?
My Goals : 1) authenticate access to the network from Open Public Access Catalog (OPAC) desktop machines available to every user of a biblioteque. 2) have a guest account with limited LAN access (no access to internet, or just a very short whitelist) 3) Keep the machines reachable from some servers (ghost server, monitoring, etc). (this criteria eliminates the solution of a captive portal)
I thought 802.1x with dynamic vlans would be a nice solution as it should permit to put the guest account in a specific vlan.
Replace 'guest account' with 'unregistered workstation' in your mind and forget about user credentials. Use the user credentials to register the workstation (if they have the right level of authorisation[1]), but keep the user credentials out of the *network* policy making decisions. As for (3), this is nothing more than a PIM agent on the router to your 'unregistered' VLAN, a DNS server covering '.', fancy stateful firewall and an HTTP proxy server that can very specifically control what people can get to when unregistered. We use a Linux box, make sure you test PXE booting! :) Cheers [1] maybe permit them to register the workstation into one VLAN but not another (where your helpdesk staff can)...or not permit them to do so at all -- Alexander Clouter .sigmonster says: Honi soit la vache qui rit.