Am Dienstag, 7. Mai 2013, 14:27:35 schrieb Nikolaos Milas:

> Hello,

>

> We would like to enforce authentication for all clients connecting to

> our network (wired or wireless), so that when a client connects, the

> client will not be able to use the network unless it successfully

> authenticates (e.g. via web) with a valid account (LDAP-based).

>

> We have a network based mainly on Cisco 2950/2960 switches.

 

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/sw8021x.html

 

or search for your switch and IOS version.

 

> We are running a central LDAP Server (openldap) where we hold user

> accounts, which are used for mail, ftp, web, Shibboleth access.

>

> I guess we can enable 802.1x on switches and require authentication of

> clients over freeradius.

>

> Is there a suggested sample freeradius configuration for such use? Can

> you please provide one or point me to a URL for it?

 

Read the rlm_ldap file in the doc directory.

 

Quite old, but still work:

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

 

> Can you share your experience and any pitfalls we should consider?

 

Pitfalls:

- Devices that do not speak 802.1x, i.e. printers.

- Devices with more that one MAC address, i.e. laptops with virtual machines.

- Devices of users that are not in your LDAP, i.e. consultants, guests.

- Devices behind IP phones (two MAC addresses!).

 

Perhaps you need to mess around with guest, resticted, and voice VLAN.

 

> Any experiences on such use? Does this scale well (for about 20-30

> switches)? Should we consider a central management solution? (Which?)

 

LDAP scales well. FreeRADIUS will not have any performace problem.

 

Perhaps you get a lot of work taking care of all the MAC addresses of your non-802.1x devices. A customer of mine has a data base with 120.000 MAC addresses ...

 

--

Mit freundlichen Grüßen,

 

Michael Schwartzkopff

 

--

[*] sys4 AG

 

http://sys4.de, +49 (89) 30 90 46 64

Franziskanerstraße 15, 81669 München

 

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263

Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer

Aufsichtsratsvorsitzender: Florian Kirstein