wired 802.1x for desktops (offtopic)
Hello, Sorry for this off-topic message, I have a question about 802.1x deployment and don't know where to ask. As freeradius is one of the element I think of, maybe someone here can help me find the solution ? My Goals : 1) authenticate access to the network from Open Public Access Catalog (OPAC) desktop machines available to every user of a biblioteque. 2) have a guest account with limited LAN access (no access to internet, or just a very short whitelist) 3) Keep the machines reachable from some servers (ghost server, monitoring, etc). (this criteria eliminates the solution of a captive portal) I thought 802.1x with dynamic vlans would be a nice solution as it should permit to put the guest account in a specific vlan. But how would it be possible to reach the machine from the management servers before someone authenticates ? Is it possible to have a default vlan activated on startup of the machine ? Or do you know where I should ask this question ? Regards, -- Mikael Kermorgant
Mikael Kermorgant wrote:
My Goals : 1) authenticate access to the network from Open Public Access Catalog (OPAC) desktop machines available to every user of a biblioteque.
OPAC? That must be term local to your site. I don't know what it means.
2) have a guest account with limited LAN access (no access to internet, or just a very short whitelist) 3) Keep the machines reachable from some servers (ghost server, monitoring, etc). (this criteria eliminates the solution of a captive portal)
It's hard to setup guest access without a captive portal.
I thought 802.1x with dynamic vlans would be a nice solution as it should permit to put the guest account in a specific vlan.
Maybe. Do the client machines do 802.1X? How will they get a username/password for authentication?
But how would it be possible to reach the machine from the management servers before someone authenticates ?
It won't be possible. If you've configured 802.1X, there will be no network available until after authentication happens.
Is it possible to have a default vlan activated on startup of the machine ?
No. VLAN assignment is done by the RADIUS server, *or* by the switch.
Or do you know where I should ask this question ?
I think your requirements might be difficult, or maybe impossible to do with current technology. I suggest investigating what's *possible*, and then trying to build a solution using components that exist. It's much more difficult to first define the requirements, and then to see if it's possible to meet them. Alan DeKok.
Hi,
1) authenticate access to the network from Open Public Access Catalog (OPAC) desktop machines available to every user of a biblioteque.
OPAC? That must be term local to your site. I don't know what it means.
we have OPACs too - i think its a term derived from the world of librarians and therefore alien to most ;-)
2) have a guest account with limited LAN access (no access to internet, or just a very short whitelist) 3) Keep the machines reachable from some servers (ghost server, monitoring, etc). (this criteria eliminates the solution of a captive portal)
It's hard to setup guest access without a captive portal.
I thought 802.1x with dynamic vlans would be a nice solution as it should permit to put the guest account in a specific vlan.
Maybe. Do the client machines do 802.1X? How will they get a username/password for authentication?
I would say use something like pGina for authentication - there are several plugins that allow the window login to become RADIUS enabled - set the default/guest/failed-802.1x VLAN to be very limited (so that the systems can only talk to your patching/monitor servers and to the RADIUS server), then, upon successful login the devices can be bumped to a relevant 802.1X network - for local folk or for visitors.
It won't be possible. If you've configured 802.1X, there will be no network available until after authentication happens.
most NAS devices have ideas of 'guest' networks that are given if the port is not in an authenticated state - indeed, latest cisco firmwares allow traffic to pass TO the client (handy for WoL!) ...but not from the client a simpler method would be ye olde captive portal - with ebtables/iptables - iptables then 'opened up' after a real user has logged into the captive portal...otherwise limited to just your management servers alan
A.L.M.Buxey@lboro.ac.uk wrote:
I thought 802.1x with dynamic vlans would be a nice solution as it should permit to put the guest account in a specific vlan.
Maybe. Do the client machines do 802.1X? How will they get a username/password for authentication?
I would say use something like pGina for authentication - there are several plugins that allow the window login to become RADIUS enabled - set the default/guest/failed-802.1x VLAN to be very limited (so that the systems can only talk to your patching/monitor servers and to the RADIUS server), then, upon successful login the devices can be bumped to a relevant 802.1X network - for local folk or for visitors.
Problem is pGina has been abandoned by it's author and is no longer maintained, hardly a long term solution. An idea we threw around the office the other day was a thought about gluing (samba+pam+radius)+freeradius to get eduroam onto the desk (and generic one day guest users) and working. If it could work (probably many gotchas I have not even thought of), you still have two problems: 1. if you run AD, you need a second domain run by Samba 2. if you don't run AD, you need to roll out a domain with Samba Both non-trivial. As a general hint, you are going to cause yourself lots of problems[1] if you embrace 802.1X VLAN assignment depending on user credentials[2]. 802.1X is a host<->network (like IPsec which is host<->host) system, user authentication for resources on the network belongs far higher up the OSI...such as covered by Kerberos. Cheers [1] think about multi-user machines, both hotseat (like Windows) and simultaneous (like UNIX, Linux, Mac OS X) situations [2] does not mean you cannot use the user credentials to 'bootstrap' the host credentials (such has a MAC address) and vouch that they are responsible for everything the host with a particular MAC address does -- Alexander Clouter .sigmonster says: Keep refrigerated.
Mikael Kermorgant <mikael.kermorgant@gmail.com> wrote:
Sorry for this off-topic message, I have a question about 802.1x deployment and don't know where to ask. As freeradius is one of the element I think of, maybe someone here can help me find the solution ?
My Goals : 1) authenticate access to the network from Open Public Access Catalog (OPAC) desktop machines available to every user of a biblioteque. 2) have a guest account with limited LAN access (no access to internet, or just a very short whitelist) 3) Keep the machines reachable from some servers (ghost server, monitoring, etc). (this criteria eliminates the solution of a captive portal)
I thought 802.1x with dynamic vlans would be a nice solution as it should permit to put the guest account in a specific vlan.
Replace 'guest account' with 'unregistered workstation' in your mind and forget about user credentials. Use the user credentials to register the workstation (if they have the right level of authorisation[1]), but keep the user credentials out of the *network* policy making decisions. As for (3), this is nothing more than a PIM agent on the router to your 'unregistered' VLAN, a DNS server covering '.', fancy stateful firewall and an HTTP proxy server that can very specifically control what people can get to when unregistered. We use a Linux box, make sure you test PXE booting! :) Cheers [1] maybe permit them to register the workstation into one VLAN but not another (where your helpdesk staff can)...or not permit them to do so at all -- Alexander Clouter .sigmonster says: Honi soit la vache qui rit.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Alexander Clouter -
Mikael Kermorgant