Recommended switches for dynamic VLANs
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Fri Jul 13 12:12:00 CEST 2007
Phil Mayers wrote:
> On Fri, 2007-07-13 at 12:32 +0800, Jacob Jarick wrote:
>
>> Can anyone recommend a brand / model of wireless switches that will
>> support dynamic VLANs.
>>
>
> Off the top of my head, and in no particular order:
>
> 3Com 4400, 5500
> Cisco 2960, 3560/3750, 4500, 6500
> Extreme X250e/X450e/8800
> HP Procurve (most of them)
>
> Nortel (untested)
>
Are Nortel still in business? I heard they invested heavily in mobile
interweb and went bust.
> Alcatel (untested)
> Foundry (untested)
>
> ...and a whole bunch more. It's a pretty common feature in any platform
> from the last 18 months.
>
> You really want to be looking for a few key differentiators such as:
>
> * can the device support 802.1x & mac-based fallback at the same time?
>
Yes!!!
The issue that I have with most of the current switches is that they
can't fall back to MAC-based auth...
Port-based auth:
Switch >> Device : EAPOL Identity request
Switch << Device : No response
*switch to MAC-based auth*
You would of course have to keep a database of devices allowed to be
authenticated by MAC address.
> * can the device authenticate >1 client on a port?
> * if so, can it support 802.1x for one and mac-based for another (think
> IP phones)
>
This would come under fallback.
> * if so, can it assign separate untagged vlans to each client?
> * can the device assign IP ACLs from Radius replies?
> * can the device assign 1 untagged and >1 tagged vlans (think wlan aps)
>
I don't think many will allow you to assign multiple tagged VLANs; most
centre around assigning one untagged VLAN... though that would be a very
neat feature.
> * can the device be told to let all macs in (again, wlan aps)
>
Well, you just turn off authentication for that port (if wired), or
create a non-RADIUS-authenticated BSSID.
> * can the device support wake-on-lan on 802.1x unauthenticated ports?
>
Yep, this one's pretty important; the latest HP firmware for the 26** supports this.
> * does the device support an internal username db for fallback (think
> ops staff laptops while the radius servers are down during an outage)
>
Yep, agree with you there... though in my limited experience, it's not
usually the RADIUS server or the link to the RADIUS server that goes
down, it's the databases used for authorisation.
Now that FreeRADIUS supports return codes in CVS head again, it's a good idea
to elect a secondary users file module to do authorisation in place of
any of your db modules if a db module should return fail... or you
could stick it at the end of a fail-over group.
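The two points above (a MAC-address fallback database for devices that never answer EAPOL, and a secondary users-file module that takes over when the db module returns fail) can be put together in a single FreeRADIUS configuration. The fragments below are an added example, not configuration from the poster or from the FreeRADIUS project; they assume FreeRADIUS 2.0-style syntax (Cleartext-Password, a sql module instance already defined in sql.conf), an invented fallback file name users.fallback, constructed MAC/user entries, and VLAN IDs 10 and 20 chosen for illustration. The format in which a switch sends the MAC as User-Name (case, separators) is switch-dependent and must match the entries in the file.

```conf
# --- radiusd.conf, modules section (fragment) --------------------------
# A second instance of rlm_files, consulted only when sql returns "fail".
# The instance name "fallback" and the file name are assumptions.
files fallback {
        usersfile = ${confdir}/users.fallback
}

# --- authorize section (sites-enabled/default in 2.x) -------------------
authorize {
        preprocess
        eap
        # redundant: modules are tried in order; the next one is only
        # reached when the previous one returns "fail" (e.g. DB down).
        # "notfound" from sql does NOT fall through, so an unknown user
        # is still rejected while the database is healthy.
        redundant {
                sql
                fallback
        }
}

authenticate {
        Auth-Type PAP {
                pap
        }
        eap
}

# --- users.fallback (constructed entries) -------------------------------
# MAC-based fallback: the switch sends the MAC as User-Name after the
# EAPOL Identity request times out. Assumed lower-case, no separators.
# Accepted without a password check and placed in VLAN 20 via the
# RFC 2868 tunnel attributes most switches use for dynamic VLANs.
001122334455    Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20

# Ops staff laptop usable during a database outage (password is a
# placeholder); lands in the management VLAN 10.
opslaptop       Cleartext-Password := "changeme"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 10

# Anything else reaching the fallback file is rejected rather than
# silently landing on the switch's default VLAN.
DEFAULT         Auth-Type := Reject
```

Keep the MAC entries in the fallback file to the devices that genuinely cannot do 802.1X (printers, embedded gear), since a MAC-only entry is trivially spoofable; the Tunnel-Private-Group-Id value is a VLAN ID here, but some switches expect a VLAN name instead, so check the switch's documentation before relying on it.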
More information about the Freeradius-Users
mailing list