wired 802.1x for desktops (offtopic)

Alan DeKok aland at deployingradius.com
Tue May 26 19:16:40 CEST 2009

Mikael Kermorgant wrote:
> My Goals :
> 1) authenticate access to the network from Open Public Access Catalog
> (OPAC) desktop machines available to every user of a biblioteque.

  OPAC?  That must be term local to your site.  I don't know what it means.

> 2) have a guest account with limited LAN access (no access to internet,
> or just a very short whitelist)
> 3) Keep the machines reachable from some servers (ghost server,
> monitoring, etc). (this criteria eliminates the solution of a captive
> portal)

 It's hard to setup guest access without a captive portal.

> I thought 802.1x with dynamic vlans would be a nice solution as it
> should permit to put the guest account in a specific vlan.

  Maybe.  Do the client machines do 802.1X?  How will they get a
username/password for authentication?

> But how would it be possible to reach the machine from the management
> servers before someone authenticates ?

  It won't be possible.  If you've configured 802.1X, there will be no
network available until after authentication happens.

> Is it possible to have a default
> vlan activated on startup of the machine ?

  No.  VLAN assignment is done by the RADIUS server, *or* by the switch.

> Or do you know where I should ask this question ?

  I think your requirements might be difficult, or maybe impossible to
do with current technology.

  I suggest investigating what's *possible*, and then trying to build a
solution using components that exist.  It's much more difficult to first
define the requirements, and then to see if it's possible to meet them.

  Alan DeKok.

More information about the Freeradius-Users mailing list