wired 802.1x for desktops (offtopic)
A.L.M.Buxey at lboro.ac.uk
Tue May 26 19:45:46 CEST 2009
Hi,
> > 1) authenticate access to the network from Open Public Access Catalog
> > (OPAC) desktop machines available to every user of a biblioteque.
>
> OPAC? That must be term local to your site. I don't know what it means.
we have OPACs too - I think it's a term derived from the world
of librarians and therefore alien to most ;-)
> > 2) have a guest account with limited LAN access (no access to internet,
> > or just a very short whitelist)
> > 3) Keep the machines reachable from some servers (ghost server,
> > monitoring, etc). (this criteria eliminates the solution of a captive
> > portal)
>
> It's hard to setup guest access without a captive portal.
>
> > I thought 802.1x with dynamic vlans would be a nice solution as it
> > should permit to put the guest account in a specific vlan.
>
> Maybe. Do the client machines do 802.1X? How will they get a
> username/password for authentication?
I would say use something like pGina for authentication - there
are several plugins that allow the Windows login to become RADIUS
enabled - set the default/guest/failed-802.1X VLAN to be very limited
(so that the systems can only talk to your patching/monitor servers
and to the RADIUS server), then, upon successful login the devices can
be bumped to a relevant 802.1X network - for local folk or for visitors.
> It won't be possible. If you've configured 802.1X, there will be no
> network available until after authentication happens.
most NAS devices have ideas of 'guest' networks that are given if the port is not
in an authenticated state - indeed, latest Cisco firmwares allow
traffic to pass TO the client (handy for WoL!) ...but not from the client
a simpler method would be ye olde captive portal - with ebtables/iptables -
iptables then 'opened up' after a real user has logged into the captive
portal...otherwise limited to just your management servers
alan
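Added example, not from this thread: FreeRADIUS `users` entries that return the dynamic-VLAN reply attributes Alan describes (a staff VLAN on successful login, a restricted VLAN for the guest account), with the matching Cisco IOS port configuration that drops unauthenticated or failed ports into the same restricted VLAN. The VLAN IDs, the `library-staff` LDAP group and the guest password are assumptions.

```text
# --- FreeRADIUS "users" file (constructed example) ---
# Guest account: the VLAN the switch also uses for failed/no-response
# ports, so guests only ever reach the management servers and the
# short whitelist regardless of how they got there.
guest   Cleartext-Password := "CHANGE-ME-PLACEHOLDER"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "20",
        Reply-Message = "Guest VLAN: management servers and whitelist only"

# Local staff (assumed LDAP group) are bumped to the full-access VLAN.
DEFAULT Ldap-Group == "library-staff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "10"

# Anyone else who authenticates but matches no group gets no VLAN
# attributes; the switch then keeps them on its restricted VLAN.

# --- Cisco IOS access port (constructed example) ---
# VLAN 20 is reachable only from ghost/monitoring/RADIUS servers via ACL
# elsewhere; traffic toward the client (WoL, imaging) still works.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication event fail action authorize vlan 20
 authentication event no-response action authorize vlan 20
 dot1x pae authenticator
```

Test the guest entry with `radtest guest <password> localhost 0 <secret>` and check that the Access-Accept carries the three Tunnel-* attributes before trusting the switch to honour them.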