wired 802.1x for desktops (offtopic)
alex at digriz.org.uk
Wed May 27 14:39:48 CEST 2009
Mikael Kermorgant <mikael.kermorgant at gmail.com> wrote:
> Sorry for this off-topic message, I have a question about 802.1x deployment
> and don't know where to ask. As freeradius is one of the elements I think of,
> maybe someone here can help me find the solution?
> My Goals :
> 1) authenticate access to the network from Open Public Access Catalog (OPAC)
> desktop machines available to every user of a library.
> 2) have a guest account with limited LAN access (no access to internet, or
> just a very short whitelist)
> 3) Keep the machines reachable from some servers (ghost server, monitoring,
> etc). (this criterion eliminates the solution of a captive portal)
> I thought 802.1x with dynamic vlans would be a nice solution as it should
> permit putting the guest account in a specific vlan.
Replace 'guest account' with 'unregistered workstation' in your mind and
forget about user credentials.
Use the user credentials to register the workstation (if they have the
right level of authorisation), but keep the user credentials out of
the *network* policy making decisions.
As for (3), this is nothing more than a PIM agent on the router to your
'unregistered' VLAN, a DNS server covering '.', fancy stateful firewall
and an HTTP proxy server that can very specifically control what people
can get to when unregistered. We use a Linux box, make sure you test
PXE booting! :)
Maybe permit them to register the workstation into one VLAN but not
another (where your helpdesk staff can)... or not permit them to
do so at all.
.sigmonster says: Honi soit la vache qui rit.
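The "register the workstation, keep the user out of the network decision" split described in the reply, as an added example that is not code from the poster or from the FreeRADIUS project. It models a registration store keyed on the workstation's MAC address (as a switch would present it for MAC authentication), a registration step that consumes the user's role, and a RADIUS reply function whose only input is the workstation identity; unregistered machines fall through to a quarantine VLAN. The VLAN numbers, the role-to-VLAN rights table and the rendering of the store into FreeRADIUS `users`-file entries (which assumes the switch sends the MAC as both User-Name and User-Password) are assumptions for illustration.

```python
"""Model of 'network policy keyed on the workstation, not the user'.

Constructed example, not the list poster's code. Switches present a MAC
address in several spellings (aa:bb:..., aa-bb-..., aabb.ccdd.eeff), so the
store is keyed on a normalised form.
"""
import re
from dataclasses import dataclass, field

# Assumed VLAN for any workstation nobody has registered: the 'unregistered'
# VLAN behind the PIM agent, the '.' DNS server, the firewall and the proxy.
UNREGISTERED_VLAN = "999"

# Assumed authorisation levels: which VLANs a role may register a machine into.
# A role absent from this table (e.g. an ordinary patron) may register nothing.
REGISTRATION_RIGHTS = {
    "librarian": {"100"},          # OPAC desktops only
    "helpdesk": {"100", "200"},    # OPAC and staff desktops
}


def normalise_mac(mac: str) -> str:
    """Reduce any common MAC spelling to 12 lowercase hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.lower()


@dataclass
class Registry:
    """Workstation registration store: normalised MAC -> VLAN id."""
    vlan_by_mac: dict = field(default_factory=dict)


def register_workstation(registry: Registry, mac: str, user_role: str, vlan: str) -> bool:
    """The only place user credentials matter: the user's role decides which
    VLANs they may register a workstation into. Returns True on success."""
    if vlan not in REGISTRATION_RIGHTS.get(user_role, set()):
        raise PermissionError(f"role {user_role!r} may not register into VLAN {vlan}")
    registry.vlan_by_mac[normalise_mac(mac)] = vlan
    return True


def radius_reply(registry: Registry, mac: str) -> dict:
    """RADIUS reply attributes for the switch. Note the signature: the
    workstation identity is the only input, no user credential is consulted."""
    vlan = registry.vlan_by_mac.get(normalise_mac(mac), UNREGISTERED_VLAN)
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


def users_file(registry: Registry) -> str:
    """Render the store as FreeRADIUS 'users' entries for MAC authentication.
    Assumes the switch sends the MAC as both User-Name and User-Password;
    the trailing DEFAULT entry catches every unregistered workstation."""
    def entry(name: str, check: str, vlan: str) -> str:
        return (f"{name}\t{check}\n"
                f"\tTunnel-Type = VLAN,\n"
                f"\tTunnel-Medium-Type = IEEE-802,\n"
                f"\tTunnel-Private-Group-Id = \"{vlan}\"\n")
    entries = [entry(mac, f'Cleartext-Password := "{mac}"', vlan)
               for mac, vlan in sorted(registry.vlan_by_mac.items())]
    entries.append(entry("DEFAULT", "Auth-Type := Accept", UNREGISTERED_VLAN))
    return "\n".join(entries)


if __name__ == "__main__":
    reg = Registry()
    print(radius_reply(reg, "AA-BB-CC-DD-EE-FF"))          # -> unregistered VLAN
    register_workstation(reg, "AA-BB-CC-DD-EE-FF", "librarian", "100")
    print(radius_reply(reg, "aabb.ccdd.eeff"))             # -> VLAN 100, same machine
    print(users_file(reg))
```

The `users` rendering is only a convenience for seeing the resulting policy; in a real deployment the store would live in SQL or LDAP so that the helpdesk registration tool and FreeRADIUS read the same record.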