wired 802.1x for desktops (offtopic)

Alexander Clouter alex at digriz.org.uk
Wed May 27 14:39:48 CEST 2009

Mikael Kermorgant <mikael.kermorgant at gmail.com> wrote:
> Sorry for this off-topic message, I have a question about 802.1x deployment
> and don't know where to ask. As freeradius is one of the elements I think of,
> maybe someone here can help me find the solution?
> My goals:
> 1) authenticate access to the network from Open Public Access Catalog (OPAC)
> desktop machines available to every user of a library.
> 2) have a guest account with limited LAN access (no access to internet, or
> just a very short whitelist)
> 3) Keep the machines reachable from some servers (ghost server, monitoring,
> etc). (this criterion eliminates the solution of a captive portal)
> I thought 802.1x with dynamic vlans would be a nice solution as it should
> permit putting the guest account in a specific vlan.
Replace 'guest account' with 'unregistered workstation' in your mind and 
forget about user credentials.

Use the user credentials to register the workstation (if they have the 
right level of authorisation[1]), but keep the user credentials out of 
the *network* policy making decisions.

As for (3), this is nothing more than a PIM agent on the router to your 
'unregistered' VLAN, a DNS server covering '.', fancy stateful firewall 
and an HTTP proxy server that can very specifically control what people 
can get to when unregistered.  We use a Linux box, make sure you test 
PXE booting! :)


[1] maybe permit them to register the workstation into one VLAN but not 
	another (where your helpdesk staff can)...or not permit them to 
	do so at all

Alexander Clouter
.sigmonster says: Honi soit la vache qui rit.
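A small model of the split Alexander describes, added here as an illustration and not code from the thread or from FreeRADIUS itself: user credentials are consumed once, at registration time, to decide whether that person may place a workstation into a given VLAN (his footnote [1]); the per-authentication network decision then looks only at the workstation's MAC as the switch reports it in Calling-Station-Id, and returns the RFC 3580 dynamic-VLAN reply attributes, falling back to the restricted 'unregistered' VLAN. The VLAN numbers, role names and MAC addresses are assumed sample values; the store is an in-memory dict standing in for whatever database the real deployment would use.

```python
"""Added example (not from the list post): register workstations by MAC, and
make the network policy decision from the workstation alone, never from the
user who happens to be logged in."""

import re

# Assumed VLAN plan: anything not registered lands in the restricted VLAN
# (the one with the catch-all DNS, firewall and proxy described in the post).
UNREGISTERED_VLAN = 999
OPAC_VLAN = 20
STAFF_VLAN = 10

# Assumed authorisation levels (footnote [1]): librarians may register a
# workstation into the OPAC VLAN only, helpdesk staff into either.
ROLE_MAY_REGISTER = {
    "librarian": {OPAC_VLAN},
    "helpdesk": {OPAC_VLAN, STAFF_VLAN},
}

# Registration store: normalised MAC -> (vlan, registered_by). In-memory here;
# a real deployment would keep this in the database FreeRADIUS queries.
REGISTRATIONS = {}


def normalise_mac(station_id):
    """Canonicalise a MAC as it arrives in Calling-Station-Id. Switches send
    00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455; anything that is
    not exactly 12 hex digits with those separators is rejected so a
    malformed or spoofed-looking value never matches a registration."""
    if re.search(r"[^0-9a-fA-F.:\-]", station_id):
        raise ValueError("not a MAC address: %r" % station_id)
    hexdigits = re.sub(r"[.:\-]", "", station_id)
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % station_id)
    return hexdigits.lower()


def register_workstation(station_id, user, role, vlan):
    """Registration step: this is the only place user identity matters.
    Returns True if the workstation was recorded, False if this role may
    not register into that VLAN."""
    if vlan not in ROLE_MAY_REGISTER.get(role, set()):
        return False
    REGISTRATIONS[normalise_mac(station_id)] = (vlan, user)
    return True


def network_policy(calling_station_id):
    """Per-authentication decision: RADIUS reply attributes for dynamic VLAN
    assignment (RFC 3580), chosen purely from the workstation's registration
    state. No user name or password is consulted."""
    try:
        mac = normalise_mac(calling_station_id)
        vlan = REGISTRATIONS.get(mac, (UNREGISTERED_VLAN, None))[0]
    except ValueError:
        vlan = UNREGISTERED_VLAN
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


if __name__ == "__main__":
    # Constructed walk-through: a librarian registers an OPAC desktop, then
    # the same desktop authenticates from a switch that formats the MAC
    # differently and still lands in the OPAC VLAN; an unknown box does not.
    print(register_workstation("00-11-22-33-44-55", "alice", "librarian", OPAC_VLAN))
    print(register_workstation("00-11-22-33-44-55", "alice", "librarian", STAFF_VLAN))
    print(network_policy("0011.2233.4455"))
    print(network_policy("66:77:88:99:aa:bb"))
```

Whoever is typing at the keyboard at authentication time does not appear anywhere in `network_policy`, which is the whole point: a guest's credentials can do nothing more than land them on an unregistered workstation's VLAN, and an authorised user's credentials cannot promote a workstation beyond what their role was allowed to register.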
