wired 802.1x for desktops (offtopic)
Alexander Clouter
alex at digriz.org.uk
Wed May 27 14:35:01 CEST 2009
A.L.M.Buxey at lboro.ac.uk wrote:
>>
>> > I thought 802.1x with dynamic vlans would be a nice solution as it
>> > should permit to put the guest account in a specific vlan.
>>
>> Maybe. Do the client machines do 802.1X? How will they get a
>> username/password for authentication?
>
> I would say use something like pGina for authentication - there
> are several plugins that allow the window login to become RADIUS
> enabled - set the default/guest/failed-802.1x VLAN to be very limited
> (so that the systems can only talk to your patching/monitor servers
> and to the RADIUS server), then, upon successful login the devices can
> be bumped to a relevant 802.1X network - for local folk or for visitors.
>
Problem is pGina has been abandoned by its author and is no longer
maintained, hardly a long term solution.
An idea we threw around the office the other day was a thought about
gluing (samba+pam+radius)+freeradius to get eduroam onto the desk (and
generic one day guest users) and working.
If it could work (probably many gotchas I have not even thought of), you
still have two problems:
1. if you run AD, you need a second domain run by Samba
2. if you don't run AD, you need to roll out a domain with Samba
Both non-trivial.
As a general hint, you are going to cause yourself lots of problems[1]
if you embrace 802.1X VLAN assignment depending on user credentials[2].
802.1X is a host<->network (like IPsec which is host<->host) system,
user authentication for resources on the network belongs far higher up
the OSI...such as covered by Kerberos.
Cheers
[1] think about multi-user machines, both hotseat (like Windows) and
simultaneous (like UNIX, Linux, Mac OS X) situations
[2] does not mean you cannot use the user credentials to 'bootstrap' the
host credentials (such as a MAC address) and vouch that they
are responsible for everything the host with a particular MAC
address does
--
Alexander Clouter
.sigmonster says: Keep refrigerated.
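As an added illustration of the point made in the post and its footnotes (this is a toy model written for this page, not code from the thread or from FreeRADIUS), the two policies are compared on a hot-seat desktop: VLAN following the user credential versus VLAN following the host, with the first successful user login vouching for the host's MAC. All user names, MACs and VLAN numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

GUEST_VLAN = 99                          # limited VLAN: patching/monitoring/RADIUS only
USER_VLANS = {"alice": 10, "bob": 20}    # per-user assignment (the scheme the post warns against)
HOST_VLAN = 10                           # the VLAN a vouched-for host lands in

@dataclass
class AuthEvent:
    mac: str                  # host identity as the switch reports it
    user: Optional[str]       # who authenticated at the supplicant, None if nobody
    ok: bool                  # did the RADIUS authentication succeed?

def per_user_vlan(ev: AuthEvent, _state: dict) -> int:
    """VLAN follows the user credential: whoever authenticates last re-tags the port."""
    if ev.ok and ev.user in USER_VLANS:
        return USER_VLANS[ev.user]
    return GUEST_VLAN

def per_host_vlan(ev: AuthEvent, vouched: Dict[str, str]) -> int:
    """VLAN follows the host. The first successful user login 'bootstraps' the MAC,
    recording who vouched for it; later events on that MAC get the host VLAN
    regardless of which user (if any) is sitting in front of it."""
    if ev.ok and ev.user and ev.mac not in vouched:
        vouched[ev.mac] = ev.user
    return HOST_VLAN if ev.mac in vouched else GUEST_VLAN

def simulate(policy, events: List[AuthEvent], state=None) -> List[int]:
    """Return the VLAN the port ends up in after each event, in order."""
    state = {} if state is None else state
    return [policy(ev, state) for ev in events]

# Constructed scenario: one hot-seat desktop (one MAC) used by alice, then bob,
# then an unattended period where the supplicant has no user credential at all.
HOTSEAT = [
    AuthEvent("00:11:22:33:44:55", "alice", True),
    AuthEvent("00:11:22:33:44:55", "bob", True),
    AuthEvent("00:11:22:33:44:55", None, False),
]

if __name__ == "__main__":
    # per-user: the port flips 10 -> 20 -> 99 while earlier sessions still run
    print("per-user :", simulate(per_user_vlan, HOTSEAT))
    vouched: Dict[str, str] = {}
    # per-host: the port stays in 10 once alice has vouched for the machine
    print("per-host :", simulate(per_host_vlan, HOTSEAT, vouched))
    print("vouched by:", vouched)
```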