strategy question

localhero at mac.hush.com localhero at mac.hush.com
Mon Feb 7 21:40:08 CET 2011


I think there will be Group Policies in place.

-lh

On Mon, 07 Feb 2011 20:48:08 +0100 Alan Buxey 
<A.L.M.Buxey at lboro.ac.uk> wrote:
>Hi,
>
>> In a project with some larger customer sites 802.1x authentication
>> shall be introduced. There are about 10 sites with roughly 500
>> employees each.
>> It is expected that at least 5 to 10% of the pc may cause problems
>> when 802.1x authentication is activated. To identify those pc in
>> advance the idea is, to have the switches ask the freeradius server
>> for authentication. For two weeks or so the radius shall accept all
>> the requests, even if they fail because of invalid certificates.
>> The failure shall be reported. During this time the operating staff
>> may solve the problems with the pc. After that period the problems
>> are hopefully solved and the radius shall do "real" authentication.
>>
>> Is this an idea that makes sense?
>> Are there technical restrictions that would avoid such an approach
>
>it seems a fairly sensible approach to migration into an 802.1X world -
>I guess your guest/failed VLAN will be just the same as the normal
>VLAN that real clients will go onto?  (we were one of the sites to
>ask cisco to reverse their decision that a failed VLAN - ie where
>802.1X was attempted but failed - should be an operative VLAN rather
>than marked as some form of malicious attack).
>
>how are you going to go about configuring the PCs - GPO can be used
>to push out the setting if they are corporate/in ActiveDirectory
>
>alan
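
Added example, not part of the original thread or of FreeRADIUS: one way to produce the failure report for the operating staff during the trial period, by listing stations whose most recent 802.1X attempt was rejected. It assumes the failed VLAN equals the normal VLAN so rejects are still logged, and that radius.log lines look like the constructed sample; `failing_stations` is a hypothetical helper name.

```python
import re

# Constructed sample in the style of FreeRADIUS radius.log with auth logging on.
# The line format is an assumption; hosts, switches and MACs are made up.
SAMPLE_LOG = """\
Mon Feb  7 09:00:01 2011 : Info: Ready to process requests.
Mon Feb  7 09:01:12 2011 : Auth: Login OK: [host/pc-0142.example.com] (from client sw-site1-03 port 12 cli 00-11-22-33-44-55)
Mon Feb  7 09:01:40 2011 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [host/pc-0207.example.com] (from client sw-site1-03 port 17 cli 00-11-22-33-44-66)
Mon Feb  7 09:02:05 2011 : Auth: Login incorrect (TLS Alert read:fatal:certificate expired): [host/pc-0311.example.com] (from client sw-site2-01 port 4 cli 00-11-22-33-44-77)
Mon Feb  7 09:31:40 2011 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [host/pc-0207.example.com] (from client sw-site1-03 port 17 cli 00-11-22-33-44-66)
Tue Feb  8 10:15:00 2011 : Auth: Login OK: [host/pc-0311.example.com] (from client sw-site2-01 port 4 cli 00-11-22-33-44-77)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>.*?)\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<mac>[0-9A-Fa-f-]+)\)"
)

def failing_stations(log_text):
    """Return {mac: info} for stations whose most recent attempt was rejected."""
    stations = {}
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an authentication result line
        st = stations.setdefault(m["mac"].lower(), {"failures": 0})
        st.update(user=m["user"], nas=m["nas"], port=int(m["port"]), last_seen=m["ts"])
        # A later "Login OK" clears the flag: the PC has been fixed in the meantime.
        st["failing"] = m["result"] == "incorrect"
        if st["failing"]:
            st["failures"] += 1
            st["reason"] = m["reason"]
    return {mac: st for mac, st in stations.items() if st["failing"]}

if __name__ == "__main__":
    for mac, st in failing_stations(SAMPLE_LOG).items():
        print(f'{mac} {st["user"]} on {st["nas"]} port {st["port"]}: '
              f'{st["failures"]} failures, last reason: {st["reason"]}')
```

Stations that failed earlier but have since authenticated successfully drop out of the report, so the list shrinks as the PCs are repaired.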



