vlan ldap radiusd
Alexander Clouter
alex at digriz.org.uk
Fri Jul 15 14:34:49 CEST 2011
Serge van Namen <svnamen at snow.nl> wrote:
>
>> 'un-registered' (user bootstrapped) workstations go into VLAN
>> 'users-unmanaged' whilst our equipment goes into 'users-staff'.
>> Hope that makes sense...? :)
>
> Do you mean: unauthorized, user be put in default (jailed) vlan?
>
I work for a university so we have a lot of equipment that we do not
maintain but is owned by the students/staff that needs to connect. So,
we have three main workstation VLANs:
* unauthorised
* users-unmanaged
* users-staff
Unknown MAC addresses go into 'unauthorised' which is a sandpit network
which does nothing more than redirect the web browser to our
'unauthorised workstation' webpage[1]. There they are permitted to get
to a few websites (microsoft.com, etc) and to the instructions/tools
they need to configure their computer for 802.1X.
When they are 802.1Xing, they get put into 'users-unmanaged' which gives
them all the access they could want, and that I am willing to give them.
One day, when I find the time, I will have a 'pre-registration' VLAN (or
more likely dual-purpose 'unauthorised') for unrecognised MAC addresses
that have gotten past 'unauthorised' by doing 802.1X with some user
credentials.
'users-staff' is currently MAC-auth workstations that we maintain, the
helpdesk would not love me if I forced them to configure each
workstation for 802.1X (we are condemned with Novell and not AD...but
apparently not for much longer). :)
One day, to get into 'users-staff', you will need to do EAP-TLS, but for
now it is just MAC-auth.
There is no different level of access between 'users-staff' and
'users-unmanaged' here; we just wanted to keep equipment that we
maintain and equipment we do not in different subnets. Mainly to keep
the subnets small :)
Cheers
[1] http://www.soas.ac.uk/itsupport/personal-equipment/unauthorised-workstation.html
--
Alexander Clouter
.sigmonster says: Where do you think you're going today?
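Added example, not part of the thread or the author's configuration: one way to express the three-VLAN policy described above in FreeRADIUS 3.x unlang, returning the RFC 3580 tunnel attributes the switch needs for dynamic VLAN assignment. The `known_macs` module name and the Call-Check convention for MAC-auth requests are assumptions.

```unlang
# Constructed example (not the list author's config): a FreeRADIUS 3.x
# virtual-server fragment mapping the three workstation VLANs onto the
# RFC 3580 tunnel attributes used for dynamic VLAN assignment.
# Assumptions: the switch sends MAC-auth requests with
# Service-Type = Call-Check, and `known_macs` (hypothetical name) is a
# `files` module instance whose file lists the MACs of workstations we
# maintain, each entry carrying its VLAN, e.g.
#
#     00-11-22-33-44-55
#         Tunnel-Private-Group-Id = "users-staff"
#
authorize {
    preprocess
    if (&Service-Type == Call-Check) {
        # MAC-auth: accept every request; the VLAN decides what it reaches
        known_macs
        update control {
            &Auth-Type := Accept
        }
    }
    else {
        # Anything else must authenticate with 802.1X (EAP)
        eap
    }
}

post-auth {
    # Every Access-Accept carries a VLAN; names must match the switch config
    update reply {
        &Tunnel-Type := VLAN
        &Tunnel-Medium-Type := IEEE-802
    }
    if (&EAP-Message) {
        # 802.1X succeeded with user credentials: unmanaged-equipment subnet
        update reply {
            &Tunnel-Private-Group-Id := "users-unmanaged"
        }
    }
    elsif (!&reply:Tunnel-Private-Group-Id) {
        # MAC-auth with a MAC not in known_macs: sandpit VLAN whose only
        # job is to redirect the browser to the registration page
        update reply {
            &Tunnel-Private-Group-Id := "unauthorised"
        }
    }
    # Otherwise the known_macs entry has already set "users-staff"
}
```

The MAC-auth branch always answers Access-Accept, so the 'unauthorised' VLAN itself, not the RADIUS verdict, is what limits an unknown device.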