
Currently my company has been bought out by another. Due to this, another two companies' users will be migrating into our office.

It would be super handy if we could have the vlan chosen for the user based on what domain they try to login to using dot1x.

E.G. Vlans

  • 100 CompanyA
  • 200 CompanyB
  • 300 CompanyC

Someone plops a laptop on a desk, plugs into the network port and presses CTRL-ALT-DEL, selects the domain name CompanyB and logs in.

The result I want is that dot1x is able to figure out that this is a user from CompanyB and set the network port to reflect vlan 200 dynamically.

Possible?

Sven
Lance

3 Answers


You need a RADIUS server (FreeRADIUS probably) that sends back additional attributes.

Specifically, it has to send some specific attributes; for details see RFC 2868.

This is what I use for wireless clients, but it works the same for wired 802.1X:

  • Tunnel-Type = VLAN,
  • Tunnel-Medium-Type = IEEE-802,
  • Tunnel-Private-Group-Id = 1234

Where 1234 is the required VLAN ID.

Of course you have to check that your switch supports said attributes. It might also support some other attributes that achieve the same thing, the example above works with Cisco.

Borut Mrak
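As an added illustration (not code from the answer above or from FreeRADIUS), the following Python shows the two halves of what that answer describes: mapping the domain a user picked at the CTRL-ALT-DEL prompt to a VLAN, and encoding the three RFC 2868 attributes as they appear on the wire in the Access-Accept, plus the switch-side parse that accepts a VLAN only when all three are present and consistent. The realm-to-VLAN table is constructed from the question, and the tag byte default (0) is an assumption; which tag value a given switch expects is platform-specific.

```python
import struct
# RFC 2868 attribute numbers and the enumerated values quoted in the answer.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
REALM_VLANS = {"companya": 100, "companyb": 200, "companyc": 300}  # constructed (assumption)

def realm_of(user_name):
    """Domain the user logged in to, from DOMAIN\\user or user@domain."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].lower()
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    return None

def vlan_for_user(user_name):
    """Unknown or missing realm -> None, so the caller rejects rather than guesses."""
    return REALM_VLANS.get(realm_of(user_name))

def _avp(attr_type, payload):
    # RADIUS attribute: Type(1) | Length(1, header included) | Value
    return struct.pack("BB", attr_type, len(payload) + 2) + payload

def encode_vlan_attrs(vlan_id, tag=0):
    """The three Access-Accept attributes a RADIUS server adds for a dynamic VLAN."""
    if not 1 <= vlan_id <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("VLAN ID must be 1..4094 and tag 0..31")
    # Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag followed by a 3-byte value.
    type_val = struct.pack(">I", TUNNEL_TYPE_VLAN)[1:]
    medium_val = struct.pack(">I", TUNNEL_MEDIUM_IEEE_802)[1:]
    return (_avp(TUNNEL_TYPE, bytes([tag]) + type_val)
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + medium_val)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def decode_vlan_attrs(data):
    """Switch-side check: the VLAN only if all three attributes are present and agree."""
    found, pos = {}, 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + length]
        pos += length
        body = value[1:] if value[0] <= 0x1F else value  # RFC 2868: byte > 0x1F is not a tag
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(body, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            found[attr_type] = body.decode()
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    return int(found[TUNNEL_PRIVATE_GROUP_ID]) if found.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit() else None
```

Feeding only the user's realm into the lookup (rather than trusting a VLAN the client asks for) keeps the decision on the RADIUS server, and the fail-closed `None` paths are where a real deployment would return Access-Reject or a guest VLAN.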

You could look at doing something like PacketFence (http://www.packetfence.org/). It can do role-based access control, which looks like it's exactly what you're looking to do.

Steve Butler

This doesn't seem viable to me. I mean, if you change the VLAN a port belongs to "on the fly", then the port is temporarily going to go offline and then come back ... if you don't have port-fast enabled, then it's got the whole listening / learning / forwarding cycle to go through. You'd also have the link speed negotiations to go through, reestablishing a new DHCP address, communicating with the domain controller ... etc and so on. In short, your log-on times would be horrendous.

Your post says that folks are "plopping a laptop down". I'm assuming that the new employees from the other companies will be working on laptops from those companies, correct? Instead of having them wire into the network, why don't you just go wireless? Then, you can set up multiple SSIDs on your APs and map each SSID to the VLAN you want the device to access. You could assign one password for Company A's devices, and another password for Company B.

End users don't get the passwords, and Company A employees aren't using Company B laptops and vice versa. Everybody's on the VLAN and the domain you want. Company B's laptops automatically join to Company B's SSID, etc.

Besides, you don't really want open ports on your network where just anyone can waltz in and jack into your network.

Dave