
Re: Dynamically assign a computer in a VLAN

Subject: Re: Dynamically assign a computer in a VLAN
Date: 21 Apr 2005 09:03:13 -0000
In-Reply-To: <42666534.9080803@laposte.net>

Hi 

  This can be done using Cisco's IBNS (Identity Based Networking Services) 
concept. The same works based on user name and password. Assume three 
components - the Client (a Laptop/Desktop etc.), a Switch and an Access Control 
Server (ACS). The Switch has a RADIUS Client and the ACS is a "Cisco ACS3.x" 
RADIUS Server. You configure the policies and Authorization parameters on the 
ACS (and can even link the same to ADS). 

When the Client logs into the Workstation, the client is asked to pass his 
authentication credentials - the credentials could include his user name and 
password and, additionally, digital certificates etc. 
The primary concept behind this is EAP based authentication (using AAA server) 
and AAA based authorization. 

Two points to remember: MAC address cannot be a criterion in assigning 
one to a VLAN. Second, to my knowledge, this will now restrict you to a 
Cisco only solution. We have implemented this for a BPO where agents (as they 
are called) can use any Desktop and based on their user credentials are 
automatically put into the respective VLAN. The Cisco ACS and Switch interact 
to automatically put the port into that VLAN. Such functionality is available 
only for specific Cisco Switches.

If MAC address is critical for you then get onto trying to put MAC based 
filters manually (manually is a critical word here) on the Switch. My knowledge 
says VMPS (assuming you still have such a setup) cannot be used with IBNS - 
someone can correct me if I am wrong on this point.

Additionally, if you could expand on what you call a trusted VLAN... Hope 
this helps.

Shankar

Hi everyone,

We want to dynamically assign a Workstation or Laptop to a "trusted" 
VLAN, after authentication based on username, password and MAC address.
I know we can assign a computer to a VLAN with its MAC address with 
VMPS. Can RADIUS or TACACS do the same, added with username/password 
authentication?

Thanks all for your answers.

Mathieu Rinck
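
The AAA-based VLAN authorization described in the reply, as an added example that is not part of either post: a switch-side check that reads the VLAN from the attributes of a RADIUS Access-Accept and ignores it unless the full tunnel triple is valid. It assumes the RADIUS server returns the standard tunnel attributes from RFC 2868 / RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID); the function names and sample byte strings are constructed for illustration.

```python
import struct

# RADIUS attribute types used for VLAN assignment (RFC 2868 / RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(buf):
    """Yield (type, value) pairs; raise on truncated or malformed lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[i + 2:i + alen]
        i += alen

def vlan_from_accept(buf):
    """Return the VLAN string, or None when the triple is incomplete or wrong."""
    ttype = medium = group = None
    for atype, val in parse_attrs(buf):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("tunnel attribute must be 4 octets")
            number = int.from_bytes(val[1:], "big")  # skip the tag octet
            if atype == TUNNEL_TYPE:
                ttype = number
            else:
                medium = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            # A first octet of 0x1F or less is a tag, otherwise it is text
            group = (val[1:] if val[0] <= 0x1F else val).decode("ascii")
    if ttype == TT_VLAN and medium == TMT_IEEE_802 and group:
        return group
    return None  # leave the port in its configured VLAN

# Constructed sample: Access-Accept attributes placing the port in "trusted"
SAMPLE_ACCEPT = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
                 + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
                 + attr(TUNNEL_PRIVATE_GROUP_ID, b"trusted"))
# Constructed sample: group ID present, but Tunnel-Type is 3 (L2TP), not VLAN
SAMPLE_WRONG_TYPE = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x03")
                     + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
                     + attr(TUNNEL_PRIVATE_GROUP_ID, b"trusted"))
```

The parser covers only the attribute list; verifying the packet's Response Authenticator against the shared secret is a separate step that must pass before these attributes are trusted.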

