Network Security Security-Basics
Re: Dynamically assign a computer in a VLAN

Subject: Re: Dynamically assign a computer in a VLAN
Date: Thu, 21 Apr 2005 08:40:38 +0200
Hello Mathieu,

I have made several proof of concepts with IEEE 802.1x authentication.
In this procedure, a supplicant (your workstation or laptop) sends
user/password credentials to an authenticator (the switch in which the
VLAN exists). In the beginning, the ethernet port on which the
supplicant is plugged in is in UNAUTHORIZED state (does not allow
access to the LAN).

The switch inserts these frames into RADIUS messages and sends them as
RADIUS client to a RADIUS server (both MS IAS and Cisco Secure ACS are
OK for this). If user / password are fine (according to the user
database used by the RADIUS server), then the switch opens the port
(switches to AUTHORIZED). Depending on the switch vendor and version,
you can also send additional attributes in the RADIUS response from
the server:

- VLAN #: so you can dynamically assign a VLAN according to the user's identity
- ACL: so you can assign an ACL at port level according to the user's identity

IEEE 802.1x will only work with RADIUS towards the backend, but it is
standard and broadly supported. You can also strengthen this by
adding certificates in the laptop and in the RADIUS server for
encrypted authentication.

Regards,
Rodrigo.

On 4/20/05, Mathieu RINCK <mathieu.rinck@laposte.net> wrote:
Hi everyone,

We want to dynamically assign a Workstation or Laptop to a "trusted"
VLAN, after authentication based on username, password and mac address.
I know we can assign a computer to a VLAN with its mac address with
VMPS. Can RADIUS or TACACS do the same, added with username/password
authentication?

Thanks all for your answers.

Mathieu Rinck
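The VLAN attributes Rodrigo mentions in his reply are the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) carried in the RADIUS Access-Accept. The following is an added example, not code from the thread or from any RADIUS product named in it: it builds such an Access-Accept with the RFC 2865 Response Authenticator and shows the check an authenticator (switch) performs before acting on the VLAN number. The shared secret, request authenticator and VLAN 10 are constructed values.

```python
import hashlib
import struct

# RFC 2865 code and RFC 2868/3580 attribute numbers and values
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type-Length-Value (length counts the 2-byte header)."""
    return struct.pack("BB", atype, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three tagged attributes a RADIUS server sends to assign a VLAN.
    Tagged integers are a tag byte plus a 3-byte value; the group id is a
    tag byte followed by the VLAN number as ASCII text."""
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def switch_vlan_decision(packet: bytes, request_auth: bytes, secret: bytes):
    """Switch side: reject replies that do not carry a valid authenticator, then
    assign the VLAN only if all three tunnel attributes agree. Returns None when
    they are absent, so the port stays in its statically configured VLAN."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + request_auth + attrs + secret).digest() != resp_auth:
        raise ValueError("bad Response Authenticator: reply is not from our RADIUS server")
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:  # malformed length would otherwise loop forever
            break
        found[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    if (found.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
            or TUNNEL_PRIVATE_GROUP_ID not in found):
        return None
    return int(found[TUNNEL_PRIVATE_GROUP_ID][1:].decode())
```

Because the authenticator covers the attributes, a reply whose VLAN number was altered in transit fails the check and is discarded rather than opening the port into the wrong VLAN.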

