EAPOL, VLANs and network drives

From: Oleksandr Darchuk (o.darchuk_at_wucb.lviv.net)
Date: 01/22/04

    Date: Thu, 22 Jan 2004 17:57:11 +0200
    To: security-basics@securityfocus.com
    
    

    Hello.
    Sorry for the possible off-topic, but as I see, people on this mailing list
    work with some network features and possibly will help me with some advice.
    I decided to separate my network into some VLANs. But users in our office
    migrate too fast and too often, that's why I try to bind the VLAN ID to the
    username, not to a fixed port on the switch. I use EAPOL with RADIUS for that.
    When a user passes EAPOL auth, the RADIUS server sends the attribute
    Tunnel-Private-Group-ID = X and the switch (I use Nortel BayStack) marks the
    port as a VLAN X untagged member. It is a rather smart configuration, because
    when a user migrates to another department I just change the RADIUS file and
    don't need to find the new port on the switch and reconfigure it. Everything
    works fine, but I have a problem with Novell login/network drives. When
    the computer turns on, the NetWare client runs the login script _during_ the
    user's login into WinXP/Win2K and it's _before_ EAPOL auth. That's why the
    user can't map network drives and needs to log in again.
    So, can anyone give me some advice on how to fix it: e.g. to set the VLAN ID
    in another way? Or to reconfigure the EAPOL client? Or the RADIUS server (btw I
    use freeradius). Is it possible that my configuration will work when I use
    Microsoft RADIUS beside freeradius and use Windows AD besides NetWare?
    Possibly somebody is more familiar with EAPOL? At least recommend me
    another mailing list.
    Sorry for poor English and thanks for all advice.
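
The VLAN assignment described in the message above, as an added example that is not part of the original post: it encodes and parses the RADIUS tunnel attributes a switch reads from an Access-Accept, including the optional tag octet. Assumptions: the attribute numbers and values follow RFC 2868 and RFC 3580, all three attributes are required (the post only names Tunnel-Private-Group-ID), the group ID is a numeric VLAN, and VLAN 20 is a constructed sample.

```python
# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def encode_vlan_attrs(vlan, tag=0):
    """Build the three tunnel attributes of an Access-Accept for `vlan`."""
    def tagged_int(attr, value):
        # Layout: Type, Length (always 6), Tag, 3-octet value.
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    group = str(vlan).encode("ascii")
    if tag:  # the tag octet is optional on the string attribute
        group = bytes([tag]) + group
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)


def iter_attrs(data):
    """Yield (type, value) pairs, rejecting truncated or malformed TLVs."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]


def vlan_from_accept(data):
    """Return the VLAN ID the attributes select, or None if they do not."""
    ttype = medium = group = None
    for attr, value in iter_attrs(data):
        if attr == TUNNEL_TYPE and len(value) == 4:
            ttype = int.from_bytes(value[1:], "big")
        elif attr == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet of 0x1F or less is a tag, otherwise it is data.
            group = value[1:] if value[0] <= 0x1F else value
    if ttype != TYPE_VLAN or medium != MEDIUM_IEEE_802 or not group:
        return None  # incomplete set: the port keeps its configured VLAN
    try:
        vlan = int(group.decode("ascii"))
    except ValueError:  # non-numeric group ID (assumed unsupported here)
        return None
    return vlan if 1 <= vlan <= 4094 else None
```

Running `vlan_from_accept` over the attribute bytes of a captured Access-Accept shows whether the server reply is complete before looking at the switch or the client login order.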


