Re: Dynamically assign a computer in a VLAN
Date: 21 Apr 2005 09:03:13 -0000 To: email@example.com('binary' encoding is not supported, stored as-is) In-Reply-To: <firstname.lastname@example.org>
This can be done using Cisco's IBNS (Identity Based Networking Services) concept. The same works based on user-name and password. Assume three components - the Client (a Laptop/ Desktop etc), a Switch and an Access Control Server (ACS). The Switch has a Radius Client and the ACS is a "Cisco ACS3.x" RADIUS Server. You configure the policies and Authorization parameters on the ACS (and can even link the same to ADS).
When the Client logs into the Workstation, the client is asked to pass his authentication credentials - the credentials could include his user name and password/ additionally, digital certificates etc.
The Primary concept behind this is EAP based authentication (using AAA server) and AAA based authorization.
Two points to remember............MAC address cannot be a criteria in assigning one to a VLAN. Second, as of my knowledge, this will now restrict you to a Cisco only solution. We have implemented this for a BPO where agents (as they are called) can use any Desktop and based on their user credentials are automatically put into the respective VLAN. The Cisco ACS and Switch interact to automatically put the port into that VLAN. Such a functionality is available only for specific Cisco Switches
If MAC address is critical for you then get onto trying to put MAC based filters manually (manually is a critical word here) on the Switch. My knowledge says VMPS (assuming you still have such a setup)cannot be used with IBNS - someone can correct me if I am wrong on this point
Additionally, if you could expand on what you call a trusted VLAN...... Hope this helps
>We want to assign dynamically a Workstation or Laptop in a "trusted"
>VLAN, after authentication based on username, password and mac address.
>I know we can assign a computer to a VLAN with its mac address with
>VMPS. Can RADIUS or TACACS do the same, added with username/password
>Thanks all for your answers.