Re: Dynamically assign a computer in a VLAN
shankarnarayan.d_at_netsol.co.in
Date: 04/21/05
- Previous message: Wes Johns: "RE: VMWare interface security"
- Maybe in reply to: Mathieu RINCK: "Dynamically assign a computer in a VLAN"
Date: 21 Apr 2005 09:03:13 -0000
To: security-basics@securityfocus.com
In-Reply-To: <42666534.9080803@laposte.net>
Hi
This can be done using Cisco's IBNS (Identity Based Networking Services) concept. The same works based on user-name and password. Assume three components - the Client (a Laptop/Desktop etc.), a Switch and an Access Control Server (ACS). The Switch has a RADIUS Client and the ACS is a "Cisco ACS3.x" RADIUS Server. You configure the policies and Authorization parameters on the ACS (and can even link the same to ADS).
When the Client logs into the Workstation, the client is asked to pass his authentication credentials - the credentials could include his user name and password and, additionally, digital certificates etc.
The Primary concept behind this is EAP based authentication (using AAA server) and AAA based authorization.
Two points to remember: MAC address cannot be a criterion in assigning one to a VLAN. Second, to my knowledge, this will now restrict you to a Cisco-only solution. We have implemented this for a BPO where agents (as they are called) can use any Desktop and based on their user credentials are automatically put into the respective VLAN. The Cisco ACS and Switch interact to automatically put the port into that VLAN. Such a functionality is available only for specific Cisco Switches.
If MAC address is critical for you then get onto trying to put MAC based filters manually (manually is a critical word here) on the Switch. My knowledge says VMPS (assuming you still have such a setup) cannot be used with IBNS - someone can correct me if I am wrong on this point.
Additionally, if you could expand on what you call a trusted VLAN...
Hope this helps
Shankar
>
>Hi everyone,
>
>We want to assign dynamically a Workstation or Laptop in a "trusted"
>VLAN, after authentication based on username, password and mac address.
>I know we can assign a computer to a VLAN with its mac address with
>VMPS. Can RADIUS or TACACS do the same, added with username/password
>authentication ?
>
>Thanks all for your answers.
>
>Mathieu Rinck
>