Switches, Hubs, and Modems
802.1x - Remote Access Policy - Keep unapproved devices off network

gnomeAware1
Occasional Visitor

I need help keeping unapproved devices off of my network. I’m playing around with 802.1x but have a few challenges that I need help with.

Here’s my environment:
• 5308xl at the core
• 4108gl in the 4 closets
• 2650 attached to the 4108’s that support phones, computers and computers attached through the phones
• Some 2520G-8-PoE in cubicles because of a shortage of ports
• ProCurve Manager+ 3.1, IDM 3.0, Windows 2003, IAS

Here are my goals (all of this is working in the test environment – except the phones):
• Average user given access via 802.1x user authentication.
• Shortel phone system is about to be upgraded to support 802.1x authentication – I think I can figure that one out when the time comes.
• Printers will be tied to switch ports using “port-security”. Can’t do MAC authentication because I can’t change the password policy on the active directory servers. Not too many printers – shouldn’t be difficult to manage.
• Sometimes a person needs to log in to their company computer using a local computer account rather than the domain account. I’ll use web authentication for that.

Here are the challenges:
• Someone brings their laptop in from home and uses web authentication to get access to the network. Is there an IAS Remote Access Policy that I can use to require that the computer is joined to the domain? I think I need to authenticate both the user and the computer. What would that policy look like?
• Assuming I figure out the correct policy, I will then run into a problem where a developer runs a virtual machine that’s part of a workgroup rather than being joined to the domain. In that case I’ve locked them out. Unless anyone has a creative solution I’ll probably just handle that as a corner case.

I think I just need help with the remote access policy that requires that the computer be part of the domain but any other advice will be greatly appreciated.

Thanks.

-SJ
2 REPLIES
cenk sasmaztin
Honored Contributor

Re: 802.1x - Remote Access Policy - Keep unapproved devices off network

Someone brings their laptop in from home and uses web authentication to get access to the network. Is there an IAS Remote Access Policy that I can use to require that the computer is joined to the domain?


* Unnecessary to create their computer account on the domain;
their user account is sufficient.


I think I need to authenticate both the user and the computer. What would that policy look like?

* Unnecessary to authenticate both user and computer; authenticating only the user is very secure.


* For a virtual machine you must create a domain user account and enable multiple user authentication on the switch port,
for example:
aaa port-access authenticator B1 client-limit 2


My advice:

You can create VLANs on the network:

vlan 10 for servers
vlan 11 for domain users
vlan 12 for printers
vlan 13 for guests
vlan 14 for IP phones

All domain users authenticate against the RADIUS server and are dynamically assigned VLAN 11 with a remote Active
Directory rule.

All servers connect statically to VLAN 10 in the system room.

All printers connect statically to VLAN 12 with port security.

All guest users (non-domain users) connect dynamically to VLAN 13.

All IP phones connect dynamically to VLAN 14 in front of the PC.

For virtual machines, create a domain user account.

And never, never connect machines brought in from outside to your network, for security.
cenk
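As an added example (not from cenk's post, HP documentation or the ShoreTel/IAS vendors), here is how the VLAN plan above maps onto a ProCurve port configuration, together with the RADIUS attributes an IAS remote access policy would return to place an authenticated user in VLAN 11. The IP addresses, port numbers, MAC address and shared secret are constructed placeholders, and the CLI syntax is from memory of ProCurve firmware of that generation, so check it against the manual for your 4108gl/2650 release.

```text
! --- Switch side (ProCurve CLI, assumed syntax) ---
vlan 10 name "Servers"         ! static, system room only
vlan 11 name "Domain-Users"    ! assigned dynamically by RADIUS
vlan 12 name "Printers"        ! static, locked with port-security
vlan 13 name "Guest"           ! unauthenticated / web-auth fallback
vlan 14 name "IP-Phones"

! RADIUS = the Windows 2003 IAS server (placeholder address / secret)
radius-server host 10.1.10.5 key CHANGE-ME-SHARED-SECRET
aaa authentication port-access eap-radius

! User ports B1-B24: 802.1x, fall back to VLAN 13 if auth fails
aaa port-access authenticator B1-B24
aaa port-access authenticator B1-B24 unauth-vid 13
aaa port-access authenticator active

! Developer port B2: host + one VM, each with its own domain user
aaa port-access authenticator B2 client-limit 2

! Printer port B5: pin the printer's MAC (placeholder) to the port
vlan 12 untagged B5
port-security B5 learn-mode static address-limit 1 mac-address 001122-334455 action send-disable

! --- IAS side: attributes the policy returns on Access-Accept ---
! (RFC 3580 VLAN assignment; configure under the policy's Profile > Advanced)
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = 802 (6)
!   Tunnel-Private-Group-ID = "11"
! A policy condition on "Windows-Groups = DOMAIN\Domain Users" ties VLAN 11 to domain accounts.
```

After enabling the authenticator, `show port-access authenticator` and `show vlans` confirm which VLAN each port actually landed in; a port left in VLAN 13 after a supplicant connected is the first sign of a policy or EAP mismatch to investigate in the IAS event log.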

gnomeAware1
Occasional Visitor

Re: 802.1x - Remote Access Policy - Keep unapproved devices off network

I think what I'm going to do is use certificates. Here's a link to an example of the direction I'm heading.

http://alextch.members.winisp.net/802.1x/Defending%20your%20internal%20network%20with%20802.1x%20and%20Microsoft%20PKI.htm

What do you think?