- Some design tip
08-18-2006 02:02 AM
I have a network on two floors, each floor having 2650 switches. To the 2650 are connected workstations and APs. The 2650 go into a layer three 2824. In the same 2824 I also have the domain controller with IAS RADIUS server installed.
I want to have 802.1x authentication over the network.
I also want dynamic VLANs based on the credentials the users give. For each VLAN, the DHCP will provide a different subnet address, based on which a firewall will provide different levels of access.
For the case of guest visitors, I want authentication based on MAC address, which will be temporarily provided by the network admin. The guests will be assigned to a guest VLAN, with restricted access.
I need some confirmations for the following configuration:
1. All the 2650 ports will be assigned 802.1x authentication, blocking by default all non-authenticated users.
2. The 2650 port in which the APs are plugged will be tagged with all the VLANs from the switch. The question is, do I need some special access policy defined on the IAS (there is an option for all 802 traffic + ethernet access) for the users that connect via wireless, or since they provide the right credentials, they will be assigned to the correct VLAN (the AP does know about VLANs)?
3. In case of visitors, can I have a MAC access rule that will put the port into the Guest VLAN?
p.s. I know it's long, but I am sure that a solution to this will provide answers to many people.
08-18-2006 05:09 AM
Solution
Hi
However long it was, you can always find your answers here :)
First, it's a nice setup, especially the integration between 802.1X, RADIUS and Windows Active Directory, and now for your answers:
1- For sure you can configure that, and they call it MAC-based authorization.
2- Since you want an 802.1X solution, the RADIUS server can be used to assign ports to VLANs based on authentication and RADIUS attributes.
3- I think the visitor's MAC address is a headache of a solution, especially the administration of port security based on MAC addresses.
And since you don't know whether the visitors will have a compatible 802.1X supplicant on their laptops, you need to find a way to provide them access without completely opening the ports on the switches.
I think using Web Authentication will be more efficient here, and this will allow visitors without 802.1X supplicants to gain access to the Internet using a guest account on your RADIUS server.
Good Luck !!!
Science for Everyone
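Point 2 of the reply above depends on the RADIUS server returning VLAN attributes in its Access-Accept. As an added example (not part of the thread and not HP's code), this Python parser checks a captured Access-Accept for the attribute set RFC 3580 defines for VLAN assignment: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6) and Tunnel-Private-Group-ID. It assumes the switch follows RFC 3580; the function names and sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6  # values RFC 3580 requires for VLAN assignment

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} from a RADIUS packet (last one wins)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        # Each attribute is Type(1) Length(1) Value; Length covers all three.
        if length - pos < 2 or not 2 <= packet[pos + 1] <= length - pos:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def tagged_int(value: bytes):
    """Decode a tagged integer attribute: 1 tag byte + 3-byte value (RFC 2868)."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None

def assigned_vlan(packet: bytes):
    """VLAN ID/name from an Access-Accept, or None if the set is incomplete."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        return None
    if tagged_int(attrs.get(TUNNEL_TYPE, b"")) != TYPE_VLAN:
        return None
    if tagged_int(attrs.get(TUNNEL_MEDIUM_TYPE, b"")) != MEDIUM_802:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # optional leading tag byte, stripped here
        group = group[1:]
    return group.decode("ascii", errors="replace") or None

def build(code, attrs):
    """Constructed sample packet: identifier 1, zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

VLAN, M802 = b"\x00\x00\x00\x0d", b"\x00\x00\x00\x06"
GOOD = build(2, [(64, VLAN), (65, M802), (81, b"20")])   # constructed
NO_MEDIUM = build(2, [(64, VLAN), (81, b"20")])          # constructed, incomplete
print(assigned_vlan(GOOD), assigned_vlan(NO_MEDIUM))
```

A `None` result on an Access-Accept means the policy on the RADIUS server is missing one of the three attributes or carries the wrong value in one of them, which is the first thing to check when users authenticate but do not land in the expected VLAN.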
08-18-2006 06:22 AM
Re: Some design tip
Yes, I agree the web authentication would be great; unfortunately it cannot run on the same ports 802.1x does... I was also thinking of adding each new visitor into some guest group in AD, but I do not know if the visitor will be presented with a login window when he plugs into the network, since his computer will not be part of AD.
I know that in theory many things can be done, but I want some reassurance before starting, because I only have a weekend to do all the changes, and no test ground. Whatever I do, it will be directly into production.
I specifically want to know if someone has previously used 802.1x authentication with an additional AP plugged into the switch, with several other users. Does the dynamic VLAN assignment work in that particular case, or will all the clients connected to the same port have to share the same untagged VLAN?
08-18-2006 04:43 PM
Re: Some design tip
Hi
Check http://www.hp.com/rnd/support/config_examples/secure-access-wireless.htm
after eliminating the Secure Access Controller.
Good Luck !!!
Science for Everyone