Ionut Andrei
Occasional Contributor

Some design tip

I have a network on two floors, each floor having 2650 switches. To the 2650s are connected workstations and APs. The 2650s go into a layer three 2824. In the same 2824 I also have the domain controller with IAS RADIUS server installed.
I want to have 802.1x authentication over the network.
I also want dynamic VLANs based on the credentials the users give. For each VLAN, the DHCP will provide a different subnet address, based on which a firewall will provide different levels of access.
For the case of guest visitors, I want authentication based on MAC address, which will be temporarily provided by the network admin. The guests will be assigned to a guest VLAN, with restricted access.

I need some confirmations for the following configuration:

1. All the 2650 ports will be assigned 802.1x authentication, blocking by default all non-authenticated users.
2. The 2650 port in which the APs are plugged will be tagged with all the VLANs from the switch. The question is, do I need some special access policy defined on the IAS (there is an option for all 802 traffic + ethernet access) for the users that connect via wireless, or since they provide the right credentials, will they be assigned to the correct VLAN (the AP does know about VLANs)?
3. In case of visitors, can I have a MAC access rule that will put the port into the Guest VLAN?

p.s. I know it's long, but I am sure that a solution to this will provide answers to many people.
Mohieddin Kharnoub
Honored Contributor

Re: Some design tip

Hi

However long it was, you can always find your answers here :)

First, it's a nice setup, especially the integration between 802.1x, RADIUS and Windows Active Directory, and now for your answers:

1- For sure you can configure that, and they call it MAC-based authorization.
2- Since you want an 802.1X solution, the RADIUS server can be used to assign ports to VLANs based on authentication and RADIUS attributes.
3- I think the visitors' MAC address is a headache solution, especially the administration of port security based on MAC addresses.

And since you don't know whether the visitors will have a compatible 802.1X supplicant on their laptops, you need to find a way to provide them access without completely opening the ports on the switches.

I think using Web Authentication will be more efficient here, and this will allow visitors without 802.1X supplicants to gain access to the Internet using a guest account on your RADIUS server.

Good Luck !!!
Science for Everyone
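To make point 2 of the answer (and point 2 of the original question) concrete, here is an added example that is not part of the thread or of any HP/IAS code: it shows the RFC 3580 tunnel attributes a RADIUS server such as IAS puts in an Access-Accept to request a VLAN, and the check a switch applies before trusting them. All attribute values and the VLAN numbers are constructed sample data.

```python
# Added example, not from the thread: dynamic VLAN assignment via RADIUS
# tunnel attributes (RFC 2868 encoding, RFC 3580 usage). Sample data is constructed.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def encode_attr(attr_type, value):
    """One RADIUS attribute: Type (1 octet), Length (1 octet, incl. header), Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value

def tagged_int(tag, n):
    """RFC 2868 tagged integer: one tag octet followed by a 24-bit value."""
    return bytes([tag]) + n.to_bytes(3, "big")

def build_vlan_accept_attrs(vlan_id, tag=1):
    """The three attributes a RADIUS server sends to put the client in vlan_id."""
    return (encode_attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + encode_attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_attrs(raw):
    """Split a RADIUS attribute section into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos < len(raw):
        t, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, raw[pos + 2:pos + length]))
        pos += length
    return attrs

def strip_tag(value):
    """RFC 2868: a leading octet 0x00-0x1F is a tag; anything else means untagged."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def vlan_from_accept(raw):
    """VLAN ID the switch should apply, or None if the attributes are absent/unusable."""
    groups = {}
    for t, v in parse_attrs(raw):
        if t in VLAN_ATTRS:
            tag, val = strip_tag(v)
            groups.setdefault(tag, {})[t] = val  # attributes are matched by tag
    for group in groups.values():
        ttype = int.from_bytes(group.get(TUNNEL_TYPE, b""), "big")
        medium = int.from_bytes(group.get(TUNNEL_MEDIUM_TYPE, b""), "big")
        gid = group.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        # Only honour a complete, consistent VLAN tuple with a valid 802.1Q VID
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802 and gid.isdigit():
            if 1 <= int(gid) <= 4094:
                return int(gid)
    return None  # switch then falls back to its configured default/auth-fail behaviour
```

An Access-Accept that carries only Tunnel-Private-Group-ID, or a VID outside 1-4094, yields None, which is the case an operator must decide a port policy for rather than silently leaving the port in its static VLAN.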
Ionut Andrei
Occasional Contributor

Re: Some design tip

Yes, I agree the web authentication would be great; unfortunately it cannot run on the same ports 802.1x does... I was also thinking of adding each new visitor into some guest group in AD, but I do not know if the visitor will be presented with a login window when he plugs into the network, since his computer will not be part of AD.

I know that in theory many things can be done, but I want some reassurance before starting, because I only have a weekend to do all the changes, and no test ground. Whatever I do, it will go directly into production.
I specifically want to know if someone has used 802.1x authentication before while having an additional AP, with several other users, plugged into the switch. Does the dynamic VLAN assignment work in that particular case, or will all the clients connected to the same port have to share the same untagged VLAN?
Mohieddin Kharnoub
Honored Contributor

Re: Some design tip

Hi

Check http://www.hp.com/rnd/support/config_examples/secure-access-wireless.htm after eliminating the Secure Access Controller.

Good Luck !!!
Science for Everyone