Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
P
P
paralon2012-12-25 09:04:19
Computer networks
paralon, 2012-12-25 09:04:19

Does it make sense to implement 802.1x in an office grid?

Greetings, dear ones!
Prerequisites
There are several thousand users. Users are divided into "teams". Each team has its own specific access both to the resources of other teams, and access outside or in the DMZ.
This is implemented by allocating a VLAN to a team and placing members of a specific team in their own VLAN. The latter is terminated on the L3 distribution-kernel device (in the sense of functions combined in one). On each of these SVIs, respectively, ACL, which regulates where users can or cannot go.
Problem
If the user moves, and this happens often (and sometimes with entire teams), then it usually ends up in a "foreign" VLAN, because the IT service is not warned about the move. Getting in the wrong place, respectively, all accesses are lost, work is slowed down, applications are pouring in, and so on.
Task
To proactively solve this problem. It is clear that it is possible (and most likely necessary) to decide administratively, but circumstances force us to decide technically.
Possible solution
Use 802.1x with domain authorization. First (before authorization), the user's station enters the VLAN sandbox, from where RADIUS is available, for example. Next, the user is authorized, the necessary VLAN is assigned to his port, all accesses and happiness. Not logged in - gets into the guest network.
Questions to the community
Is it possible at all how I imagined it? Has anyone done this? What are the pros and cons?
Thank you.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
J
JDima, 2012-12-25
@paralon

It is implemented in this form and IMHO it is quite expedient in your case. Moreover, there are advanced solutions on this topic: ISE. There you can also make sure that if the antivirus is not updated on the computer or the latest patches are not installed, there will be no access except to the update servers. And in general, one of the authentication factors will be a computer: you won’t be able to bring a personal laptop, plug it into the network and drive your credentials or certificate into .1x. Well, ACLs can be set not on SVI, but directly on the user's port. Automatically. Loaded or pre-driven into the global configuration.

Report
S
Sergey, 2012-12-25
@bondbig

Implemented a long time ago, it has various names - network access control, network admission control, network access protection, and so on. Many manufacturers have it, the cisco used to be called Cisco NAC, now the more advanced version is called ISE, as suggested above. Symantec, checkpoint, even MS have it built in since Server 2008 and Win7 (MS NAP).

Report
N
Nikolai Turnaviotov, 2012-12-25
@foxmuldercp

MS NAP, with Cisco ACS can be done, works in Xp, Win7 / 8, most likely in Linux. Even some network printers can work. If sane Wifi - then there too

Report
F
f0x_m, 2017-04-27
@f0x_m

Has the meaning. Very comfortably.

Similar questions
H
HoHsi2016-08-10 21:31:08
How to set up networking in Docker? 0Reply
E
EvdokarovValerii2014-07-23 18:32:07
Which wireless network equipment to choose? 4Reply
K
koi com2014-07-24 15:55:22
What to read on the front-end'u? 5Reply
M
MIsternik2014-07-25 10:59:05
What are dictionary services with api? 1Reply
T
tr1ck2014-07-25 14:00:47
Why does it kick me out of the internet when I sign in to skype? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question