Does it make sense to implement 802.1x in an office network?
Greetings, everyone!
Prerequisites
There are several thousand users. Users are divided into "teams". Each team has its own specific access both to the resources of other teams and to the outside or the DMZ.
This is implemented by allocating a VLAN to each team and placing that team's members in it. The VLANs are terminated on the L3 distribution/core device (one box combining both functions). Each of these SVIs carries an ACL that regulates where users can or cannot go.
Problem
If a user moves, which happens often (sometimes with entire teams), they usually end up in a "foreign" VLAN, because the IT service is not told about the move. Having landed in the wrong place, they lose all their access, work slows down, tickets pour in, and so on.
Task
To solve this problem proactively. Clearly it could (and most likely should) be solved administratively, but circumstances force us to solve it technically.
Possible solution
Use 802.1x with domain authorization. First (before authorization), the user's station lands in a sandbox VLAN from which, for example, RADIUS is reachable. Then the user is authorized, the required VLAN is assigned to his port, and he has all his access and is happy. If he does not log in, he ends up in the guest network.
Questions to the community
Is what I have in mind possible at all? Has anyone done this? What are the pros and cons?
Thank you.
It is implemented in this form, and IMHO it is quite appropriate in your case. Moreover, there are more advanced solutions on this topic: ISE. There you can also ensure that if the antivirus on the computer is not updated or the latest patches are not installed, there is no access except to the update servers. In general, the computer itself becomes one of the authentication factors: you will not be able to bring a personal laptop, plug it into the network and type your credentials or load your certificate into .1x. And ACLs can be applied not on the SVI but directly on the user's port, automatically, either downloaded or pre-loaded into the global configuration.
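The flow described in the question (sandbox VLAN before authorization, team VLAN after, guest VLAN on failure) and the refinements in the answer above (posture check, machine as an authentication factor, per-port ACL pushed from RADIUS) all come down to what the RADIUS server puts into the Access-Accept. The switch reads three RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>) and, optionally, Filter-Id (RFC 2865) for the port ACL. The Python below is an added example, not code from the thread or from any vendor product: it holds the authorization decision in one function and encodes/decodes the attributes on the wire. The group names, VLAN numbers, ACL names and the `AuthResult` shape are constructed assumptions; a real deployment gets them from the directory and the posture agent.

```python
import struct
from dataclasses import dataclass

# RADIUS attribute numbers and values used for dynamic VLAN assignment
ATTR_FILTER_ID = 11                 # RFC 2865: name of an ACL the NAS applies on the port
ATTR_TUNNEL_TYPE = 64               # RFC 2868, tagged integer
ATTR_TUNNEL_MEDIUM_TYPE = 65        # RFC 2868, tagged integer
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868, tagged string carrying the VLAN id
TUNNEL_TYPE_VLAN = 13               # RFC 3580: "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6           # RFC 2868: "802"
TAG = 0x01                          # tag byte linking the three tunnel attributes together

GUEST_VLAN = "999"        # constructed: where unknown / unauthenticated stations land
REMEDIATION_VLAN = "998"  # constructed: reaches patch and antivirus update servers only

# Constructed directory mapping: AD group -> (team VLAN, port ACL name)
TEAM_POLICY = {
    "team-sales": ("110", "ACL-TEAM-SALES"),
    "team-dev":   ("120", "ACL-TEAM-DEV"),
}


@dataclass
class AuthResult:
    """Constructed summary of what EAP/domain auth and the posture agent reported."""
    authenticated: bool   # domain credentials or certificate verified
    groups: tuple         # directory group memberships
    posture_ok: bool      # AV current, patches installed
    machine_joined: bool  # station is a domain-joined corporate machine


def decide_vlan(result):
    """Authorization policy from the thread. Returns (vlan, acl_name_or_None)."""
    if not result.authenticated or not result.machine_joined:
        return GUEST_VLAN, None                      # personal laptop or bad login -> guest
    if not result.posture_ok:
        return REMEDIATION_VLAN, "ACL-REMEDIATION-ONLY"   # only update servers reachable
    for group in result.groups:
        if group in TEAM_POLICY:
            return TEAM_POLICY[group]                # team VLAN plus the team's port ACL
    return GUEST_VLAN, None                          # valid user without a team mapping


def _tagged_int(attr, value):
    # RFC 2868 tagged integer: Type, Length(=6), Tag, 3-byte big-endian value
    return struct.pack("!BBB", attr, 6, TAG) + value.to_bytes(3, "big")


def _tagged_str(attr, value):
    data = value.encode("ascii")
    return struct.pack("!BBB", attr, 3 + len(data), TAG) + data


def _plain_str(attr, value):
    data = value.encode("ascii")
    return struct.pack("!BB", attr, 2 + len(data)) + data


def build_access_accept_attrs(vlan, acl=None):
    """Attribute payload the switch expects in Access-Accept for dynamic VLAN."""
    attrs = (_tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
             + _tagged_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, vlan))
    if acl:
        attrs += _plain_str(ATTR_FILTER_ID, acl)
    return attrs


def parse_attrs(payload):
    """Decode the TLVs the way the switch would, so we can verify what was sent."""
    out = {}
    i = 0
    while i < len(payload):
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        body = payload[i + 2:i + length]
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            out[attr_type] = int.from_bytes(body[1:], "big")   # skip the tag byte
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            out[attr_type] = body[1:].decode("ascii")
        else:
            out[attr_type] = body.decode("ascii")
        i += length
    return out


if __name__ == "__main__":
    session = AuthResult(True, ("team-dev",), True, True)   # constructed session
    vlan, acl = decide_vlan(session)
    wire = build_access_accept_attrs(vlan, acl)
    print(wire.hex(), parse_attrs(wire))
```

The point of keeping `decide_vlan` separate from the encoder is that the moves in the question stop being a networking problem at all: the port is irrelevant, the directory group decides the VLAN, and a station that fails authentication or posture never gets a team VLAN regardless of where it is plugged in.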
This was implemented a long time ago and goes by various names: network access control, network admission control, network access protection, and so on. Many vendors have it; Cisco's used to be called Cisco NAC, and the more advanced version is now called ISE, as suggested above. Symantec and Check Point have it, and even MS has had it built in since Server 2008 and Win7 (MS NAP).
MS NAP can be done with Cisco ACS; it works on XP, Win7/8, and most likely on Linux. Even some network printers can do it. If the Wi-Fi is sane, then there too.