How to implement obtaining an IP address depending on user authorization?
There is a Win2012R2 server - AD, DNS, DHCP.
Users have been created, and DHCP scopes for the subnets (hereinafter VLANs) are set up; for example, there are 3 of them:
1. 192.168.1.0/24 - Clients
2. 192.168.2.0/24 - Employees
3. 192.168.3.0/24 - All the rest.
What needs to be set up so that a user who is a member of the "Clients" group lands in the first subnet, a member of "Employees" in the second, and computers that are simply plugged into the network in the third (the default network, before authorization)?
I brought up a second server with the NPS (Network Policy Server) role on Hyper-V, but in the policies available there I did not see any binding to users.
Do I understand correctly that I need to look at the DHCP + NAP combination?
Or there is, for example, NAP + 802.1x (wired); I suspect that a RADIUS server is also involved there and the assignment happens at the hardware level, with port tagging.
Most of the NPS tutorial videos don't go very far, just "click next, next, next, done" without much explanation of what or why. In text form they seem outdated, 2008-2012.
The initial task sounds like this:
The user, no matter which network outlet he plugs into or which computer he logs in from, must end up in his own VLAN (with his own routes and access to internal resources at the network layer). Foreign computers or unknown devices would simply sit in their own network (which would in fact be quietly monitored by network scanning).
Where this would be used: for example, there is an accounting office. The ports for that office are tagged on the hardware, i.e. no matter how many hubs you spread around the office, everyone will be on the same network, and there is a clear understanding that this is an accountant.
Then there is the general office, where employees of different departments can sit: an accountant, a manager. With their own work laptop (joined to the domain) or one borrowed from a colleague (also joined to the domain). And in fact they should not overlap on the network; the only way to tell who is who is the account. A client (not a domain member) may sit in the same office, who needs to work for 40 minutes, and apart from access to the printer network or the Internet he should not be let anywhere else.
Can anyone actually spell out how to implement this and where to dig for details?
For this, in principle, 802.1x was invented :)
https://habr.com/ru/post/138889/
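The mechanism behind the 802.1X answer above is dynamic VLAN assignment (RFC 3580): the switch authenticates the user over EAP, NPS looks up the user's AD group membership, and the matching network policy returns three RADIUS attributes in the Access-Accept (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = the VLAN number). The switch moves the port into that VLAN, and the DHCP server then answers from the scope that matches the relay's subnet. The following added example (not code from the original thread or from NPS) models both sides of that exchange in Python: the NPS-side policy decision and packet construction, and the switch-side validation of the Response Authenticator and extraction of the VLAN. Group names, VLAN numbers, the shared secret and the assumption that the port sits statically in VLAN 3 (the "everyone else" network) are constructed to match the question.

```python
"""Dynamic VLAN assignment over RADIUS (RFC 2865 / RFC 2868 / RFC 3580), both ends modelled.

Added example: constructed group->VLAN mapping and a made-up shared secret; not NPS code.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

# Constructed policy table: AD group -> VLAN ID, in NPS policy order (first match wins).
GROUP_TO_VLAN = {"Clients": 1, "Employees": 2}
# Assumption: the switch port is statically in VLAN 3, so an unauthenticated device,
# an Access-Reject, or an Access-Accept without VLAN attributes all leave it there.
DEFAULT_VLAN = 3

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tunnel_int(attr_type: int, value: int, tag: int = 1) -> bytes:
    """Tunnel attributes carry a 1-byte tag followed by a 3-byte integer (RFC 2868)."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_for_groups(groups) -> int | None:
    """NPS-side decision: the first policy whose group condition matches wins."""
    for group, vlan in GROUP_TO_VLAN.items():
        if group in groups:
            return vlan
    return None


def build_response(groups, request_authenticator: bytes, secret: bytes, identifier: int) -> bytes:
    """Build the packet NPS would return: Access-Accept with VLAN attributes, or Access-Reject."""
    vlan = vlan_for_groups(groups)
    if vlan is None:
        code, attrs = ACCESS_REJECT, b""
    else:
        code = ACCESS_ACCEPT
        attrs = (_tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                 + _tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
                 + _avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan).encode()))
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuthenticator + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def switch_decide_vlan(packet: bytes, request_authenticator: bytes, secret: bytes) -> int:
    """Switch (authenticator) side: verify the reply came from the RADIUS server, then pick the VLAN."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length mismatch")
    resp_auth, attrs_raw = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs_raw + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    if code != ACCESS_ACCEPT:
        return DEFAULT_VLAN  # reject: port stays unauthorized in its static VLAN
    tunnel_type = medium = None
    group_id = None
    for attr_type, value in parse_attributes(attrs_raw):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading byte of 0x01..0x1F is a tag; anything else is part of the string.
            group_id = value[1:] if 0 < value[0] <= 0x1F else value
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802 or not group_id:
        return DEFAULT_VLAN  # accepted, but no usable VLAN assignment
    return int(group_id.decode("ascii"))


if __name__ == "__main__":
    secret, req_auth = b"example-shared-secret", bytes(range(16))
    for groups in (["Domain Users", "Employees"], ["Clients"], ["Domain Users"]):
        pkt = build_response(groups, req_auth, secret, 7)
        print(groups, "->", "VLAN", switch_decide_vlan(pkt, req_auth, secret))
```

On a real NPS the same three attributes are set under the network policy's Settings, RADIUS Attributes, Standard, with the group condition under Conditions, and each policy is evaluated in order, which is why `vlan_for_groups` stops at the first match. Devices that never answer EAPOL (the "unknown devices" in the question) never produce an Access-Accept at all and simply remain in the port's static VLAN 3, where the DHCP scope for 192.168.3.0/24 serves them.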