Hi,

> > 1) authenticate access to the network from Open Public Access Catalog
> > (OPAC) desktop machines available to every user of a library.
>
> OPAC? That must be a term local to your site. I don't know what it means.

We have OPACs too - I think it's a term derived from the world of librarians and therefore alien to most ;-)

> > 2) have a guest account with limited LAN access (no access to internet,
> > or just a very short whitelist)
> > 3) Keep the machines reachable from some servers (ghost server,
> > monitoring, etc). (this criterion eliminates the solution of a captive
> > portal)
>
> It's hard to set up guest access without a captive portal.
>
> > I thought 802.1x with dynamic vlans would be a nice solution as it
> > should permit to put the guest account in a specific vlan.
>
> Maybe. Do the client machines do 802.1X? How will they get a
> username/password for authentication?

I would say use something like pGina for authentication - there are several plugins that allow the Windows login to become RADIUS enabled. Set the default/guest/failed-802.1X VLAN to be very limited (so that the systems can only talk to your patching/monitoring servers and to the RADIUS server), then, upon successful login, the devices can be bumped to a relevant 802.1X network - for local folk or for visitors.

> It won't be possible. If you've configured 802.1X, there will be no
> network available until after authentication happens.

Most NAS devices have ideas of 'guest' networks that are given if the port is not in an authenticated state - indeed, the latest Cisco firmwares allow traffic to pass TO the client (handy for WoL!) ...but not from the client.

A simpler method would be ye olde captive portal - with ebtables/iptables - iptables then 'opened up' after a real user has logged into the captive portal... otherwise limited to just your management servers.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
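The captive-portal variant Alan sketches at the end (client segment locked down to the management servers until a real user has logged in, then iptables "opened up" for that client) is shown below as an added example; it is not code from the thread, from Alan, or from the FreeRADIUS project. The interface name `LAN_IF`, the chain name `PORTAL_FWD`, the management server addresses and the client address in the usage note are all constructed assumptions. Setting `IPT=echo` makes the script print the rules instead of applying them, which is how it can be read and tested without root.

```shell
#!/bin/sh
# Added example: forwarding policy for an unauthenticated OPAC/guest segment.
# Default state: clients may reach only the management servers (ghost,
# monitoring, RADIUS); everything else is logged and dropped.  After a user
# logs in at the portal, portal_grant inserts a per-client ACCEPT ahead of the
# default drop; portal_revoke removes it again.
# Assumptions (constructed, not from the original post):
#   LAN_IF        interface facing the client segment
#   MGMT_SERVERS  space-separated management hosts reachable before login
#   IPT           iptables binary; IPT=echo prints rules instead of applying
set -eu

IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth1}
MGMT_SERVERS=${MGMT_SERVERS:-"192.0.2.10 192.0.2.11 192.0.2.12"}  # constructed sample addresses
CHAIN=PORTAL_FWD

# Sanity check on an address coming from the portal's login form before it is
# placed in a firewall rule: exactly four decimal octets, each 0..255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Install the default (unauthenticated) policy for traffic arriving on LAN_IF.
portal_default_policy() {
    $IPT -N "$CHAIN" 2>/dev/null || true   # chain may already exist
    $IPT -F "$CHAIN"
    # every forwarded packet from the client segment goes through our chain
    $IPT -A FORWARD -i "$LAN_IF" -j "$CHAIN"
    # replies to connections the client was allowed to open
    $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # management servers stay reachable whether or not the user has logged in
    for srv in $MGMT_SERVERS; do
        $IPT -A "$CHAIN" -d "$srv" -j ACCEPT
    done
    # anything else from an unauthenticated client is logged and dropped
    $IPT -A "$CHAIN" -j LOG --log-prefix "portal-deny: "
    $IPT -A "$CHAIN" -j DROP
}

# Open the network for one client after a successful portal login.
# The rule is inserted at position 1 so it precedes the default drop.
portal_grant() {
    is_ipv4 "$1" || { echo "portal_grant: invalid client address: $1" >&2; return 1; }
    $IPT -I "$CHAIN" 1 -s "$1" -m comment --comment "portal-auth" -j ACCEPT
}

# Close the network again (logout, lease expiry, idle timeout).
portal_revoke() {
    is_ipv4 "$1" || { echo "portal_revoke: invalid client address: $1" >&2; return 1; }
    $IPT -D "$CHAIN" -s "$1" -m comment --comment "portal-auth" -j ACCEPT
}
```

Typical use is `portal_default_policy` once at boot, then `portal_grant 10.0.0.5` (constructed address) from the portal's login handler and `portal_revoke 10.0.0.5` on logout. The `is_ipv4` check matters because the address normally arrives from the web portal, and a value that is not a plain address should never reach the `iptables` command line. The ESTABLISHED,RELATED rule is what keeps the management servers able to reach the client and get answers back while the client itself cannot open anything new.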

