On May 5, 2015, at 3:42, mourik jan heupink <heup...@gmail.com> wrote:
> I understand now, that each time a device boots, the complete
> authentication sequence you explained is followed, and also the 802.1x
> authentication is done using the credentials of the _enduser_?

That depends on the way the supplicant is configured.
E.g. Windows can be configured to authenticate using computer credentials or 
user credentials.


> This would mean that on each boot, they are required to provide
> credentials twice? First to 'activate' the switch port, then to logon to
> their OS..?

No. Usually that is automatically handled by the OS and supplicant and is 
invisible to the user.


> This would mean that we would no longer be able to send a WOL packet at
> night to the workstations, make it boot, update stuff, and then shutdown
> again, right? (as the switch port would remain closed)

I don’t see why not.
See here for a (Cisco) example of 802.1x with WoL:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/sw8021x.html#wp1196863

> Also, many people here startup their workstation, get a coffee while it
> boots and updates software (using GPO policies configured to run at
> system startup). But since the switch port would still be closed, they
> would come back with coffee, to find a logon request for the 802.1x
> authentication... Logon..and only THEN the updates would take place.

No. Using Windows as an example, what really happens is that soon after booting 
the machine will authenticate using computer credentials.
RADIUS can then place them into a VLAN where the required resources are 
available.
The supplicant will reauthenticate (automatically) when the user logs in and 
RADIUS will then place them in their authorized VLAN, which could be the same 
as the computer authorized one or different.


> Only when an unknown MAC address appears on a port, packetfence would
> come in with the captive portal.


Forget MACs. They can easily be spoofed and tell you nothing about who is 
actually using the connecting device.

I suggest you start playing with RADIUS.
This stuff will start making sense when you have more experience with it.
It’s the way of the future. 
Actually, it may already be getting old at this point.
RADIUS is 20 years old and can legally drink in many places. 

Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
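To make the boot sequence Louis describes concrete (machine authentication into a VLAN that can reach the update infrastructure, then reauthentication with user credentials into the user's own VLAN), here is a small added example of the authorization decision a RADIUS server makes. It is illustration written for this thread, not PacketFence or FreeRADIUS code. It only models the authorization step (which identity gets which VLAN) and skips EAP and password verification entirely. The realm `example.corp`, the NetBIOS domain `EXAMPLE`, the computer names, user names and VLAN numbers are all made-up assumptions; the attribute names and values (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID) are the standard RFC 3580 set a switch expects for dynamic VLAN assignment.

```python
"""Toy RADIUS authorization policy: 802.1X machine auth vs. user auth
-> dynamic VLAN via the RFC 3580 tunnel attributes.

Added example for the discussion above; not PacketFence/FreeRADIUS code.
Realm, domain, hosts, users and VLAN numbers below are assumptions.
EAP/password verification is out of scope: we only decide the VLAN.
"""
from dataclasses import dataclass, field

# RFC 2868 / RFC 3580 values a switch expects for dynamic VLAN assignment
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type = IEEE-802

# Hypothetical site policy (assumptions): domain-joined computers land in a
# VLAN that reaches AD/WSUS/GPO shares; logged-in users get a per-group VLAN.
REALM = "example.corp"         # Kerberos realm / DNS suffix (assumption)
DOMAIN_NETBIOS = "EXAMPLE"     # NetBIOS domain name (assumption)
COMPUTER_VLAN = 100
USER_VLANS = {"staff": 200, "finance": 210}
KNOWN_COMPUTERS = {"ws01", "ws02"}                    # constructed inventory
USER_GROUPS = {"alice": "staff", "bob": "finance"}    # constructed directory


@dataclass
class AccessResponse:
    code: str                                   # "Access-Accept" / "Access-Reject"
    attributes: dict = field(default_factory=dict)


def classify_identity(identity: str):
    """Return ("computer", name), ("user", name) or (None, None).

    The Windows supplicant sends machine credentials as host/<fqdn> and
    user credentials as DOMAIN\\user or user@realm. Anything else (a bare
    name, a MAC address, a foreign realm) is treated as unknown.
    """
    if identity.startswith("host/"):
        fqdn = identity[len("host/"):].lower()
        suffix = "." + REALM
        if fqdn.endswith(suffix):
            return "computer", fqdn[: -len(suffix)]
        return None, None
    if "\\" in identity:
        domain, _, user = identity.partition("\\")
        if domain.upper() == DOMAIN_NETBIOS:
            return "user", user.lower()
        return None, None
    if "@" in identity:
        user, _, realm = identity.partition("@")
        if realm.lower() == REALM:
            return "user", user.lower()
        return None, None
    return None, None


def vlan_attributes(vlan: int) -> dict:
    """RFC 3580 attributes telling the switch which VLAN to put the port in."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),   # sent as a string per RFC 3580
    }


def authorize(identity: str) -> AccessResponse:
    """Authorization decision for an already-authenticated EAP identity."""
    kind, name = classify_identity(identity)
    if kind == "computer" and name in KNOWN_COMPUTERS:
        return AccessResponse("Access-Accept", vlan_attributes(COMPUTER_VLAN))
    if kind == "user" and name in USER_GROUPS:
        vlan = USER_VLANS[USER_GROUPS[name]]
        return AccessResponse("Access-Accept", vlan_attributes(vlan))
    # Unknown host, unknown user, or a MAC/bare name: no VLAN, port stays shut.
    return AccessResponse("Access-Reject")


def boot_sequence(computer_identity: str, user_identity: str):
    """The two 802.1X authentications of one boot: machine first, user later.

    Returns [(identity, code, vlan-or-None), ...] in order.
    """
    steps = []
    for ident in (computer_identity, user_identity):
        resp = authorize(ident)
        steps.append((ident, resp.code,
                      resp.attributes.get("Tunnel-Private-Group-ID")))
    return steps


if __name__ == "__main__":
    for step in boot_sequence("host/ws01.example.corp", "EXAMPLE\\alice"):
        print(step)
```

The point of `boot_sequence` is the order: the host/ identity is what the switch sees while the user is off getting coffee, so the VLAN returned for it is the one that must reach the update servers; the user's reauthentication later can move the port to a different VLAN without any user interaction. Note that a MAC address or bare name gets Access-Reject here rather than a VLAN, matching the advice above not to base decisions on MACs.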


