Hi Louis,

Thanks very much. My switch will arrive next week. As soon as I have it, I'll start playing around with radius / packetfence / procurve5400.

I guess, as you say, things will become much more concrete then.

Again, you are a great help, thanks!

MJ

On 05/05/2015 02:58 PM, Louis Munro wrote:
>
> On May 5, 2015, at 3:42 , mourik jan heupink <heup...@gmail.com> wrote:
>> I understand now, that each time a device boots, the complete
>> authentication sequence you explained is followed, and also the 802.1x
>> authentication is done using the credentials of the _enduser_?
>
> That depends on the way the supplicant is configured.
> E.g. Windows can be configured to authenticate using computer credentials or
> user credentials.
>
>
>> This would mean that on each boot, they are required to provide
>> credentials twice? First to 'activate' the switch port, then to logon to
>> their OS..?
>
> No. Usually that is automatically handled by the OS and supplicant and is
> invisible to the user.
>
>
>>
>> This would mean that we would no longer be able to send a WOL packet at
>> night to the workstations, make it boot, update stuff, and then shutdown
>> again, right? (as the switch port would remain closed)
>
> I don’t see why not.
> See here for a (Cisco) example of 802.1x with WoL:
> http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/sw8021x.html#wp1196863
>
>>
>> Also, many people here start up their workstation, get a coffee while it
>> boots and updates software (using GPO policies configured to run at
>> system startup). But since the switch port would still be closed, they
>> would come back with coffee, to find a logon request for the 802.1x
>> authentication... Logon..and only THEN the updates would take place.
>>
>
> No. Using Windows as an example what really happens is that soon after
> booting the machine will authenticate using computer credentials.
> Radius can then place them into a VLAN where the required resources are
> available.
> The supplicant will reauthenticate (automatically) when the user logs in and
> radius will then place them in their authorized VLAN, which could be the same
> as the computer authorized one or different.
>
>
>> Only when an unknown mac address appears on a port, packetfence would
>> come in with the captive portal.
>
>
> Forget MACs. They can easily be spoofed and tell you nothing about who is
> actually using the connecting device.
>
> I suggest you start playing with RADIUS.
> This stuff will start making sense when you have more experience with it.
> It’s the way of the future.
> Actually, it may already be getting old at this point.
> RADIUS is 20 years old and can legally drink in many places.
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
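
The computer-then-user authentication sequence described in the quoted reply, as an added example that is not part of the original thread and not PacketFence code. It encodes the RFC 3580 VLAN attributes a RADIUS server returns in an Access-Accept. Assumptions: the VLAN IDs, group names and identities are constructed, and computer authentication is recognised by a `host/` identity prefix.

```python
import struct

# RADIUS attribute numbers for dynamic VLAN assignment (RFC 2868, RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed site policy: VLAN IDs and group names are assumptions.
MACHINE_VLAN = 20                       # domain controllers, update servers
USER_VLANS = {"staff": 30, "students": 40}

def is_machine(identity):
    # Assumption: computer authentication presents "host/<fqdn>".
    return identity.lower().startswith("host/")

def choose_vlan(identity, group=None):
    """Return the VLAN for this authentication, or None to reject."""
    if is_machine(identity):
        return MACHINE_VLAN
    return USER_VLANS.get(group)

def tlv(attr_type, value):
    # RADIUS attribute: 1-byte type, 1-byte total length, then the value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_attributes(vlan_id):
    """Encode the Access-Accept attributes that tell the switch the VLAN."""
    return (tlv(TUNNEL_TYPE, struct.pack("!I", TYPE_VLAN))        # tag 0 + 3-byte value
            + tlv(TUNNEL_MEDIUM_TYPE, struct.pack("!I", MEDIUM_IEEE_802))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii")))

def decode(attrs):
    """Parse TLVs back into {type: value}, rejecting malformed lengths."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        out[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return out

def simulate_port(events):
    """Replay (identity, group) authentications on one port; return VLAN after each."""
    history = []
    for identity, group in events:
        vlan = choose_vlan(identity, group)
        history.append((identity, "reject" if vlan is None else
                        int(decode(vlan_attributes(vlan))[TUNNEL_PRIVATE_GROUP_ID])))
    return history

if __name__ == "__main__":
    # Constructed session: boot, user logon, then an account with no mapped group.
    for step in simulate_port([("host/ws042.example.org", None),
                               ("EXAMPLE\\mj", "staff"), ("EXAMPLE\\guest", None)]):
        print(step)
```

The port moves from the machine VLAN to the user VLAN without a second prompt, and an identity with no mapped group gets no VLAN at all.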