
Security Basics mailing list archives
Re: Dynamically assign a computer in a VLAN
From: <shankarnarayan.d () netsol co in>
Date: 21 Apr 2005 09:03:13 -0000
In-Reply-To: <42666534.9080803 () laposte net>

Hi

This can be done using Cisco's IBNS (Identity Based Networking Services) concept. The same works based on user name and password.

Assume three components: the Client (a Laptop/Desktop etc.), a Switch and an Access Control Server (ACS). The Switch has a RADIUS Client and the ACS is a "Cisco ACS3.x" RADIUS Server. You configure the policies and Authorization parameters on the ACS (and can even link the same to ADS). When the Client logs into the Workstation, the client is asked to pass his authentication credentials. The credentials could include his user name and password and, additionally, digital certificates etc.

The primary concept behind this is EAP based authentication (using an AAA server) and AAA based authorization.

Two points to remember. First, MAC address cannot be a criterion in assigning one to a VLAN. Second, to my knowledge, this will now restrict you to a Cisco only solution.

We have implemented this for a BPO where agents (as they are called) can use any Desktop and, based on their user credentials, are automatically put into the respective VLAN. The Cisco ACS and Switch interact to automatically put the port into that VLAN. Such functionality is available only for specific Cisco Switches.

If MAC address is critical for you, then try putting MAC based filters manually (manually is a critical word here) on the Switch.

My knowledge says VMPS (assuming you still have such a setup) cannot be used with IBNS. Someone can correct me if I am wrong on this point.

Additionally, if you could expand on what you call a trusted VLAN...

Hope this helps

Shankar

Hi everyone,

We want to dynamically assign a Workstation or Laptop to a "trusted" VLAN, after authentication based on username, password and MAC address. I know we can assign a computer to a VLAN by its MAC address with VMPS. Can RADIUS or TACACS do the same, combined with username/password authentication?

Thanks all for your answers.

Mathieu Rinck