Re: per user vlan and 802.1X

From: Walter Roberson <roberson_at_ibd.nrc-cnrc.gc.ca>
Date: 12 Jun 2003 19:13:17 GMT


In article <39237N375_at_web2news.com>,
ala <niala.news.invalid_at_web2news.net> wrote:
:Can I put a user in a VLAN with a Catalyst 29xx/35xx and 802.1X authentication?
:Do I need specific CLI in the Catalyst? i.e. something like switchport
:dynamic or dot1x CLI?
:Do I have to configure aaa authorization on the Catalyst?
:Which RADIUS server supports VLAN attributes (Win 2000, ACS ver 3.2, ..?)

Sorry, I seem to be having a lot of trouble understanding the question as phrased.

Do I understand correctly that you want a layer 2 device (the 2900 or 3500 series switches) to do some kind of RADIUS-based user identification, and have the RADIUS server return information about which 802.1q VLAN number to use?

If that is the goal, then I don't know if it could be done (I tend not to follow the latest developments on the switch software), but I would tend to strongly doubt it. It raises too many questions in my mind:

  • how do you do user authentication before you have had at least one ftp, telnet, http, or https request? Those are the only protocols that are usually supported for prompting for credentials.
  • how would a layer 2 switch determine that a layer 4 protocol such as ftp, telnet, http, or https was in use in order to issue a credential prompt?
  • how do you handle the fact that there might be quite a few "users" simultaneously at any particular MAC address?

-- 
Whose posting was this .signature Google'd from?
Received on Thu Jun 12 2003 - 12:13:17 PDT
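The exchange the question is asking about is the one in which a RADIUS server returns a VLAN number inside an Access-Accept, which it does with the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) as profiled for 802.1X in RFC 3580. The following is an added example, not part of this thread and not code from any vendor: it builds such an Access-Accept and then shows the checks a switch (the authenticator) should make before moving a port into the returned VLAN: that the Response Authenticator verifies against the shared secret, that the three attributes are present, carry the same tag, and name VLAN over IEEE-802, and that the id is a legal 802.1Q number. The shared secret, identifier and request authenticator are constructed sample values. The switch-side validation goes a little beyond the thread, which only asks whether the attributes exist.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802
ACCESS_ACCEPT = 2


def encode_avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vlan_avps(vlan_id, tag=1):
    """The three attributes a RADIUS server returns to assign vlan_id (RFC 3580)."""
    tag_byte = bytes([tag])
    return (encode_avp(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_avp(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + encode_avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode()))


def build_access_accept(identifier, request_auth, secret, avps):
    """Assemble an Access-Accept with its Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(avps))
    resp_auth = hashlib.md5(header + request_auth + avps + secret).digest()
    return header + resp_auth + avps


def verify_access_accept(packet, request_auth, secret):
    """Return the attribute bytes if packet is a well-formed Access-Accept whose
    Response Authenticator matches the shared secret; otherwise None."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    avps = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + avps + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return avps


def parse_avps(data):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def split_tag(value, is_string):
    """Separate the RFC 2868 tag octet. For string attributes a first octet
    above 0x1F is data rather than a tag, so the attribute is treated as tag 0."""
    if not value:
        return 0, b""
    if is_string and value[0] > 0x1F:
        return 0, value
    return value[0], value[1:]


def vlan_from_avps(avps):
    """Return the VLAN id the switch should apply, or None if the tunnel attributes
    are absent, inconsistent with each other, or not a valid 802.1Q id."""
    groups = {}
    for attr_type, value in avps:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, raw = split_tag(value, is_string=False)
            if len(raw) != 3:
                continue
            key = "type" if attr_type == TUNNEL_TYPE else "medium"
            groups.setdefault(tag, {})[key] = int.from_bytes(raw, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, raw = split_tag(value, is_string=True)
            groups.setdefault(tag, {})["group"] = raw
    for tag in sorted(groups):
        g = groups[tag]
        if g.get("type") != TUNNEL_TYPE_VLAN or g.get("medium") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = g.get("group", b"")
        if not group.isdigit():   # a VLAN name rather than a number; not handled here
            continue
        vid = int(group)
        if 1 <= vid <= 4094:
            return vid
    return None


if __name__ == "__main__":
    # Constructed sample values for the demonstration only
    secret = b"demo-shared-secret"
    request_auth = bytes(range(16))
    packet = build_access_accept(7, request_auth, secret, build_vlan_avps(120))
    avps = verify_access_accept(packet, request_auth, secret)
    print("VLAN to apply:", None if avps is None else vlan_from_avps(parse_avps(avps)))
```

The tag handling matters because a server may return several tunnel groups in one reply; a switch that takes Tunnel-Private-Group-ID on its own, without confirming the matching Tunnel-Type and Tunnel-Medium-Type, will apply a VLAN the server never meant for 802.1Q. The authenticator check is what ties the reply to the shared secret; without it a forged reply on the path between switch and server would be enough to choose a VLAN.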
