02-10-2012 09:28 AM
At Brandeis we are lucky to have a home-grown network registration system that offers some interesting outputs. One method of interacting with the registration system is through RADIUS. We use FreeRADIUS and the optional SQL backend to connect to our database of registered MAC addresses. This system also allows us to return VSA attributes from RADIUS based on information given when the device was registered. For example, we can assign a game device role to game consoles or a printer role to printers.
One fun fact about Brandeis is that all of our devices are publicly addressed. That means that anything connected to our network is accessible WORLD WIDE!! Great for research and connectivity, but it makes for interesting security issues.
A large part of our choice to use the S3500 as our edge was its ability to interface with external services for user identification and role assignment. One way the S3500 can do this is through MAC authentication to a RADIUS server. For anyone who has configured Aruba wireless, this is plainly simple. The magic for us is that this is now completely extensible for ANY device on our wired network. In the example below I show how a user registers a printer and the printer assumes a restrictive role. However, we can now use this for ANY device, like APs to assign an AP VLAN, or user devices into high-security VLANs.
Pretty cool stuff!
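The mapping the post describes (a registered MAC address looked up by FreeRADIUS's SQL backend, with the device's registered type turned into an Aruba role VSA) as an added example; this is constructed for illustration and is not Brandeis's registration system or the poster's configuration. The `registered_devices` table, the `device_type` values, the role names (`printer-role`, `game-role`, `ap-role`, `user-role`) and the MAC addresses are all made-up assumptions; `radcheck`, `radreply`, `Cleartext-Password` and the `Aruba-User-Role` VSA are the standard FreeRADIUS rlm_sql tables and dictionary names.

```sql
-- Constructed example: a minimal registration table feeding the FreeRADIUS
-- rlm_sql tables. Column layout of radcheck/radreply matches the stock
-- schema's username/attribute/op/value columns (id column omitted for brevity;
-- use the schema shipped with rlm_sql in production).

CREATE TABLE registered_devices (
    mac          VARCHAR(12) PRIMARY KEY,  -- stored lower-case, no separators
    owner        VARCHAR(64) NOT NULL,     -- who registered it (hypothetical)
    device_type  VARCHAR(16) NOT NULL      -- printer | game | ap | user
);

CREATE TABLE radcheck (
    username  VARCHAR(64) NOT NULL,
    attribute VARCHAR(64) NOT NULL,
    op        CHAR(2)     NOT NULL,
    value     VARCHAR(253) NOT NULL
);

CREATE TABLE radreply (
    username  VARCHAR(64) NOT NULL,
    attribute VARCHAR(64) NOT NULL,
    op        CHAR(2)     NOT NULL,
    value     VARCHAR(253) NOT NULL
);

-- Two made-up registrations: a printer and a game console.
INSERT INTO registered_devices (mac, owner, device_type) VALUES
    ('001122aabbcc', 'jdoe',   'printer'),
    ('00aa22bbcc44', 'asmith', 'game');

-- MAC authentication: the switch sends the MAC as both User-Name and
-- User-Password, so the "password" FreeRADIUS checks is the MAC itself.
-- Only registered MACs get a row; an unknown MAC matches nothing, rlm_sql
-- returns notfound, and the Access-Request is rejected (default deny).
INSERT INTO radcheck (username, attribute, op, value)
SELECT mac, 'Cleartext-Password', ':=', mac
  FROM registered_devices;

-- Turn the registered device type into the Aruba-User-Role VSA that the
-- switch applies to the port; unknown types fall back to the most
-- restrictive role rather than no role.
INSERT INTO radreply (username, attribute, op, value)
SELECT mac,
       'Aruba-User-Role',
       ':=',
       CASE device_type
           WHEN 'printer' THEN 'printer-role'
           WHEN 'game'    THEN 'game-role'
           WHEN 'ap'      THEN 'ap-role'
           ELSE                'user-role'
       END
  FROM registered_devices;

-- What FreeRADIUS's default authorize_reply_query sees for the printer:
-- one row, Aruba-User-Role := 'printer-role'.
SELECT username, attribute, op, value
  FROM radreply
 WHERE username = '001122aabbcc';

-- And for an unregistered MAC: zero rows, so no role and no access.
SELECT username, attribute, op, value
  FROM radcheck
 WHERE username = 'deadbeef0000';
```

One practical check: the `username` the switch sends must match the stored form exactly (separators and case), so either normalize the MAC in the registration system before it lands in `radcheck`, or normalize in FreeRADIUS before the SQL lookup (FreeRADIUS 3 ships a `rewrite_calling_station_id` policy for this). A mismatch fails closed, which is the right direction, but it shows up as every device on that switch being rejected.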