Comware

OK, So our ever so friendly HP rep cam in today and gave us alot of great information, and answered a few lingering questions we had.

One thing we talked about was port based authentication.

I'm not really looking for how to do it, i just want to know what I need to read, and to make sure i am researching the correct things.

We talked about a machine receiving a certificate to logon. The certificate will make sure the pc can get onto the network prior to a user loggin in so any computer gpo settings will be allowed to happen, as these happen before a user logs in.
What is this part called?

Once the machine has a certificate, it can be on the network, untill a user logs in. Once that user logs in it authenticates to a RADIUS (Is this correct) server, where the radius server and the DHCP server work together to give the client it's new IP and assign that port to the proper vlan based on the user name.

Basically we want it so that any port is useless unless, the hardware holds a certificate, and once logged on, the port is re-assigned a vlan and the proper ip corrisponding with that vlan... This will keep anyone from simply unplugging their pc and plugging in to get high speed internet, and meet a security concern.

Just looking for reading material and key words so i know what top specifically pay attention to.

Thanks Guy's

Hi psycho.chicken,

I believe you are asking about IEEE 802.1AE Media Access Control Security or MACSec.

http://en.wikipedia.org/wiki/802.1ae

As it is a rather new standard, you would have to purchase it from IEEE.

Probably your best approach will be to Google 802.1ae or MACSec.

Lastly, depending on what your needs are, you also have the option of IEEE 802.1x.

http://en.wikipedia.org/wiki/802.1x

Hope this helps,
Dennis

Sorry, I didn't answer your question, did I? :-)

I'm just now reading through the spec to better understand the protocol. It looks like the protocol itself is not responsible for differentiating between the rights of a machine account vs. the rights of an authenticating user. So, what your probably asking for is the definition of this transition step where the OS is providing an extensible solution on top of the protocol. Is this true?

He talked about the computer receiving a certificate. Once teh computer receives the certificate it can boot up, and belong to the network, on a temp vlan that will give it access to domain needs... This will allow the pc to receive computer based group policies...

Once user JCOOL sits down and logs in, the computer reauthenticates to the switch as jcool, jcool authenticated to the radius server and puts him in his correct vlan based on his username.

I know it can be done, i just dont remember what the authentication names are...
There are two steps to authentication here...
the first is by a certificate issued by our CA, which would have to be manually installed on all PC's at first...
The second is based on the user.

This will keep peopl from unplugging the PC and plugging in their laptop and abusing our bandwidth...

Ok, this sounds more like 802.1x. Yes, it can be configured to use a "Guest" vlan by default. This is where you would need to make sure your machine can access the DC for policy updates.

There is lots of info on the web for working with 802.1x. Most importanly, your switch has to support it as well as your NIC.

RADIUS and/or TACACS are the two services most commonly used to do authentication, etc.

This might be a good place to start, assuming your in a Windows XP environment:

http://www.stevens.edu/itwiki/cgi-bin/wiki/index.php?title=802.1x

Take a look at the section: Facts on Using 802.1x with Protected EAP

Hope this is closer to the mark.
Dennis