Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired User Authentication Question

  • 1.  Wired User Authentication Question

    Posted Nov 29, 2016 11:18 PM

    Hypothetical situation:

    VLAN 100 comes into controller, wired, from a secure DMZ. Wired Users on VLAN 100 need access to VLANs 200, 300 & 400 that live (meaning routed by) on the controller.

    What would be the best way to make said wired users authenticate and then be placed in a role with the specific VLAN access they need?

    As always, thanks for any assistance :-)



  • 2.  RE: Wired User Authentication Question

    EMPLOYEE
    Posted Nov 30, 2016 06:36 AM

    At the most basic level, on the controller, you would make the VLAN untrusted. The users coming in on a specific VLAN would get the captive portal. I cannot tell the scope of what you are trying to do from your email, but what you do from here depends on that.



  • 3.  RE: Wired User Authentication Question

    Posted Nov 30, 2016 08:13 PM

    Could this be done, say, with a dot1x authentication request instead of a captive portal? Then, with ClearPass, place the user in a specific role?



  • 4.  RE: Wired User Authentication Question

    EMPLOYEE
    Posted Nov 30, 2016 09:24 PM

    EAPOL or 802.1x traffic is "link local", which means the first switch in the chain needs to do something with the frame or discard it. In other words, wired 802.1x does not work well unless the device is directly connected to the switch that is doing the 802.1x authentication...
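
The "link local" behaviour described in the last reply, as an added example that is not part of the original thread: a small Python classifier that reads an Ethernet header and reports whether a frame is EAPOL and whether a transparent bridge would relay it. It assumes the intermediate switch is a standards-compliant IEEE 802.1D bridge (which filters destination addresses 01-80-C2-00-00-00 through 0F); the sample frames and MAC addresses are constructed.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                 # IEEE 802.1X (EAP over LAN)
VLAN_TPIDS = {0x8100, 0x88A8}            # 802.1Q / 802.1ad tag identifiers
# Reserved block 01-80-C2-00-00-00..0F: a compliant 802.1D bridge never relays these.
RESERVED_PREFIX = bytes.fromhex("0180c20000")
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def classify(frame: bytes) -> dict:
    """Summarise an Ethernet frame from the point of view of an intermediate bridge."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:       # skip any 802.1Q/QinQ tags
        offset += 4
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    payload = frame[offset + 2:]
    link_local = dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F
    info = {
        "dst": dst.hex(":"),
        "is_eapol": ethertype == EAPOL_ETHERTYPE,
        "eapol_type": None,
        "link_local": link_local,
        # Assumption: the switch in the path behaves as a standard 802.1D bridge.
        "relayed_by_bridge": not link_local,
    }
    if info["is_eapol"] and len(payload) >= 2:
        # EAPOL header layout: version (1 byte), packet type (1 byte), length (2 bytes)
        info["eapol_type"] = EAPOL_TYPES.get(payload[1], "unknown")
    return info

# Constructed sample frames (source MAC 00:11:22:33:44:55 is made up).
SRC = "001122334455"
EAPOL_START = bytes.fromhex("0180c2000003" + SRC + "888e" + "01010000")
EAPOL_START_VLAN100 = bytes.fromhex("0180c2000003" + SRC + "81000064" + "888e" + "01010000")
IPV4_UNICAST = bytes.fromhex("020000000001" + SRC + "0800" + "4500")

if __name__ == "__main__":
    for name, frame in [("EAPOL-Start", EAPOL_START),
                        ("EAPOL-Start, VLAN 100 tag", EAPOL_START_VLAN100),
                        ("IPv4 unicast", IPV4_UNICAST)]:
        print(name, classify(frame))
```

The EAPOL-Start frames are flagged as not relayed, while ordinary IP traffic from the same host is relayed, so it can still reach the controller and be handled there.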