Wired 802.1x Machine/User Authentication

Some background info first:
I'm working on a wired 802.1x project in which I automatically assign
per-user VLANs and ACLs based on RADIUS user group profiles.  Machines
and Users are all authenticated as individual security principals.  MS
Windows 802.1x settings allow for a workstation to log in automatically
with its own domain credentials prior to any user logging on.  However,
once the user logs in, this initiates a reauthentication event with the
interactive user's NT credentials.  Based on the authentication result, I
can assign to the switch port additional ACLs, change the VLAN
dynamically, or simply keep things the same but I have detailed logs of
who/what is logging in where.

I am looking to do the same thing with NetworkManager.  I would like to
configure the workstation to automatically authenticate with one
particular authentication method prior to a user logging in (e.g.
EAP-TTLS, EAP-PEAP, etc), but I want a user to be able to use their
personalized NetworkManager 802.1x profile to reauthenticate after
desktop access.

From my previous experience with xsupplicant/wpa_supplicant and NM, I
can configure /etc/network/interfaces with static 802.1x settings to
accomplish machine authentication.  However, this would disable a user's
ability to reauthenticate using NM, as NM would detect a manual
configuration in place and not allow any per user settings.  Does this
still hold true, or is there a way to work around this limitation?

I have currently only been using NM 0.6.6 which is included with Ubuntu
8.04 Hardy.  Not sure if later releases have made this possible.

Many thanks in advance for your input.

--

Gilbert Mendoza
PGP: 0x075DBCA9
Email: gmendoza at gmail.com
