Hi there,
I need to segment my company's flat network. My plan is to segment the existing network into Layer 2 sub-networks (aka VLANs) at an organizational level (HR, dev, network services, etc.). The infrastructure is very heterogeneous, with mainly Linux machines, but also Windows, some Macs, IP phones, network printers, VMs, Docker containers, etc.
I want to avoid static/port-based VLANs and go for a solution that is as dynamic as possible. MAC-based VLAN assignment is desired, as we, the IT department, already have a list of MAC addresses. A big requirement is also no (or minimal) user-side configuration, mainly to reduce user support and trouble.
For now I would use 802.1X. My plan is to have a RADIUS server (FreeRADIUS) do the MAC authorization and VLAN assignment. But on one side this collides with our no-user-config desire, as the supplicant must be configured (at least activating 802.1X on the endpoints). I also thought about using MAC access lists on our managed switches, which is, for me, less flexible and harder to maintain.
It seems that no one on the internet has set up 802.1X MAC-based authorization, and I wanted to gather implementation ideas on this. Have you ever set up MAC-based authentication? With 802.1X? Is 802.1X good for MAC-based authorization? What was your deployment plan? What difficulties did you encounter? Do other MAC-based host authentication methods exist?
I know it's a lot of questions, but I'm looking for cases, ideas and ways to implement such a solution; I'm not asking for a ready-to-go one.
Kind regards
Note: I'm aware that MAC-based authorization is not the most secure way to authenticate hosts. However, using 802.1X and RADIUS makes it easy to change the authentication method if needed one day.
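A worked example of the FreeRADIUS side of the plan above (RADIUS server holding the MAC list and returning the VLAN), added here as an illustration and not part of the original post. It assumes the switches are configured for MAC Authentication Bypass (MAB) so that a host with no supplicant is still authenticated by its MAC, that the RADIUS configuration canonicalises the MAC in User-Name to lower-case hex with hyphens (the format FreeRADIUS's own `rewrite_calling_station_id` policy produces for Calling-Station-Id), and that the IT department's MAC list is a CSV with `mac,hostname,department` columns. The department-to-VLAN table, the quarantine VLAN 999, and the sample MAC list are all constructed for the example. The script normalises the mixed MAC formats such a list accumulates, rejects malformed or duplicate entries instead of silently dropping them, and renders FreeRADIUS `users` file entries carrying the RFC 3580 tunnel attributes that switches use for dynamic VLAN assignment.

```python
"""Render a FreeRADIUS 'users' file for MAC-based authorization (MAB) with
dynamic VLAN assignment from an IT-maintained MAC list.

Assumptions (hypothetical, not from the original post):
  - the switch sends the client MAC as User-Name (MAB);
  - the RADIUS config has already rewritten User-Name to aa-bb-cc-dd-ee-ff;
  - the MAC list is a CSV with columns mac,hostname,department.
"""
import csv
import io
import re

# Department -> VLAN ID. Placeholder values for the example.
DEPT_VLAN = {"hr": 10, "dev": 20, "netsvc": 30, "printers": 40, "voip": 50}
# Unlisted MACs are accepted into an isolated VLAN rather than rejected, so a
# forgotten host gets captive/limited access and shows up in accounting logs.
QUARANTINE_VLAN = 999

# Constructed sample MAC list, in the mixed notations that tend to accumulate
# (colons, hyphens, Cisco dotted, bare hex). The last two rows are deliberately
# bad: a truncated MAC and a department with no VLAN mapping.
SAMPLE_MAC_LIST = """mac,hostname,department
00:11:22:33:44:55,hr-laptop-01,hr
AA-BB-CC-DD-EE-FF,dev-ws-07,dev
0011.2233.4466,printer-floor2,printers
0011223344FF,phone-1042,voip
00:11:22:33:44,broken-row,dev
00:11:22:33:44:77,unknown-box,marketing
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the MAC as lower-case hex pairs joined by hyphens, or raise ValueError."""
    digits = re.sub(r"[:.\- ]", "", raw.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(raw: str) -> bool:
    """True if normalize_mac() would accept the value."""
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


def users_entry(mac: str, vlan: int, comment: str = "") -> str:
    """One 'users' entry. Auth-Type := Accept skips the password check: in a
    MAB request the password is just the MAC again, so checking it adds nothing."""
    lines = [f"# {comment}"] if comment else []
    lines += [
        f"{mac}\tAuth-Type := Accept",
        "\tTunnel-Type = VLAN,",
        "\tTunnel-Medium-Type = IEEE-802,",
        f'\tTunnel-Private-Group-Id = "{vlan}"',
    ]
    return "\n".join(lines) + "\n"


def build_users_file(csv_text: str) -> tuple[str, list[str]]:
    """Render the file; return (text, rejected_rows) so bad rows can be fixed."""
    out, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"]
        dept = row["department"].strip().lower()
        try:
            mac = normalize_mac(row["mac"])
        except ValueError as exc:
            rejected.append(f"{host}: {exc}")
            continue
        if dept not in DEPT_VLAN:
            rejected.append(f"{host}: unknown department {dept!r}")
            continue
        if mac in seen:  # one MAC in two departments would be ambiguous
            rejected.append(f"{host}: duplicate MAC {mac}")
            continue
        seen.add(mac)
        out.append(users_entry(mac, DEPT_VLAN[dept], f"{host} ({dept})"))
    # Catch-all for anything that looks like a MAC but is not listed. The regex
    # check item keeps it from matching real 802.1X user names if this file is
    # ever consulted for EAP requests too.
    out.append(
        'DEFAULT\tUser-Name =~ "^[0-9a-f]{2}(-[0-9a-f]{2}){5}$", Auth-Type := Accept\n'
        "\tTunnel-Type = VLAN,\n"
        "\tTunnel-Medium-Type = IEEE-802,\n"
        f'\tTunnel-Private-Group-Id = "{QUARANTINE_VLAN}"\n'
    )
    return "\n".join(out), rejected


if __name__ == "__main__":
    text, rejected = build_users_file(SAMPLE_MAC_LIST)
    print(text)
    for line in rejected:
        print("REJECTED:", line)
```

Two points a practitioner would check before relying on this: the User-Name format each switch vendor sends for MAB differs (bare lower-case hex on some platforms, upper-case with hyphens on others), so the canonicalisation step in the RADIUS policy is what makes a single entry format work across a heterogeneous fleet; and the quarantine DEFAULT only makes sense if that VLAN is actually isolated, otherwise any unlisted MAC simply gets network access.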