Re: Dynamic VLAN-Assignment in a large Network
- From: "Mark Gamache" <mark.gamache@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 9 Jun 2005 11:09:14 -0700
As with all larger IT projects, this comes down to planning and design. You
really need to gather your exact requirements and the capabilities of your
existing gear.
Generally devices that don't support 802.1X should be attached to switch
ports that are statically assigned to VLANs that are highly controlled using
router ACLs or firewalls. Only allow SIP traffic in and out of the VLAN if
it's going to or from the address of a SIP server. Port 9100 only in and out
from the printers to the print servers. This significantly reduces the
value of the port to someone who plugs into it. As for phones and PCs
sharing the same port, your options are entirely based on what the switch
vendor gives you.
Depending on how your trunking and VLANs are configured, you can use
additional sets of IAS servers with different connection policies for
different switches.
Also, remember that if you are using IAS on 2003, you can use regular
expressions. You might use them to parse the MAC addresses and assign those
belonging to VoIP phones to the phone VLAN. This of course is not about
security, but about usability. The VLAN should be ACLed to only pass VoIP
traffic.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/e9a30a60-7f8b-435f-b210-d47c3b7ecb96.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/41f30bc9-b444-46b1-a62a-34b03ef4ee58.mspx
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"Chris Hills" <chills@xxxxxxxxxxxxxx> wrote in message
news:%23Ll8tsObFHA.720@xxxxxxxxxxxxxxxxxxxxxxx
> bt_hirosaito@xxxxxx wrote:
>> Hi Chris,
>>
>> I also thought about a database with some information of the users that
>> each user can be set into the right vlan. But how can this database
>> interact with the IAS ? Where can i set it up ?
>
> Hmm, this is quite a quandary. In an ideal world, you would use group
> membership information to determine the vlan. IAS does not support
> post-authentication hooks. The idea I have in my head is to use an
> additional RADIUS server such as Radiator, which would be reliant on
> Radiator being able to determine the group membership of the credentials
> supplied by the supplicant. I believe this is possible to do using Active
> Directory as the authentication provider.
>
>> Cause we already got such a database where all the credentials of the
>> machines are in. MAC, Device-Label, Owner etc. At the moment we use
>> that for our DHCP-Server. Only devices from this database can get
>> IP-Addresses. It references on the MAC-Address in the Database.
>>
>>
>> Cause my boss wants me to manage that every single employee gets his
>> right VLAN doesn't matter where he connects to the LAN in the whole
>> company.
>>
>> And we got about 50 VLANs only in Erlangen here and many other at the
>> other sites. So it will be very hard to keep the database up to date.
>>
>> IP-Phones and printers etc. are another problem. At most of our
>> workplaces we only got 1 LAN-cable. So the IP-Phone and the PC are
>> connected to the same Switchport. And our Siemens IP-Phones don't
>> support 802.1x yet.
>> So the Phone will only be online when the PC already authenticated
>> successfully...
>
> We use Optipoint phones here. The fact that computers are daisy chained
> off them did not occur to me, and adds an additional difficulty. Our
> switches support 802.1x for multiple devices attached to the same port,
> though how on earth that works with multiple vlans I have no idea.
>
>> Guest-VLAN is also quite critical. Cause if all the printers and
>> devices without dot1x-compatibility are put into this VLAN an intruder
>> will have access to some network components which are needed by these
>> devices. So maybe this is a point where an intrusion might be quite
>> easy to accomplish.
>>
>
> Agreed, however systems based upon mac addresses are inherently insecure
> because of the ease with which mac addresses can be changed. I suppose the
> only way around this is to encourage manufacturers to support 802.1x in
> their devices. Perhaps they could implement simple certificate enrollment
> protocol to help speed the provisioning.
>
>
> --
> Chris Hills
> IT Services
> North East Worcestershire College
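The two mechanisms Mark describes above, as an added example that is not part of the original thread and not IAS or vendor code: a MAC-prefix match (the regular-expression trick on Calling-Station-Id) that returns the RFC 3580 tunnel attributes a RADIUS server hands back to the switch for dynamic VLAN assignment, and a first-match evaluator for the per-VLAN ACL intent (SIP only to/from the SIP server, TCP 9100 only between printers and print servers). The OUIs, VLAN IDs, addresses and the UDP 5060 SIP port are constructed assumptions for the example; real OUIs come from the phone and printer vendor, and RTP media ports are out of scope.

```python
"""Added example (not from the original thread): MAC-prefix VLAN assignment
returning RFC 3580 tunnel attributes, plus a check of the per-VLAN ACL intent
described in the thread.  All OUIs, VLAN IDs and addresses are constructed."""
import re
from ipaddress import ip_address, ip_network

# Hypothetical OUI-to-VLAN table (constructed): regex over a normalized MAC.
# This is a usability aid only; a MAC is trivially spoofed, so the VLAN it
# lands the device in must still be ACLed down to what the device needs.
VLAN_BY_MAC_REGEX = [
    (re.compile(r"^00:01:e3:"), 110),   # assumed phone OUI  -> phone VLAN
    (re.compile(r"^00:00:aa:"), 120),   # assumed printer OUI -> printer VLAN
]
GUEST_VLAN = 999                        # unknown MACs land here


def normalize_mac(calling_station_id):
    """Accept the forms switches put in Calling-Station-Id
    (00-11-22-33-44-55, 0011.2233.4455, 00:11:22:33:44:55) and return
    lowercase colon-separated form, or None if it is not a MAC at all."""
    raw = re.sub(r"[-:.]", "", calling_station_id.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", raw):
        return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def vlan_attributes(calling_station_id):
    """Attributes for the Access-Accept: Tunnel-Type 13 = VLAN,
    Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN ID
    as a string (RFC 3580).  Unknown or malformed MACs get the guest VLAN."""
    mac = normalize_mac(calling_station_id)
    vlan = GUEST_VLAN
    if mac is not None:
        for pattern, vid in VLAN_BY_MAC_REGEX:
            if pattern.match(mac):
                vlan = vid
                break
    return {
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": str(vlan),
    }


# Constructed addressing for the ACL check.
PHONE_VLAN_NET = ip_network("10.110.0.0/24")
PRINTER_VLAN_NET = ip_network("10.120.0.0/24")
SIP_SERVER_NET = ip_network("10.0.0.10/32")
PRINT_SERVERS = ip_network("10.0.1.0/24")
ANY = ip_network("0.0.0.0/0")

# Rules in router order: (action, proto, src_net, src_port, dst_net, dst_port),
# None meaning "any" port.  Anything not matched hits the implicit deny.
# "IN" = traffic leaving the VLAN towards the core, "OUT" = traffic into it.
PHONE_VLAN_IN = [("permit", "udp", PHONE_VLAN_NET, None, SIP_SERVER_NET, 5060)]
PHONE_VLAN_OUT = [("permit", "udp", SIP_SERVER_NET, 5060, PHONE_VLAN_NET, None)]
PRINTER_VLAN_IN = [("permit", "tcp", PRINTER_VLAN_NET, 9100, PRINT_SERVERS, None)]
PRINTER_VLAN_OUT = [("permit", "tcp", PRINT_SERVERS, None, PRINTER_VLAN_NET, 9100)]


def acl_allows(acl, proto, src, sport, dst, dport):
    """First-match evaluation with an implicit deny at the end, which is how
    a router ACL behaves; returns True only if a permit rule matches."""
    s, d = ip_address(src), ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in acl:
        if (rproto in (None, proto) and s in rsrc and d in rdst
                and rsport in (None, sport) and rdport in (None, dport)):
            return action == "permit"
    return False


if __name__ == "__main__":
    print(vlan_attributes("00-01-E3-12-34-56"))
    print(acl_allows(PHONE_VLAN_IN, "udp", "10.110.0.5", 5060, "10.0.0.10", 5060))
    print(acl_allows(PHONE_VLAN_IN, "tcp", "10.110.0.5", 40000, "10.0.0.10", 445))
```

The point of the ACL half is the one Mark makes: a stranger who plugs into a printer port and spoofs a printer MAC ends up on a VLAN from which the only reachable thing is TCP 9100 replies to the print servers, so the port is worth very little to them. On a real router the same intent is an extended ACL applied in both directions on the VLAN interface; the evaluator here is only a way to test that intent against concrete flows before committing the configuration.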