We are currently using a policy specifically created for machines that
have been authenticated to the domain to only allow the required ports
for doing initial authentication for AD. I am using Microsoft IAS/RADIUS
and pointing to the built-in domain computers group (where all machines
that are added to a windows domain get placed). It makes the management
process very easy by not having to manually add machines. The benefit of
this is for users that have never logged into a machine are able to be
authenticated. 
 
Matt Clark

IT Infrastructure Manager
Pinal County Information Technology
Office: 520.866.6650  |  Mobile: 520.705.1575  |  FAX: 520.866.2911
Please take a moment to fill out the survey regarding this inquiry /
experience with our department.
http://pinalcountyaz.gov/Departments/InformationTechnology/Surveys/NetworkInfrastructure-CustomerSurvey.aspx




From: "Lou H. Goddard" <[email protected]>
To:"Enterasys Customer Mailing List" <[email protected]>
Date: 12/16/2011 8:02 AM
Subject: RE: [enterasys] Setting VLAN egress based on AD group
membership
Yup!  Much like a base model sedan compared to one with navi, traction
control, etc...

Before the user logs into the workstation, I suppose the workstation
will have to authenticate with its machine account and get put into a
VLAN that has access to the DC in order to validate the user's logon
credentials.  Or would a deployment like this just have an
unauthenticated VLAN at the edge that only allows the minimum traffic
required for Windows authentication?

Thanks,
Lou Goddard
Network Engineer
302-552-8053
[email protected]

From: "Nispel, Markus" <[email protected]>
Sent: Fri, 12/16/2011 9:51am
To: Enterasys Customer Mailing List <[email protected]>
Subject: RE: [enterasys] Setting VLAN egress based on AD group
membership


That is also true. If you also want some more features like Guest
Access, MAC Registration, end-system tracking, Device Profiling (Type &
OS Detect) etc., then NAC does have advantages vs. a plain RADIUS server.
We use Slackware today and are migrating to Ubuntu.

Regards
Markus 

From: Lou H. Goddard [mailto:[email protected]] 
Sent: Friday, 16 December 2011 15:47
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Setting VLAN egress based on AD group
membership


"our NAC appliance can act as a RADIUS server and map LDAP/AD
attributes back to policies that get dynamically assigned."

If you would like to save some money, FreeRADIUS combined with an OS
such as Linux can perform that task as well for free and you can obtain
support from RedHat for a very small fee.

What OS does the NAC appliance run out of curiosity?



Thanks,
Lou Goddard
Network Engineer
302-552-8053
[email protected]

From: "Nispel, Markus" <[email protected]>
Sent: Thu, 12/15/2011 5:18pm
To: Enterasys Customer Mailing List <[email protected]>
Subject: RE: [enterasys] Setting VLAN egress based on AD group
membership
Ah – then still most of the ideas apply. If you use policy manager then
the roles are automatically distributed to the switches – at the role
tab level you can define the VLAN that should be assigned. This
overrides the PVID setting on the port. You need to turn on
authentication on the port and switch level and also enable RADIUS. All
of this can be done via the port config and device config wizards in
policy manager.

As said, our NAC appliance can act as a RADIUS server and map LDAP/AD
attributes back to policies that get dynamically assigned. They (the
policies) can include VLANs, obviously, to achieve this.

See also
https://cp-enterasys.kb.net/al/12/3/article.aspx?aid=14317&tab=browse&bt=4&r=0.04827732

Does this help more? You can also mail me directly

Regards
Markus

From: [email protected] [mailto:[email protected]] On Behalf Of
VanArtsdalen, Scott
Sent: Thursday, 15 December 2011 22:17
To: Enterasys Customer Mailing List
Subject: Re: [enterasys] Setting VLAN egress based on AD group
membership


Thanks Markus.  I should have been more clear.  We currently use
Netsight.  I am familiar with Policy Manager.  We use policies to set
COS up for phones and for blocking certain services on end user ports. 
I'd like to find a way to do this using Policy Manager.  Also, VLANs are
currently statically set on the edge.  We'd like them to be completely
dynamic based on AD group membership (or the lack thereof.)

On Thu, Dec 15, 2011 at 12:24 PM, Nispel, Markus
<[email protected]> wrote:

Hi Scott

You can use Policy and RADIUS attributes to return that – as part of
the policy you can modify the PVID including the egress as well as the
VLAN egress separately for untagged and tagged traffic (like a dynamic
1Q trunk). You can use the decorated Filter-Id to return the policy or
map RFC 3580 tunnel attributes back as well. What product do you use?

Details can be found in the feature guide for policy:
https://extranet.enterasys.com/downloads/Pages/dms.ashx?download=96274944-52fa-4cc1-9bba-0744d5989703
while it is highly recommended to use the policy manager as part of the
Netsight Suite. For authentication
https://extranet.enterasys.com/downloads/Pages/dms.ashx?download=cf5b6f90-13a1-4253-add1-5d2a7a0cbb23


CLI commands of interest to create the policy phoneFS with pvid 11:

Fixed Switch(rw)->set policy profile 3 name phoneFS pvid-status enable pvid 11 cos-status enable cos 10

Here there are also the options for separate egress control.

RADIUS & authentication turned on and returning as the Filter-Id
"Enterasys:version=1:policy=phoneFS"

Does the job. Turn on auth & RADIUS

System(rw)->set multiauth mode multi
System(rw)->set multiauth port mode force-auth ge.1.5-7

For MAC auth

System(rw)->set macauthentication enable
System(rw)->set macauthentication password enterasys
System(rw)->set macauthentication port enable ge.1.5-7

RADIUS

System(rw)->set radius server 1 10.20.10.01
System(rw)->set radius enable


If you need AD support and RADIUS services then you could also use our
NAC solution for that.

Hope this helps
Markus
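As an added illustration (not code from the thread or from Enterasys), the snippet below models what the RADIUS server side of this setup returns: the decorated Filter-Id string quoted above, and the RFC 3580 tunnel attributes that carry the VLAN. It also covers the machine-account case Matt Clark raises further up the thread, where members of Domain Computers get a restricted policy so that a workstation can reach a DC before any user has logged on. The group DNs, policy names, VLAN numbers and the `host/` identity convention are constructed assumptions; the attribute numbers and the tag-octet layout come from RFC 2865, RFC 2868 and RFC 3580.

```python
"""Added example (not from the mailing-list thread): a minimal model of the
RADIUS reply a server returns to an Enterasys switch to place a session in a
policy/VLAN based on AD group membership.

Assumptions (constructed for illustration): the group DNs, policy names,
VLAN ids and the host/<fqdn> machine-account identity form. Real formats:
the decorated Filter-Id "Enterasys:version=1:policy=<name>" quoted in the
thread, and the RFC 3580 tunnel attributes Tunnel-Type=VLAN(13),
Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-Id=<vlan>, each
carried with an RFC 2868 tag octet.
"""
import struct

# RADIUS attribute type numbers from RFC 2865 / RFC 2868.
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy table: first match wins, ordered most to least privileged.
GROUP_POLICIES = [
    ("CN=Network Engineers,OU=Groups,DC=example,DC=com", "engineer", 20),
    ("CN=Staff,OU=Groups,DC=example,DC=com", "staff", 30),
]
# Machine accounts (Domain Computers) get a policy that only passes what the
# workstation needs to reach a DC, as described in the thread (constructed name).
MACHINE_POLICY = ("domaincomputer", 40)
# Anything authenticated but unmatched lands in a guest policy; the switch's
# own PVID / unauthenticated role covers sessions that never authenticate.
GUEST_POLICY = ("guest", 99)


def choose_policy(identity: str, member_of: list[str]) -> tuple[str, int]:
    """Pick (policy name, vlan) for an authenticated identity.

    Machine accounts authenticate as host/<fqdn>; they are recognised by the
    identity form rather than by group so that a user who happens to be in
    no mapped group cannot be mistaken for a workstation.
    """
    if identity.startswith("host/"):
        return MACHINE_POLICY
    for dn, policy, vlan in GROUP_POLICIES:
        if dn in member_of:
            return policy, vlan
    return GUEST_POLICY


def reply_attributes(identity: str, member_of: list[str]) -> dict[str, str]:
    """The reply attributes in the textual form a FreeRADIUS reply list uses."""
    policy, vlan = choose_policy(identity, member_of)
    return {
        "Filter-Id": f"Enterasys:version=1:policy={policy}",
        "Tunnel-Type": str(TUNNEL_TYPE_VLAN),
        "Tunnel-Medium-Type": str(TUNNEL_MEDIUM_IEEE_802),
        "Tunnel-Private-Group-Id": str(vlan),
    }


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS AVP: Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_reply(identity: str, member_of: list[str], tag: int = 0) -> bytes:
    """Wire encoding of the same reply. Tunnel-Type and Tunnel-Medium-Type
    carry a 1-octet tag followed by a 3-octet value; Tunnel-Private-Group-Id
    carries the tag followed by the VLAN id as a string (RFC 2868)."""
    policy, vlan = choose_policy(identity, member_of)
    tag_byte = bytes([tag])
    return b"".join([
        _avp(FILTER_ID, f"Enterasys:version=1:policy={policy}".encode()),
        _avp(TUNNEL_TYPE, tag_byte + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
        _avp(TUNNEL_MEDIUM_TYPE, tag_byte + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]),
        _avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan).encode()),
    ])


if __name__ == "__main__":
    # Constructed sample: a user in the engineers group, and a workstation.
    print(reply_attributes("lgoddard", [GROUP_POLICIES[0][0]]))
    print(encode_reply("host/ws01.example.com", []).hex())
```

The ordering of GROUP_POLICIES matters: a user in both Staff and Network Engineers should get the more specific role, so the list is walked most-privileged first. Unmatched users fall through to the guest entry rather than to the machine policy, which keeps the DC-reachable VLAN limited to accounts that actually authenticate as computers.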

From: [email protected] [mailto:[email protected]] On Behalf Of
VanArtsdalen, Scott
Sent: Thursday, 15 December 2011 19:26
To: Enterasys Customer Mailing List
Subject: [enterasys] Setting VLAN egress based on AD group membership


Can someone point me to a good resource on setting VLAN egress on a
port based on membership in a given group in Active Directory?  Any
whitepapers out there or a place in one of the manuals I should check?


Michael, you have anything that would help? :-)
--To unsubscribe from enterasys, send email to [email protected] with
the body: unsubscribe enterasys [email protected] 

      ------------------  CONFIDENTIALITY NOTICE  ---------------

  This message, including any attachments, is for the sole use of the
intended recipient(s) and may contain privileged confidential
information
protected by law. Any unauthorized review, use, disclosure or
distribution
of this message is prohibited. If you are not the intended recipient,
please
contact the sender by reply e-mail and destroy all copies of this
message.
