timrenaud0026
4 posts

hey,

In my work network we use MAC address port security on our end switches (workstations connecting to end switches) to prevent unauthorized machines from connecting to the network. We have a team that handles moves, adds, and changes of workstations throughout the building. The problem is they have no knowledge of the switches (how to configure them, etc.). So we created a script that uses SNMP technology (I don't have a complete understanding, but it's using traps and MIBs) to change/update port security on any switch on the network in a very dummy-proof GUI. It works great, but two things... MAC address port security is "old school", and the time it takes to manually update each port with a new MAC ID takes forever (we've had work orders that involved up to 200 workstations), so we're spending 2-3 days making these changes... and that excludes any inaccurate patch runs back to the switches (workstation is not connected to the port that our database says it's on, etc.). All this = inefficient.

So I'm thinking of introducing a RADIUS server to help with this issue. Keep in mind I have limited knowledge of RADIUS technology (which is why I'm here asking questions).

This is my objective(s)/questions:

  1. Have a physical device (mostly workstations, laptops, thin clients) authenticated to the network as soon as it is turned on (I'm thinking a certificate installed onto the machine when the machine is built). The machine would authenticate to the network on boot-up. Once authentication is granted it connects to the network and the user login screen appears. If authentication is not granted, then the switch prevents the connection (either by disabling the port or simply not sending data through that port) and sends an alert to our monitoring stations.

  2. Another issue is custom-built workstations. We normally have an image set up for a specific network and load workstations with that. Some of the techs want to use their own custom images (this goes against company policy)... is it safe to say that if they don't have a way to authenticate to the network itself, they won't be on the wire?

  3. VMware Workstation... these same techs like to use VMware Workstation to install servers and test apps (again, against policy), so how can I ensure that a guest OS installed on VMware Workstation will require RADIUS authentication as well? (VMware has the ability to allow a guest to use the same connection as the host, which leads me to believe that it wouldn't be possible to force authentication.)

  4. Can anyone provide some good websites/books that I can use to continue learning about RADIUS and authentication?

A potential solution I have started working on:

We have a mixed environment of Active Directory and Novell eDir (we will be moving to MS completely within the next 2 years). Accounts are synced between the two so the user still has one account. I thought to use Microsoft Network Policy Server for the RADIUS server and a certificate server as well. The RADIUS and cert servers would work together to produce certs for each workstation. Ideally we would want this as automated as possible...

This is a handful, and I'm not expecting an end solution (all the work done for me). I just need to be pointed in the right direction (if I'm not already in the right direction), so any/all help will be greatly appreciated!! And thanks in advance!!

So any thoughts??

nola
22 posts

Implement sticky mac port security on each of the access switchports. It involves very little configuration.

Grab a range (all 200) of access switchports you want to modify and implement sticky MAC. Sticky MAC will set and lock the first MAC that plugs into the switchport. It's not the safest way, but if you set the sticky MAC limit to 1, you will be OK.

I fail to see how the methods you explained will work and, furthermore, require less administrative effort.
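For reference, this is what nola's suggestion looks like on a Cisco IOS access switch. It is an added example written for this thread, not configuration posted by nola or taken from the original poster's environment; the interface range, VLAN number, recovery interval and the sample MAC address are assumed placeholders.

```cisco
! Added example, not from the thread. Interface names, VLAN, timers and the
! sample MAC address below are assumed placeholders.
!
! --- global configuration ---
! Send an SNMP trap on a port-security violation (feeds the monitoring station).
snmp-server enable traps port-security
! Re-enable ports that were err-disabled by a violation after 5 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- per-port configuration, applied to the whole range in one go ---
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Limit of 1: a second MAC on the port is a violation, so a hub or a
 ! bridged VM behind the workstation is caught.
 switchport port-security maximum 1
 ! Learn the first MAC seen and write it into the running config as a
 ! static entry.
 switchport port-security mac-address sticky
 ! shutdown = err-disable the port and send the trap; 'restrict' would drop
 ! the offending frames and trap without taking the port down.
 switchport port-security violation shutdown
!
! Learned entries appear in the running config as lines like
!   switchport port-security mac-address sticky 0011.2233.4455
! and are lost on reload unless the config is saved:
end
copy running-config startup-config
!
! --- verification (exec mode) ---
show port-security
show port-security address
show port-security interface FastEthernet0/3
!
! --- moving a workstation off a port: clear the old sticky entry so the
!     next machine can be learned, then bounce the port ---
clear port-security sticky interface FastEthernet0/3
configure terminal
interface FastEthernet0/3
 shutdown
 no shutdown
```

The operational cost does not go away with sticky MAC: every move still requires clearing the old sticky entry on the old port (the last section above), which is the same per-port manual step the original poster is trying to eliminate; what it removes is the need to type the MAC in by hand.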

joshlowe
101 posts

The functionality you're looking for is 802.1X port-based authentication. Have a look here for more info: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html

Essentially, your switch will block all traffic (except the traffic needed for authentication) until the user has successfully authenticated with a RADIUS server. Once the user is authenticated the port will allow traffic to flow normally. The authentication can be done by certificate or username and password, including passing the domain credentials (for Active Directory domain-joined computers) through to the RADIUS server automatically. It's the same protocol often used for wireless authentication in enterprise wireless networks.

802.1X is supported natively by almost all major operating systems, including Windows (since 2000 SP3), Mac, and most flavours of *nix.

I'm not sure how it works with VMs though, since technically as soon as someone has been authenticated on the physical port, all traffic is allowed through. It has no way to know what VM the traffic came from. There's probably a work-around for that though.
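The following is an added example of the 802.1X setup joshlowe describes, on a Cisco IOS access switch pointed at a RADIUS server (NPS would be one such server, answering EAP-TLS with the machine certificates the original poster plans to issue). It is written for this thread, not taken from the linked guide or from anyone's production configuration; the RADIUS server address, shared secret, VLAN and interface names are assumed placeholders. It also shows the host-mode setting, which is the part that decides what happens to a VM behind an authenticated port.

```cisco
! Added example, not from the thread. RADIUS server address, shared secret,
! VLAN and interface names are assumed placeholders.
!
! --- global: point the switch at RADIUS and turn on 802.1X ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ExampleSharedSecret
dot1x system-auth-control
!
! --- access ports ---
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 ! auto = the port stays unauthorized (only EAPOL passes) until RADIUS
 ! returns Access-Accept for the supplicant.
 authentication port-control auto
 ! How many MACs one authentication covers decides what a VM can do:
 !   single-host : exactly one MAC; a second MAC (e.g. a bridged VMware
 !                 guest with its own MAC) is a violation
 !   multi-host  : first MAC authenticates, after that any MAC passes
 !                 (the behaviour joshlowe describes)
 !   multi-auth  : every MAC must authenticate on its own, so a bridged
 !                 guest needs its own supplicant and certificate
 authentication host-mode multi-auth
 authentication violation shutdown
 ! Re-authenticate periodically so a revoked certificate eventually
 ! closes the port instead of staying open until the next link flap.
 authentication periodic
 authentication timer reauthenticate 3600
!
! Older IOS (such as the Catalyst 2950 release in the linked guide) uses
! the dot1x form of the per-port commands instead:
!   dot1x port-control auto
!   dot1x multiple-hosts        (equivalent of multi-host)
!
! --- verification (exec mode) ---
show dot1x interface GigabitEthernet1/0/1 details
show authentication sessions interface GigabitEthernet1/0/1
```

Two caveats on the VM question. A VMware Workstation guest in bridged mode puts its own MAC on the wire, so single-host mode blocks it and multi-auth mode forces it through its own 802.1X exchange. A guest in NAT mode sends frames with the host's MAC and shares the host's authenticated session; none of the host modes can tell it apart from the host, so that case has to be controlled on the workstation itself, not on the switch.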

timrenaud0026
4 posts

Josh,

Thanks for the reply... this is exactly what I'm trying to do. It's safe to say I'm on the right track then... I'll check out the site you linked... thanks!
