On 05/01/2014 02:34 PM, m.roth at 5-cent.us wrote:
> <snip>
> Just looked up 802.1x. Having not read the entire Wikipedia
> article, is this an alternative to kerberizing it all?

Well, it's at a different layer. 802.1x requires the client to authenticate to the network, and the backend can then make decisions like which layer 2 VLAN and which layer 3 subnet to put you in, based on your authentication. Kerberos and its ilk can be integrated. Look at packetfence.org to see one use of 802.1x (and other means of using VLANs to isolate, especially when things go south on the workstation security side).

So, if I have a public workstation, say, set up in a lobby, and I need to quickly do some admin tasks, I can log in to the public machine as myself, authenticate properly, and get put (by the switch) on the admin VLAN and do admin things with that access. I then log off, and the network connection I had goes away (the machine gets 'parked' onto an isolated VLAN).

Now, J. Random User comes by and logs in as guest. JRU will get put (again, by the switch) on an isolated VLAN that is firewalled from the rest of the network, and will only have layer 2 and 3 access to what JRU needs. Guest would have a 'timed inactivity automatic logoff', of course.

Now, an intern comes by, and needs to get the todo list I've prepared for tomorrow's work. Intern doesn't need to even see the admin VLAN or any machines there, but if I have an intern VLAN, then authentication with the intern credentials can pop the machine on the intern VLAN.

One machine, three different users needing three different and mutually exclusive network connections.

The mechanics aren't too different from using Wi-Fi connections, really, just on a wired interface. In this case, NetworkManager makes the implementation very easy; you add a connection for each user, and set up the 802.1x stuff in the NM interface (and it can be cryptographically strong authentication; look in the NM dialogs) for each user in that user's account. When that user logs in, that connection for that user comes up.
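The two pieces of configuration behind the "one machine, three users, three VLANs" setup described above, written out as an added example (this is not code from the original message or from the list thread): a per-user NetworkManager 802.1X keyfile on the workstation, restricted with connection.permissions so it only exists for that local user, and the RADIUS reply (RFC 3580 tunnel attributes) that tells the switch which VLAN to put the port on. Everything concrete is an assumption for illustration: EAP-TLS as the method, eth0 as the interface, the user names, the example.com identities, the certificate paths under /etc/pki, the VLAN IDs, and FreeRADIUS `users`-file syntax for the server side (the post does not name a RADIUS server).

```shell
#!/bin/sh
# Added example: per-user NetworkManager 802.1X profiles plus the matching
# RADIUS VLAN replies. User names, paths, VLAN IDs and identities are
# placeholders chosen for this example, not values from the original post.
set -eu

# Emit a NetworkManager keyfile for a wired EAP-TLS connection that only the
# local user $1 can see and activate (connection.permissions), so it comes up
# when that user logs in and is never offered to anyone else on the machine.
#   $1 = local user name   $2 = EAP identity   $3 = label used in the profile id
nm_dot1x_keyfile() {
    user="$1"; identity="$2"; label="$3"
    uuid=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null \
           || echo "00000000-0000-4000-8000-000000000000")
    cat <<EOF
[connection]
id=wired-${label}-dot1x
uuid=${uuid}
type=ethernet
interface-name=eth0
autoconnect=true
permissions=user:${user}:;

[ethernet]

[802-1x]
eap=tls;
identity=${identity}
ca-cert=/etc/pki/tls/certs/corp-ca.pem
client-cert=/etc/pki/dot1x/${user}.crt
private-key=/etc/pki/dot1x/${user}.key
private-key-password-flags=1

[ipv4]
method=auto

[ipv6]
method=auto
EOF
}

# Emit a FreeRADIUS `users` entry (assumed server) that answers a successful
# authentication for identity $1 with the RFC 3580 tunnel attributes; an
# 802.1X-capable switch reads Tunnel-Private-Group-Id and moves the port
# onto VLAN $2 for the lifetime of that session.
radius_vlan_reply() {
    cat <<EOF
$1
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "$2"

EOF
}

# Write the three client profiles and the RADIUS mapping under $1 and print
# that path. On a real host the keyfiles go to
# /etc/NetworkManager/system-connections/ and must be root-owned, mode 0600,
# or NetworkManager ignores them.
write_examples() {
    out="$1"
    mkdir -p "$out/system-connections"
    nm_dot1x_keyfile alice  alice@example.com  admin  > "$out/system-connections/wired-admin-dot1x.nmconnection"
    nm_dot1x_keyfile intern intern@example.com intern > "$out/system-connections/wired-intern-dot1x.nmconnection"
    nm_dot1x_keyfile guest  guest@example.com  guest  > "$out/system-connections/wired-guest-dot1x.nmconnection"
    chmod 0600 "$out"/system-connections/*.nmconnection
    {
        radius_vlan_reply alice@example.com  10    # admin VLAN
        radius_vlan_reply intern@example.com 20    # intern VLAN
        radius_vlan_reply guest@example.com  900   # isolated guest VLAN
    } > "$out/users"
    echo "$out"
}

if [ "${1:-}" = "--demo" ]; then
    write_examples "$(mktemp -d)"
fi
```

Run it with `--demo` to get a scratch directory holding the three `.nmconnection` files and the `users` fragment; the `permissions=` line is what makes the profiles mutually exclusive on the client, and the switch enforces the other half because the VLAN it assigns is tied to the authenticated session, not to the machine.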