[CentOS] Network Access Control (was:Re: Disappearing Network Manager config scripts)

Lamar Owen lowen at pari.edu
Thu May 1 22:06:34 UTC 2014


On 05/01/2014 02:34 PM, m.roth at 5-cent.us wrote:
> <snip> Just looked up 802.1x. Having not read the entire Wikipedia 
> article, is this an alternative to kerberizing it all? 

Well, it's at a different layer.  802.1x requires the client to 
authenticate to the network, and the backend can then make decisions 
like which layer 2 VLAN and which layer 3 subnet to put you in, based on 
your authentication.  Kerberos and ilk can be integrated.

Look at packetfence.org to see one use of 802.1x (and other means of 
using VLANs to isolate, especially when things go south on the 
workstation security side).

So, if I have a public workstation, say, set up in a lobby, and I need 
to quickly do some admin tasks, I can log in to the public machine as 
myself, authenticate properly, and get put (by the switch) on the admin 
VLAN and do admin things with that access.  I then log off, and the 
network connection I had goes away (the machine gets 'parked' onto an 
isolated VLAN).  Now, J. Random User comes by and logs in as guest.  JRU 
will get put (again, by the switch) on an isolated VLAN that is 
firewalled from the rest of the network, and will only have layer 2 and 
3 access to what JRU needs. Guest would have a 'timed inactivity 
automatic logoff' of course. Now, an intern comes by, and needs to get 
the todo list I've prepared for tomorrow's work.  Intern doesn't need to 
even see the admin VLAN or any machines there, but if I have an intern 
VLAN, then authentication with the intern credentials can pop the 
machine on the intern VLAN.

One machine, three different users needing three different and mutually 
exclusive network connections.  The mechanics aren't too different from 
using Wi-Fi connections, really, just on a wired interface.  In this 
case, NetworkManager makes the implementation very easy; you add a 
connection for each user, and set up the 802.1x stuff in the NM 
interface (and it can be cryptographically strong authentication; look 
in the NM dialogs) for each user in that user's account.  When that user 
logs in, that connection for that user comes up.
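As an added illustration, not part of Lamar's message: the backend-to-switch mechanics described above (the switch parks the port in an isolated VLAN, or moves it to the admin, guest or intern VLAN, depending on the authentication result) written out in Python, decoding the RFC 3580 tunnel attributes a RADIUS server returns in an Access-Accept. The parked VLAN number and the sample payload are constructed for the example.

```python
# RADIUS attribute codes (RFC 2868) and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
PARKED_VLAN = 999  # hypothetical isolated "parked" VLAN for ports without a valid authentication

def parse_attributes(payload):
    """Split the attribute part of a RADIUS packet (after the 20-byte header) into (code, value) pairs."""
    attrs, i = [], 0
    while i < len(payload):
        code, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((code, payload[i + 2:i + length]))
        i += length
    return attrs

def vlan_for_port(accepted, payload):
    """VLAN the switch should apply to the port. Anything other than an Access-Accept
    carrying a consistent VLAN attribute triple lands in the parked VLAN (fail closed)."""
    if not accepted:
        return PARKED_VLAN
    by_tag = {}  # the tag byte groups the three attributes that describe one VLAN
    for code, value in parse_attributes(payload):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            # one tag byte followed by a 3-byte big-endian integer
            by_tag.setdefault(value[0], {})[code] = int.from_bytes(value[1:], "big")
        elif code == TUNNEL_PRIVATE_GROUP_ID and value:
            # the first byte is a tag only if it is <= 0x1F; otherwise it is part of the string
            has_tag = value[0] <= 0x1F
            tag, text = (value[0], value[1:]) if has_tag else (0, value)
            by_tag.setdefault(tag, {})[code] = text.decode("ascii", "replace")
    for t in by_tag.values():
        if t.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and t.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802:
            vid = t.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if vid.isdigit() and 1 <= int(vid) <= 4094:
                return int(vid)
    return PARKED_VLAN

def attr(code, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([code, len(value) + 2]) + value

# Constructed Access-Accept payload for the admin login in the post: tag 1, VLAN 10
ADMIN_ACCEPT = (attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
                + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10"))
```

An Access-Reject, an empty payload, or an accept that lacks one of the three attributes all leave the port in the parked VLAN, which is the behaviour you want when the user logs off or a misconfigured backend answers.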
