Developers guide

Chapter 11
Copyright © 2008-2013 Inverse inc.
Technical introduction to VLAN enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are
compatible with one another, but not on the same switch port. This means that you can use the more secure
and modern techniques on your latest switches and another technique on older switches that don't
support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server
that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where
PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method
to bypass and is the one which adapts best to your environment, since it glues into your current VLAN
assignment methodology.
VLAN assignment techniques
Port-security and SNMP
Relies on port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way,
any other MAC address will generate a security violation and a trap will be sent to PacketFence. The system will
authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot
depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP phone leads
to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the
data VLAN, but the PC doesn't renew its DHCP lease (it didn't detect that the link went down), so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has
the most switch vendor support.
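The following is an added, simplified model of the port-security trap flow described above; it is not PacketFence code. The VLAN numbers, the placeholder MAC, the node table and the textual form of the trap are all constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed values: VLAN ids, placeholder MAC and node table are not PacketFence defaults.
REGISTRATION_VLAN, ISOLATION_VLAN, NORMAL_VLAN = 2, 3, 10
PLACEHOLDER_MAC = "02:00:00:00:00:01"   # fake static MAC pre-assigned to every port

# MAC -> registration state and whether an open violation exists (constructed sample data)
NODE_DB = {
    "00:11:22:33:44:55": {"registered": True, "violation": False},
    "aa:bb:cc:dd:ee:ff": {"registered": True, "violation": True},
}

# Hypothetical textual rendering of a port-security violation trap
TRAP_RE = re.compile(r"port-security violation ifIndex=(\d+) mac=([0-9a-f:]{17})", re.I)

@dataclass
class PortAction:
    ifindex: int
    static_mac: str             # MAC to authorize on the port (replaces the placeholder)
    vlan: int
    reachability_warning: bool  # True when a PC behind a phone may keep its old lease

def decide_vlan(mac):
    """Map a MAC to the VLAN the enforcement server would assign."""
    node = NODE_DB.get(mac)
    if node is None or not node["registered"]:
        return REGISTRATION_VLAN      # captive portal for registration
    if node["violation"]:
        return ISOLATION_VLAN         # captive portal for remediation
    return NORMAL_VLAN

def handle_trap(trap_line, port_has_phone=False):
    """Turn one trap line into the port change the server would push, or None."""
    m = TRAP_RE.search(trap_line)
    if not m:
        return None                   # not a violation trap; ignore it
    ifindex, mac = int(m.group(1)), m.group(2).lower()
    if mac == PLACEHOLDER_MAC:
        return None                   # our own placeholder, nothing to authorize
    vlan = decide_vlan(mac)
    # VoIP dilemma: changing the data VLAN behind a phone does not bounce the PC's link,
    # so the PC keeps its old DHCP lease and cannot reach the captive portal.
    warn = port_has_phone and vlan != NORMAL_VLAN
    return PortAction(ifindex, mac, vlan, warn)
```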
Wired: 802.1X + MAC Authentication
802.1X provides port-based authentication, which involves communications between a supplicant,
authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software
on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point,
and the authentication server is generally a RADIUS server.