Just a quick one,
with regards to creating a secure zone/VLAN off of a core network, is it worthwhile, possibly, to implement something useful in terms of authentication on a VLAN utilising 802.1X that isn't going to be messy?
For instance, if we want to create a secure zone or VLAN that hangs off the core switching network and is possibly segregated by a firewall for a set of, say, critical applications.
I've been looking at ways we couldn't implement an environment without having the use of a terminal server on the front of the environment.
802.1X using NPS / NAP may be messy.
If there is a way to utilise this based on domain-level authentication and mapping, that would be useful.
As far as I know, to implement a form of authentication at OSI layer 2 you need to deploy 802.1X.
On 802.1X the only supported authentication method is RADIUS (and maybe local, which is not to be used in production).
However, the RADIUS server can then point to an Active Directory as a way to authenticate the user.
For example, see the following HOWTO guide for the FreeRADIUS server.
Hope to help
Yeah, thanks, this is what I was looking at, but looking at it and reading some tech documents, it comes with some caveats and possibly high network admin overhead.
As mentioned, what is being aimed for is to have a secure zone within our network which is controlled by some form of authentication (looking at the domain-level authentication idea). This secure zone / VLAN can then be used to control who has access to this VLAN, which has these applications / application servers.
These selected users, if part of an AD group, will get access to this isolated VLAN.
It's never been used by me, but I have had some people use it a good few years ago (VLAN / 802.1X) and they said it wasn't really that much use and caused issues, so they ended up scrapping it.
Not really the same thing, but another way I have thought about doing this is by using a firewall which hangs off of our core network. The new firewall will be doing security on a multi-VLAN basis, but also leverages the use of firewall > AD "User identification" to pull down the AD or LDAP groups from domain controllers, and on a per-VLAN basis we can create the relevant security rules / policies which permit a specific AD group or group of users to the applications/servers or services within the VLANs.
The use of a firewall with Active Directory integration for user authentication can be seen as an alternative implementation, but security will be at the inter-VLAN level.
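As an added example (not from this thread or from the FreeRADIUS project docs), this is what the "RADIUS pointing at AD, AD group decides the VLAN" idea from the posts above looks like in FreeRADIUS 3.x unlang: the ldap module reads group membership from AD, and post-auth returns the 802.1X dynamic-VLAN attributes so the switch places the port in the secure-zone VLAN only for group members. The domain, group DN, service account and VLAN IDs are constructed assumptions.

```unlang
# mods-enabled/ldap (fragment): point FreeRADIUS at a domain controller.
# Assumed domain "example.local"; the bind account only needs read access.
ldap {
    server = "dc01.example.local"
    identity = "CN=radius-svc,OU=Service Accounts,DC=example,DC=local"
    password = "<service-account-password placeholder>"
    base_dn = "DC=example,DC=local"
    user {
        base_dn = "${..base_dn}"
        # Match the AD account by sAMAccountName (realm stripped if present)
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=group)"
        # AD exposes membership on the user object, so no group search needed
        membership_attribute = "memberOf"
    }
}

# sites-enabled/default, post-auth section (or inner-tunnel for PEAP):
# runs only after the user has successfully authenticated.
post-auth {
    # LDAP-Group is a virtual attribute populated by the ldap module above.
    if (LDAP-Group == "CN=SecureZone-Users,OU=Groups,DC=example,DC=local") {
        update reply {
            # RFC 3580 attributes the switch uses to assign the port VLAN
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            # Assumed secure-zone VLAN
            Tunnel-Private-Group-Id := "210"
        }
    }
    else {
        # Valid domain users outside the group still authenticate, but land
        # on the ordinary user VLAN, so a missing membership never grants
        # access to the secure zone by accident.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            # Assumed general-purpose VLAN
            Tunnel-Private-Group-Id := "100"
        }
    }
}
```

The switch port must be configured for 802.1X with dynamic VLAN assignment for these attributes to take effect, and a pre-authentication (guest/quarantine) VLAN on the port covers the caveat raised above about devices that cannot run a supplicant.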
Hope to help