Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
961
Views
0
Helpful
4
Replies

Secure VLAN with an authentication mechanism

dmo84
Level 1
Level 1

‎06-12-2019 08:08 AM

HI there, 

 

Just a quick one,

 

with regards to creating a secure zone/VLAN off of a core network, is it worthy, possilbly to implement something useful in terms of authentication on a VLAN utilising 802.1X that isnt going to be messy?

 

For instance if we want to create a secure zone or VLAN that hangs off the core switching network and possibly segregated by a firewall for a set of say critical applications.

 

Iv been looking at ways we couldnt implement an environment without having the use of a terminal server on the front of the environment.

 

802.1X using NPS / NAP may be messy,

 

If there is a way to utilise this based on domain level authentication and mapping that would be useful.

 

 

Labels:
0 Helpful
4 Replies 4

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎06-14-2019 07:15 AM

Hello dmo84,

as far as I know to implement a form of authentication at OSI layer 2 you need to deploy 802.1X.

On 802.1X the only supported authentication methods are radius (and may be local not to be used in production).

 

However, the Radius Server can then point to an Active Directory as a way to authenticate the user.

For example see the following HOWTO guide for freeradius server

 

https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

 

Hope to help

Giuseppe

 

0 Helpful

dmo84
Level 1
Level 1
In response to Giuseppe Larosa

‎06-17-2019 01:25 AM - edited ‎06-17-2019 03:28 PM

Hi,

 

Yeh thanks this is what I was looking at, but looking at it, reading some tech documents it comes with some caveats and possibly high network admin overhead.

 

As mentioned what is being aimed for, is to have a secure zone within our network which is controlled by some form of authentication (looking at the domain level authentication idea) , this secure zone / VLAN can then be used to control who has access to this VLAN which has these applications/ application servers.

 

These selected users if part of an AD group will get access to this isolated VLAN.

 

 

its never been used by me but have had some people use it a good few years ago *VLAN / 802.1x and said it wasnt really thatmuch use and caused issues so they ended up scrapping it.

 

 

0 Helpful

dmo84
Level 1
Level 1
In response to dmo84

‎06-17-2019 05:11 AM - edited ‎06-17-2019 03:36 PM

Not really the same thing, but another way I have thought about doing this, is by using a firewall which hangs off of our core network, the new firewall will be doing security on a multi-VLAN basis, but also levages the use of firewall > AD "User identification" to pull down the AD or LDAP groups from domain controllers, and on a per VLAN basis we can create the relevant security rules/ policies which permit a spefiic AD group or group of users to the applications/servers or services within the vlans

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to dmo84

‎06-17-2019 09:58 AM

Hello dmo84,

the use of a firewall with active directory integration for user authentication can be seen as an alternative implementation but security will be at inter Vlan level.

 

Hope to help

Giuseppe

 

0 Helpful
Customers Also Viewed These Support Documents