 From:  person <blankinvites+m0n0 at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] CAP Portal / VLAN's how to - InterVLAN routing?
 Date:  Tue, 31 Jan 2006 05:22:04 -0500
Ironically here, out to the internet isn't the segment we are trying to
protect.

Locally there are many internal webservers (not patched, containing info you
wouldn't want any outsider to access, etc.), video/media servers, wikis,
shared drives, etc. Given the nature of the offices, there are many
places someone can, and even places people are allowed to, simply plug into
a jack and get internet access (conference rooms/guests, etc.). It is not
uncommon for someone using someone's office to unplug the ethernet cable and
plug it in to their laptop. Aside from better policies to prevent that, I am
looking for a way to allow guests and unrecognized systems access to the
internet but not to internal services. But, at the same time, on this same
segment, there are authorized workstations that need internal access. They
have a certificate server, all machines are Win2000/XP or higher (desktop
machines) and have system certificates installed.

They have 4MB Cisco 2900s, which means IOS 11.x is the highest, but I am pretty
sure that switch DOES do VLAN trunking. It does have AAA functions and
supports dot1q. Is it possible to have the switch authenticate machine
certificates to a RADIUS server? I thought this was out of the realm of a
switch.

Either way, we need to get rid of the linksys boxes.

I will be very happy to fully document the final solution to add to the
docs.

thanks


On 1/30/06, Chris Buechler <cbuechler at gmail dot com> wrote:
> What you're talking about there is actually switching the VLAN the
> user is on.  m0n0wall can't do that, that's a function of the switch.
> What you can do is leave all the "external port" users on that outside
> VLAN, and let users who authenticate successfully out to the Internet.
> Unauthenticated users would be on the same network, but not able to
> go outside of that network.
>
> -Chris