Network Access - Windows 2008 Technologies

  • Question

  • We are looking to see if we can accomplish the following with Windows 2008 NAP or NPS Technologies, I am hoping this is the right forum.

    We are looking for a technology that, based on username/password (possibly a two-form authentication method), would put the end user into a VLAN or a particular network based on this information. Is this possible? If so, what technology do we need to look at to make this happen?
    Thursday, April 9, 2009 2:07 AM

Answers

  • Hi,

    Since you want to control VLANs based on authentication, I think you need to use RADIUS tunnel attributes. This can be accomplished with 802.1X authentication and NPS together with a switch that supports VLAN assignment with RADIUS tunnel attributes. Most mid-level and better switches support this.

    A RADIUS server does two kinds of username/password checking. It will authenticate and authorize. Authentication occurs first and determines *who* is requesting network access. For example, if the user entered the wrong password they would fail authentication. On NPS, authentication rules are called connection request policies.

    Authorization is next and determines the access level of the user or computer. If the computer or user is in an Active Directory group (or perhaps a group created on the switch itself) that is allowed access to VLAN 3, then the port is assigned to VLAN 3. On NPS, authorization rules are called network policies.

    NAP checking occurs at the authorization level and is not concerned with the username/password. It is concerned with the health (configuration or update) status of the client computer. You can use authentication and authorization of the username/password together with NAP to combine identity and health.

    802.1X authentication works with both wired access (switches) and wireless access (wireless access points).

    -Greg
    Thursday, April 16, 2009 7:05 AM
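The two-stage decision Greg describes (connection request policy authenticates, network policy authorizes and returns VLAN tunnel attributes) can be modelled in a few lines. This is an added example, not NPS code or anything from the thread; the user directory, group-to-VLAN policy table and password handling are constructed for illustration, and the attribute encoding follows RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81).

```python
"""Simulate an NPS-style RADIUS decision: authenticate, then authorize into a
VLAN by returning RFC 2868 tunnel attributes in the Access-Accept."""
import struct

# RADIUS attribute numbers and values from RFC 2868
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# Constructed directory: username -> (password, group memberships).
# Plaintext only to keep the example self-contained; a real directory hashes.
USERS = {
    "alice": ("correct-horse", {"Engineering"}),
    "bob": ("battery-staple", {"Guests"}),
    "carol": ("pw", {"Contractors"}),       # matches no policy below
}
# Constructed network policies, evaluated in order like NPS network policies
POLICIES = [("Engineering", 3), ("Guests", 99)]

def tunnel_attr(attr_type, value, tag=1):
    """Encode one tagged tunnel attribute as a RADIUS TLV (type, length, tag, data)."""
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        body = bytes([tag]) + str(value).encode()   # tag followed by string
    else:
        body = bytes([tag]) + struct.pack(">I", value)[1:]  # tag replaces high byte
    return bytes([attr_type, 2 + len(body)]) + body

def authenticate(username, password):
    """Connection request policy stage: establishes *who* is asking."""
    rec = USERS.get(username)
    return rec is not None and rec[0] == password

def authorize(username):
    """Network policy stage: first matching group wins; None = no policy matched."""
    for group, vlan in POLICIES:
        if group in USERS[username][1]:
            return vlan
    return None

def access_request(username, password):
    """Return ('Access-Accept', attribute bytes) or ('Access-Reject', b'')."""
    if not authenticate(username, password):
        return "Access-Reject", b""          # wrong password: fails authentication
    vlan = authorize(username)
    if vlan is None:
        return "Access-Reject", b""          # authenticated but no VLAN policy applies
    attrs = (tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
             + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, vlan))
    return "Access-Accept", attrs
```

The switch reads the three attributes from the Access-Accept and moves the 802.1X port into the named VLAN; NAP health checks would slot into the authorize step alongside the group lookup.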