Realizing the same device access control of BLUE for GREEN


I would like to have the same client control of BLUE devices for the GREEN network.
Usually anybody can plug in a network device at GREEN and have access to the network. I want to stop that.

Any suggestions how to do that? Atm my DHCP assigns unknown devices to a subnet that is actually blocked, but nothing keeps you from manually changing your client's IP to a subnet that is allowed to communicate with the network, so that restriction is just a joke. I need to change that, but I think there is no way to do that because every network switch will cross the plan? At least I would like to get control over the GREEN network communication to the firewall and other networks.

Thanks in advance.


Dynamic VLAN assignment based on 802.1X.

Hm ok, my larger switches can do that, but I have some smaller desktop unmanaged switches that don’t support 802.1X, so this will not work, I think. Also it looks like our new 10G desktop switches Netgear GS800 Nighthawk SX10 don’t support it, but I can’t believe that.

Also I don’t have a RADIUS server and never worked with FreeRADIUS before. Is there a howto in combination with IPFire? Also I will need a CA, which I don’t have either.
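As an added illustration of the dynamic VLAN assignment suggested above (not taken from this thread or from the IPFire project), these are FreeRADIUS 3 `users` file entries (raddb/mods-config/files/authorize) that tell a switch which VLAN to place a port in; the usernames, password, MAC address and VLAN IDs are constructed placeholders.

```text
# FreeRADIUS 3 "users" file (raddb/mods-config/files/authorize).
# All names, credentials, MACs and VLAN IDs below are constructed placeholders.

# An 802.1X supplicant (a PC with a user certificate or password) allowed into
# GREEN. The three Tunnel-* attributes (RFC 3580) in the Access-Accept tell the
# switch which VLAN the port is moved to after a successful authentication.
alice   Cleartext-Password := "example-only-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# A device that cannot speak 802.1X (printer, IoT box) authenticated by its MAC
# address (MAC authentication bypass): the switch sends the MAC as both
# User-Name and User-Password. The MAC format (aabbccddeeff, aa-bb-cc-..., or
# aa:bb:cc:...) is vendor specific and must match what the switch actually sends.
"aa-bb-cc-dd-ee-01"  Cleartext-Password := "aa-bb-cc-dd-ee-01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Anything not listed above is rejected, so the port stays unauthorized and the
# device gets no VLAN at all. Use only one of the two DEFAULT entries.
DEFAULT Auth-Type := Reject

# Alternative DEFAULT: accept unknown devices but land them in the isolated
# BLUE VLAN (constructed ID 20), the switch-enforced equivalent of the
# "unknown devices get a blocked subnet" DHCP trick.
#DEFAULT Auth-Type := Accept
#        Tunnel-Type = VLAN,
#        Tunnel-Medium-Type = IEEE-802,
#        Tunnel-Private-Group-Id = "20"
```

Enforcement happens on the managed switch port that receives the Access-Accept, so devices hanging off an unmanaged desktop switch all appear on that one port and are handled according to the port's host mode, which is vendor specific.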

So switch to VLANs entirely and manage them.
If it’s not declared as a Green VLAN, the port is to be considered linked to the Blue network.

This will require a full client configuration on the switch, right? Isn’t that just MAC address related? And will it be enough to do that at the switch that is directly connected to the firewall?

Basic requirement: all switches should be VLAN capable (if present, APs being VLAN compliant could also be a nice plus), and before doing any major changes to the infrastructure, I suggest taking some time to test it in a small environment to avoid major issues.
Once you have mastered the organization, I strongly suggest having full knowledge of “what’s connected on that port” for every device of your network.
If you doubt whether a device is VLAN capable, the best answer is in the tech specs and user manual.

I’ll have a look at the switch configuration later. At least it should be dynamic VLAN and not static VLAN, which is just port based and not client/device based.

But am I right: the client/device database has to be created on every switch with its allowed, connected devices?

In my opinion yes - I only know that if all your switches are the same model/manufacturer you can create a group/manage them from a web center (but that’s not supported by every manufacturer).

This will be fine. Maybe some more workload, but at least I can control the access to the switches and send unauthorized devices into nirvana.

Most of all depends on the capabilities and features of your network equipment. Dynamic or static, that is.
IMVHO even in static management (and locked racks), adding a port to “green” is done only for new devices or when moving people through the office.