
I'm using NIS to manage users on a Redhat 6.6 closed network. We use multiple VLANs in the closed network. Is it possible to assign privileges or somehow permit specific users to utilize a VLAN while keeping other users off that specific VLAN? Does anyone know if that's possible in normal Redhat user administration? Or does that type of restriction take place only within the network switches?

We are using VLANs to isolate networks successfully. I'm asking the question above specifically to see if it's beneficial to add a specific VLAN to local workstations, which already use the general VLAN for user access to the network. Otherwise, I allow users access to a specific machine which has access to the general VLAN and a specific VLAN.

Rui F Ribeiro
Gene Brotherton
  • Instead of doing it by VLAN you could try to use firewall rules to filter network access by a process's UID. Both approaches are vulnerable to people who have root on their own machines. – Bratchley Jan 05 '17 at 14:48
  • You can use network switches to filter a user's network card MAC address based on VLAN. Can your network switches support RADIUS authentication? Each user should have their own machine to log in to, not a shared machine. – supriady Jan 05 '17 at 15:22
  • @supriady thanks for the comment. We have 3 times as many people as we do workstations, so one machine per person doesn't work for our business model. – Gene Brotherton Jan 05 '17 at 16:03

1 Answer


It is indeed possible to associate particular users with a specific VLAN as you ask.

It can be done, however, via RADIUS and not NIS. The technology can be applied to cabled or wireless networks where the equipment supports VLANs and 802.1X.

We are here using FreeRadius 3.0.12 in Debian Jessie and 3.1.x in Stretch, with a Cisco cabled infrastructure and Meru wifi, and it works pretty well, authenticating well above 2k users per day.

We connect our FreeRadius servers to our AD to authenticate our users. It can also talk with an LDAP server, or have static users defined. If you are using LDAP to authenticate your users, you can pretty much use/extend the LDAP schema to accommodate for your RADIUS needs.

FreeRadius assigns at least 3 different VLANs in our eduroam SSID, depending on different user profiles/AD groups.

At home, my TP-LINK AP with OpenWrt also supposedly supports 802.1X; I have it on my to-do list.

As for the client side, 802.1X supplicants are pretty well supported by any modern operating system.

However, the learning curve for implementing such an infrastructure is a bit steep, but with time it all makes sense.

I would also point out that the VLAN assignment restriction is done at port/virtual port level, and it affects the devices the users are using.

Rui F Ribeiro
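The RADIUS reply attributes that tell an 802.1X-capable switch or AP which VLAN to place the authenticated port in, shown as a FreeRADIUS 3.0 `users` file fragment. This is an added example, not the answerer's configuration or FreeRADIUS project documentation; the file path, LDAP group names and VLAN IDs are placeholders, and the `LDAP-Group` check assumes the `ldap` module is listed in the `authorize` section so that group membership is looked up for each request.

```text
# /etc/freeradius/3.0/users  (Debian path; assumed for this example)
#
# Dynamic VLAN assignment by directory group. The three Tunnel-* reply
# attributes are the standard (RFC 3580) way to hand a VLAN to the NAS:
#   Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6),
#   Tunnel-Private-Group-Id = VLAN ID as a string.
# Group names and VLAN IDs below are placeholders.

# Engineering staff land on the restricted engineering VLAN.
DEFAULT  LDAP-Group == "net-engineering"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "120",
         Fall-Through = No

# Everyone else in the general-access group gets the general VLAN.
DEFAULT  LDAP-Group == "net-staff"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "100",
         Fall-Through = No

# An account that authenticates but matches no group above is rejected
# outright, rather than silently landing on the port's default VLAN.
DEFAULT  Auth-Type := Reject
         Reply-Message = "No VLAN assignment for this account"
```

With 802.1X the user is authenticated inside an EAP tunnel, so the inner-tunnel virtual server must be allowed to copy these reply attributes to the outer reply (`use_tunneled_reply` in the PEAP/TTLS sections of FreeRADIUS 3.0.x), and the switch port must be configured to accept AAA-assigned VLANs. As the answer points out, the VLAN is applied to the port, so on a shared workstation the whole machine follows whichever user authenticated it.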