802.1x change your passwords based on AD credintals

[dlots]

I am not sure if I ever put this up over on networking-forum or not so I figured I would put it up here.  I put this together a few years ago.
802.1x, one of the most evil protocols by default ever for anyone dealing with the PC.  With no one authenticating on it the port is shut down, so no windows updates over night, no PXE boot, and no one can RDP in to help, this horror is what my ex-boss wanted me to implement.

What I gave him was a setup that would change the vlan based on the user's AD credentials, and if no one was logged in it would dump the PC into a "guest vlan" where you could still have access to all that "get the computer up and running" stuff, and also have radius able to recognize devices by their mac address and move them to the proper vlan (so you make a user of a printer's MAC address and assign that user to the PRINTERS group and you can move that printer anywhere you want and it ends up on the same vlan).  It was a really really cool setup.

Anyway I thought I would post the documentation here in-case someone wanted it.
http://dhimes.com/Files/802.1x%20demo%20clean.zip

[wintermute000]

out of curiosity, why the bit about not putting it up in ye olde place'?


But yeah PITA, when it works its pretty impressive though. I've only seen it live and 4 real in one joint which was associated with voting, so they had compliance mandates up the wazoo. (we're not the US, so we take voting security fairly seriously .... ZING)

[deanwebb]

Zing accepted. 

But, yes, you gotta have a remediation/critical VLAN when you have any full-enforcement NAC solution in place.

[dlots]

That was to say that I didn't know if I had never posted it anywhere where people could find it.  When I was doing this originally I couldn't find any documentation on it, so I think putting it out where people can find it would be great, but if I had put it up I didn't want to be seen as a spammer... SPAMMMM!!!!