Author Topic: easy interface Nac / UnNac  (Read 2748 times)

nide

easy interface Nac / UnNac
« on: February 11, 2013, 10:36:40 AM »
Hello Everybody,

I am relatively new to Nedi but like it. Thanks for that great job.

I have already searched the forums about my question but it seems like there is no answer to my question.

A company I work for must often disable/re-enable dot1x configs on interfaces.

It would be very nice to have that feature in nedi directly (in the interface list it would be the best).

I'm not bad at Perl programming, but before beginning something, I would like to have some feedback:
- is it useful for others?
- where and how could this be implemented?
- other?


Thanks

Nicolas

rickli

Re: easy interface Nac / UnNac
« Reply #1 on: February 11, 2013, 10:43:20 PM »
You're welcome :) What do you mean by configs? Re-authenticate clients or actually change the port configuration? Most of the dot1x stuff like assigning vlans or ACLs can be done dynamically via Radius...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

sjobergh

Re: easy interface Nac / UnNac
« Reply #2 on: February 17, 2013, 02:31:23 AM »
I agree with this suggestion; a simple way to "lift" .1x config from an interface and then "reapply" it after some time would be great.
Even greater would be if we could "lift" .1x for a given amount of time, like 3 hrs, and then it would automatically be reinstated again.

Why is this interesting?

Example: today many companies implement .1x, and with .1x they get problems with centralized desktop management tools. Before .1x the user could press a function key in/before the boot sequence and ask for a new image to be installed on the PC; that doesn't work if your PC is connected to a .1x-enabled port. The user has to call helpdesk and ask them for reconfiguration; helpdesk isn't allowed/doesn't have the skills to do that, so they have to send the request to level 2 or sometimes even level 3 support. This takes time and the user gets frustrated.

If there was a simple way to "lift" .1x from an interface, so easy that first line/helpdesk could do it, it would be fantastic.

I have come across several big companies that struggle with this problem.

/swepart   

nide

Re: easy interface Nac / UnNac
« Reply #3 on: February 18, 2013, 03:21:25 PM »
Hello,

Remo, thx for the idea of doing the change directly in the radius.

But here the product chosen as the radius server is Cisco ACS and afaik, it's not trivial, even not possible to have a quick and easy way to modify a port configuration. And clearly not for level [12] support.

Sjobergh, yeah, I'm not alone ;)

Nicolas

rickli

Re: easy interface Nac / UnNac
« Reply #4 on: February 18, 2013, 05:47:56 PM »
Ok, I see (I'm not in operations anymore, thus rely heavily on such feedback ;)

As mentioned earlier, I want to focus on Devices-Write and the whole interaction for the 1.0.9 cycle. This would fit well and could be covered with a general "framework" to send CLI commands to devices...

So, let me get oh8 out of the way first...
-Remo