onraglanroad 2 hours ago

Probably a RADIUS server setup.

Basically staff machines get a certificate to present to the server and the server controls the network.

So, if your machine does nothing, it's on the guest vlan and has limited access. If it presents a valid certificate that network port is reassigned to the staff vlan and you get full access.

If someone leaves, you just revoke the certificate and they have guest access again.

Not rocket science once you know it :)
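The flow described above (valid staff certificate → staff VLAN; no certificate, expired or revoked certificate → guest VLAN) as an added example, not code from the original comment: a model of the RADIUS server's decision for an 802.1X EAP-TLS client, using a throwaway CA built in-process. The VLAN IDs, CA name and serial numbers are constructed; the RFC 3580 tunnel attributes are what a real server would put in the Access-Accept.

```python
"""Model of a RADIUS server's 802.1X (EAP-TLS) VLAN decision. Constructed PKI and VLAN IDs."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

GUEST_VLAN, STAFF_VLAN = "100", "200"  # constructed VLAN IDs

def _now():
    return datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, matches cert fields

def _issue(cn, issuer, issuer_key, pubkey, serial, not_after, ca=False):
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer).public_key(pubkey).serial_number(serial)
            .not_valid_before(not_after - timedelta(days=365)).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_ca():
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Corp Staff CA")])  # constructed
    return key, _issue("Corp Staff CA", name, key, key.public_key(), 1,
                       _now() + timedelta(days=3650), ca=True)

def issue_client(ca_key, ca_cert, cn, serial, days_left=300):
    key = ec.generate_private_key(ec.SECP256R1())  # the staff machine's key
    return _issue(cn, ca_cert.subject, ca_key, key.public_key(), serial,
                  _now() + timedelta(days=days_left))

def vlan_attrs(vlan_id):
    # RFC 3580 tunnel attributes the switch reads from the Access-Accept
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan_id}

def assign_vlan(ca_cert, revoked_serials, client_cert):
    """No cert, wrong issuer, bad signature, expired or revoked -> guest; otherwise staff."""
    if client_cert is None or client_cert.issuer != ca_cert.subject:
        return vlan_attrs(GUEST_VLAN)
    try:  # the signature over the TBS bytes must verify with our CA's public key
        ca_cert.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                    ec.ECDSA(client_cert.signature_hash_algorithm))
    except Exception:
        return vlan_attrs(GUEST_VLAN)
    if not (client_cert.not_valid_before <= _now() <= client_cert.not_valid_after):
        return vlan_attrs(GUEST_VLAN)
    if client_cert.serial_number in revoked_serials:  # the "someone leaves" case
        return vlan_attrs(GUEST_VLAN)
    return vlan_attrs(STAFF_VLAN)
```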

lokar an hour ago

Still better to do that same thing (cert based auth) at the application layer instead of the network layer.

EvanAnderson an hour ago

That's great when you have control of your applications. For most corporate IT you're stuck with COTS applications and whatever their built-in auth functionality is. Sure, you can probably bolt a reverse proxy in front (if you're lucky enough for it to be a web app and not a thick native code client) but you get to argue with the vendor when they refuse support because you're not using their recommended configuration.

802.1x certificate-based authentication at layer 2 is a good defense in depth strategy.

lokar 28 minutes ago

Use envoy or some other reverse proxy and do per-app auth there

onraglanroad an hour ago

Yes, you can do it by MAC address instead but that can be changed so you can spoof a legitimate device.

Edit: oh wait, you mean have the applications check the certificate? Yes, but then you need support from the application. Does your printer do that, for example? You need to make sure everything does. You can of course do both.

lokar 27 minutes ago

Reverse proxy