netreg-devel: Hello...

Gabriel L. Somlo somlo at cmu.edu
Tue Jan 17 15:10:14 EST 2012


On Tue, Jan 17, 2012 at 02:08:33PM -0500, Frank Sweetser wrote:
> 
> The github wiki is the one I was referring to.  You can add the features to
> the main page, and if you'd like to expand on them, also add in separate
> feature-specific pages, like I did with IPv6.

Speaking of that, I added a couple of bullets under DNSSec -- feel
free to delete or modify if you disagree :)

Also, there's a QuickReg related section under the IPv6 Support page,
and what follows is me thinking out loud (well, in writing) rather
than something I'd write down in a wiki, at least for now...

At some point in the past I was wondering whether QuickReg is just a
very early and roundabout way to implement what 802.1X does (well, the
MAC address bypass version of 802.1X, at least).

One could configure switches to query a Radius server with the
username and password set to the MAC address of the connecting device.
Radius could then respond with a set of attributes, which include the
VLAN on which the device should be placed if the MAC address is found
in some database, or a default if that fails.

This could replace DHCP shared subnet trickery with hardware-enforced
VLAN separation, with the potential for better auth methods to be
bolted on later (i.e., real .1X). You'd acquire a Radius server in
exchange for a simplified dhcp configuration.

The nice thing about Radius (at least FreeRadius) is that you can
use PERL as an auth plugin to query a database (like, say, NetReg) in
real time.

I've actually tested this successfully in the lab, and could share the
(short) perl script and radius config snippets, in case there's any
interest.


Regards,
--Gabriel
------------------------------------
Gabriel L. Somlo, Ph.D.
Director of Computing Services
Information Networking Institute
Carnegie Mellon University
4616 Henry St., Pittsburgh, PA 15213
+1.412.268.9310      www.ini.cmu.edu
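
The RADIUS-side lookup described in this message could be written as follows for FreeRADIUS's rlm_perl module. This is an added example, not the script Gabriel tested and not NetReg code; the `%REGISTERED` table (standing in for a NetReg database query), the VLAN numbers and the `MAB_DEMO` environment switch are assumptions.

```perl
#!/usr/bin/perl
# Added example: MAC-auth-bypass lookup shaped as an rlm_perl authorize() hook.
use strict;
use warnings;

our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);   # filled by rlm_perl per request
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2 };  # rlm_perl codes

my $DEFAULT_VLAN = 999;          # assumed VLAN for unregistered devices
my %REGISTERED = (               # constructed sample data: MAC => VLAN
    '001122334455' => 10,
    'a0b1c2d3e4f5' => 20,
);

# Switches send the MAC in differing formats (00:11:22:..., 0011.2233.4455,
# 00-11-22-...). Reduce to 12 lowercase hex digits, or undef if malformed.
sub normalize_mac {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $mac = lc $raw) =~ s/[:.\-]//g;
    return $mac =~ /\A[0-9a-f]{12}\z/ ? $mac : undef;
}

sub authorize {
    my $mac = normalize_mac($RAD_REQUEST{'User-Name'});
    return RLM_MODULE_REJECT unless defined $mac;   # User-Name is not a MAC

    # Registered MAC gets its VLAN; anything else falls back to the default.
    my $vlan = $REGISTERED{$mac} // $DEFAULT_VLAN;

    # The switch sends the MAC as the password too, so expect exactly that.
    $RAD_CHECK{'Cleartext-Password'} = $RAD_REQUEST{'User-Name'};

    # RFC 3580 attributes that tell the switch which VLAN to assign.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    return RLM_MODULE_OK;
}

# Stand-alone demo with constructed requests; run with MAB_DEMO=1.
if ($ENV{MAB_DEMO}) {
    for my $user ('00:11:22:33:44:55', '0011.2233.4466', 'alice') {
        %RAD_REQUEST = ('User-Name' => $user);
        %RAD_REPLY   = ();
        my $rc = authorize();
        printf "%-18s rc=%d vlan=%s\n", $user, $rc,
            $RAD_REPLY{'Tunnel-Private-Group-Id'} // '-';
    }
}
```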

