https://community.cisco.com/t5/network-access-control/authenticating-machines-using-user-pass-mac-ip-or-active/m-p/3336484#M546100 <P>Thank you for confirming this it is possible to do it using radius.</P> <P>Now, I can go ahead with worrying if it is realizable.</P> <P>I'm so exited to test this solution.</P> <P>Kind regards.</P> Fri, 23 Feb 2018 09:15:33 GMT a.m 2018-02-23T09:15:33Z https://community.cisco.com/t5/network-access-control/authenticating-machines-using-user-pass-mac-ip-or-active/m-p/3336280#M546098 <P>Hello,<BR /><BR />I'm a beginner, I'm working on Cisco switch 2960s, and I need some advice about authentication methods to access the LAN (and not the switch).<BR /><BR />I have a set of vlans that can be divided into two subset according to the authentication methods.<BR /><BR />In the First vlan subset, I want to authorize only the AD domain members to access the LAN. My objective isn't to get the user-name and the password from the user, but to be sure that the machines belong to the domain. <BR />I want to prevent users from connecting their own machines to the LAN, or to fool the switch using cloned MAC addresses of existing machines. We are against BYOD here X) <BR /><BR /><BR />In the second vlan subset, I want to authenticate machines that are not members of AD domain, and to be sure that the users won't able to connect new machines.<BR />I thought about combining&nbsp; the following elements:<BR />1-Username<BR />2-Password<BR />3-MAC address<BR />4-Ip address ( If possible)<BR /><BR />With this combination, I can be sure that the user will have only one machines connected, but the user will be able to replace the machine without my authorization.<BR /><BR />Is that realizable with 2960s switches ? If not what can I do to get closer to those objectives ?<BR /><BR />I have seen some articles about TACACS+ and RADIUS but I'm not very sure that if I can express this constraint using those protocols.<BR /><BR />Regards.</P> Fri, 21 Feb 2020 18:46:29 GMT https://community.cisco.com/t5/network-access-control/authenticating-machines-using-user-pass-mac-ip-or-active/m-p/3336280#M546098 a.m 2020-02-21T18:46:29Z https://community.cisco.com/t5/network-access-control/authenticating-machines-using-user-pass-mac-ip-or-active/m-p/3336289#M546099 <P>You'll be wanting to use wired 802.1x.&nbsp; This authenticates using RADIUS.&nbsp; You can use a basic RADIUS server like NPS (Network Policy Server) on your AD controller or Cisco ISE.</P> <P>&nbsp;</P> <P>There is quite a bit of work involved to get all of this going.&nbsp; I wouldn't take this on if you are a beginner at Cisco networking.&nbsp; I would get someone in to help you.</P> <P>&nbsp;</P> <P>Otherwise, start reading this guide:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html" target="_self">https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html</A></P> Thu, 22 Feb 2018 22:51:56 GMT https://community.cisco.com/t5/network-access-control/authenticating-machines-using-user-pass-mac-ip-or-active/m-p/3336289#M546099 Philip D'Ath 2018-02-22T22:51:56Z https://community.cisco.com/t5/network-access-control/authenticating-machines-using-user-pass-mac-ip-or-active/m-p/3336484#M546100 <P>Thank you for confirming this it is possible to do it using radius.</P> <P>Now, I can go ahead with worrying if it is realizable.</P> <P>I'm so exited to test this solution.</P> <P>Kind regards.</P> Fri, 23 Feb 2018 09:15:33 GMT https://community.cisco.com/t5/network-access-control/authenticating-machines-using-user-pass-mac-ip-or-active/m-p/3336484#M546100 a.m 2018-02-23T09:15:33Z