02-22-2018 02:32 PM - edited 02-21-2020 10:46 AM
Hello,
I'm a beginner, I'm working on a Cisco 2960S switch, and I need some advice about authentication methods for accessing the LAN (and not the switch).
I have a set of VLANs that can be divided into two subsets according to the authentication method.
In the first VLAN subset, I want to authorize only AD domain members to access the LAN. My objective isn't to get the username and the password from the user, but to be sure that the machines belong to the domain.
I want to prevent users from connecting their own machines to the LAN, or from fooling the switch using cloned MAC addresses of existing machines. We are against BYOD here X)
In the second VLAN subset, I want to authenticate machines that are not members of the AD domain, and to be sure that the users won't be able to connect new machines.
I thought about combining the following elements:
1-Username
2-Password
3-MAC address
4-IP address (if possible)
With this combination, I can be sure that the user will have only one machine connected, but the user will be able to replace the machine without my authorization.
Is that realizable with 2960S switches? If not, what can I do to get closer to those objectives?
I have seen some articles about TACACS+ and RADIUS, but I'm not sure whether I can express this constraint using those protocols.
Regards.
02-22-2018 02:51 PM
You'll be wanting to use wired 802.1x. This authenticates using RADIUS. You can use a basic RADIUS server like NPS (Network Policy Server) on your AD controller or Cisco ISE.
There is quite a bit of work involved to get all of this going. I wouldn't take this on if you are a beginner at Cisco networking. I would get someone in to help you.
Otherwise, start reading this guide:
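A minimal 2960S access-port configuration for the wired 802.1X / RADIUS setup recommended above, added here as an illustration (not from the original reply or from Cisco documentation); the RADIUS server address 192.0.2.10, the shared-secret placeholder, VLAN 10 and interface GigabitEthernet1/0/1 are assumed values.

```cisco
! --- Added example: 2960S port authenticating hosts via 802.1X against an NPS RADIUS server ---
! Assumed values: RADIUS server 192.0.2.10, VLAN 10 for domain machines, port Gi1/0/1.
! The "radius server" block needs a 15.2(2)E or later image; older images use "radius-server host".
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server NPS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Enables 802.1X globally; without this the interface settings below do nothing.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description domain-member workstation
 switchport mode access
 switchport access vlan 10
 ! single-host: only one MAC may use the port after a successful authentication,
 ! so a second device (or a hub) behind the authenticated machine is rejected.
 authentication host-mode single-host
 ! auto: the port drops everything except EAPOL until RADIUS returns Access-Accept.
 authentication port-control auto
 ! restrict: log and drop traffic from an unexpected MAC instead of err-disabling the port.
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! On the NPS side, the matching network policy should require machine authentication
! (an EAP-TLS computer certificate, or membership in Domain Computers), so that a
! personal laptop with a cloned MAC still fails: the MAC address is never what 802.1X verifies.
```

Verify a port with `show authentication sessions interface GigabitEthernet1/0/1` and the RADIUS exchange with `debug radius authentication` during a test logon.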
02-23-2018 01:15 AM
Thank you for confirming that it is possible to do it using RADIUS.
Now I can go ahead with worrying about whether it is realizable.
I'm so excited to test this solution.
Kind regards.