
Authenticating machines using {USER PASS MAC [IP]} or Active Directory

Hello,

I'm a beginner working on Cisco 2960S switches, and I need some advice about authentication methods for access to the LAN (not to the switch itself).

I have a set of VLANs that can be divided into two subsets according to the authentication method.

In the first VLAN subset, I want to authorize only AD domain members to access the LAN. My objective isn't to get the username and password from the user, but to be sure that the machines belong to the domain.
I want to prevent users from connecting their own machines to the LAN, or from fooling the switch using cloned MAC addresses of existing machines. We are against BYOD here X)


In the second VLAN subset, I want to authenticate machines that are not members of the AD domain, and to be sure that users won't be able to connect new machines.
I thought about combining the following elements:
1- Username
2- Password
3- MAC address
4- IP address (if possible)

With this combination, I can be sure that the user will have only one machine connected, but the user will not be able to replace the machine without my authorization.

Is that realizable with 2960S switches? If not, what can I do to get closer to those objectives?

I have seen some articles about TACACS+ and RADIUS, but I'm not very sure if I can express this constraint using those protocols.

Regards.

1 ACCEPTED SOLUTION

Advisor

You'll be wanting to use wired 802.1x. This authenticates using RADIUS. You can use a basic RADIUS server like NPS (Network Policy Server) on your AD controller or Cisco ISE.

There is quite a bit of work involved to get all of this going. I wouldn't take this on if you are a beginner at Cisco networking. I would get someone in to help you.

Otherwise, start reading this guide:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

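To make the accepted answer concrete, here is a minimal wired 802.1X configuration for a Catalyst 2960S that hands authentication to a RADIUS server such as NPS or ISE. This is an added example, not configuration from the post, the answerer, or the linked Cisco guide. The RADIUS server address 192.0.2.10, the server name NPS1, the interface range, VLAN 10 and the shared-secret placeholder are all assumptions chosen for illustration.

```ios
! Added example (not from the post or the Cisco guide). Assumed values:
! RADIUS/NPS server 192.0.2.10, placeholder shared secret, access ports
! Gi1/0/1-24 in VLAN 10.
!
! Global AAA: send 802.1X authentication, authorization and accounting to RADIUS
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Enable the 802.1X authenticator globally. Ports stay closed until a
! supplicant passes RADIUS, so presenting a cloned MAC address alone gets
! no access.
dot1x system-auth-control
!
! RADIUS server definition (IOS 15.x "radius server" form; older releases
! use "radius-server host 192.0.2.10 key <secret>" instead)
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Access ports: exactly one authenticated host per port, periodic
! re-authentication on the interval the RADIUS server returns, and a second
! MAC appearing on an authenticated port is dropped (and logged) rather
! than admitted
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification after a client connects
! show dot1x all
! show authentication sessions interface GigabitEthernet1/0/1
```

The switch side is the same for both VLAN subsets in the question; what differs is the credential the RADIUS server expects. For the domain-member subset, the Windows supplicant is set to computer (machine) authentication and the NPS or ISE policy matches the computer account or a computer certificate (EAP-TLS), so no user enters a password and a non-domain laptop has nothing to present. For the non-domain subset, each permitted machine gets its own credential on the RADIUS server (a per-machine username/password over PEAP, or an issued certificate), which the user cannot transfer to a new machine without your involvement. A MAC address should not be the credential, for the reason the question already gives: it can be cloned. The "one machine per port" constraint comes from `authentication host-mode single-host`; binding a host to an IP address is a separate feature on this platform (DHCP snooping with IP Source Guard) and is not part of 802.1X.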
2 REPLIES

Thank you for confirming that it is possible to do it using RADIUS.

Now, I can go ahead with worrying if it is realizable.

I'm so excited to test this solution.

Kind regards.