
MAC address port security with RADIUS server

sercotomm
Level 1

I'm just looking for some clarification here - as far as I know Cisco doesn't support what I want to do (although you can do it on other switches like Foundry's) but I'm still unsure and hopefully somebody here can give me a definite answer.

What I'd like to do is MAC address based port security, where only known MAC addresses are allowed access to the network, but using a central RADIUS server to store the list of MAC addresses, not the local switch.

As far as I know, Cisco supports three types of port security:

1) Local MAC address lists

2) 802.1x port security, which uses a username and password rather than MAC address

3) Dynamic VLAN assignment using VMPS, which assigns devices to specific VLANs based on MAC address.

Is there, though, any way to have switches authenticate the device's MAC address against a RADIUS server rather than a VMPS, and either permit / deny access or even assign VLANs based on the RADIUS server's response?

Many thanks

Tom

1 Reply

jafrazie
Cisco Employee

You can currently utilize 802.1x (which does not exactly call for a username/password ... your EAP type that runs over 802.1x would do that).

By utilizing 802.1x, you could also perform checking against any specific MAC address that is requesting access. Similar to authenticated dial-in access, but only allowing dial-in for matching phone numbers.

As for the ability to do this centrally without 802.1x, it is under consideration.

Hope this helps.
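
The check described in the reply above, written as RADIUS-server-side policy logic; this is an added example, not code from the thread or from Cisco. It assumes the switch reports the client MAC in the Calling-Station-Id attribute (as RFC 3580 specifies for 802.1X) and that VLAN assignment uses the RFC 3580 tunnel attributes; the allowlist, VLAN names and function names are constructed for illustration.

```python
import re

# Constructed sample allowlist: normalized MAC -> VLAN name (hypothetical values).
ALLOWED_MACS = {
    "001122334455": "staff",
    "0011223344aa": "printers",
}


def normalize_mac(calling_station_id):
    """Reduce a Calling-Station-Id to 12 lowercase hex digits, or None.

    Accepts the RFC 3580 form (00-11-22-33-44-55) as well as the colon
    and dotted forms (00:11:22:33:44:55, 0011.2233.4455).
    """
    if not isinstance(calling_station_id, str):
        return None
    stripped = re.sub(r"[-:.]", "", calling_station_id.strip()).lower()
    return stripped if re.fullmatch(r"[0-9a-f]{12}", stripped) else None


def authorize(eap_succeeded, calling_station_id, allowed=ALLOWED_MACS):
    """Return (reply_code, reply_attributes) for one access request.

    The MAC check is applied in addition to the EAP result, never instead
    of it: the MAC address is an unauthenticated, client-supplied value.
    """
    if not eap_succeeded:
        return "Access-Reject", {}
    mac = normalize_mac(calling_station_id)
    if mac is None or mac not in allowed:
        # Missing, malformed or unknown MAC: fail closed.
        return "Access-Reject", {}
    # RFC 3580 VLAN assignment attributes returned with the accept.
    return "Access-Accept", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": allowed[mac],
    }


if __name__ == "__main__":
    for csid in ("00-11-22-33-44-55", "0011.2233.44AA", "DE-AD-BE-EF-00-01"):
        print(csid, authorize(True, csid))
```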