802.1x MAC authentication

gabriel.gearip
Level 1

Hi,

I've been searching for the right solution for my problem on and off for the last week on this forum and other sites. I didn't get a clear answer so here I am posting it:

Is it possible to do MAC-based authentication and VLAN assignment with 802.1x against a RADIUS server? _I know_ you will give me the VMPS solution which I have already taken into consideration, but I would rather do it with 802.1x if it is possible for a number of reasons.

I'm not looking to do port filtering (to allow only one MAC address defined in the switch). The switch should interrogate the RADIUS server as to whether the MAC has access and what VLAN it should be placed on; all that by means of 802.1x. Can it be done?

Thanx.

Gabi.

7 Replies

Roberto Salazar
Level 8

Yes, the switch will merely pass the 802.1x from the client to the Radius, the bulk of the configuration is done on the server. At the switch it's called "Using 802.1X with VLAN Assignment". Here is a link on a cat4000 on how to configure 802.1X with VLAN assignment:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/dot1x.htm#wp1142124

But you can find configuration guides for other platforms through UniverCD:

http://www.cisco.com/univercd/home/home.htm

And here is a link on Using a RADIUS Server to Assign Users to VLANs:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/b1237ja/i1237sc/s37vlan.htm#wp1038739

OK, I got that, but is it possible to do the authentication and VLAN assignment _based on the client's MAC address_? From what I read in the links the authentication is based on user/password.

Missed that. You can either try the "802.1X VLAN Assignments Using a RADIUS Server" approach or work with port security. You may want to check whether the RADIUS server can use the MAC address for authentication. I think it can, but I am not sure.

The latest IOS for 2960, 2970, 3550, 3560 & 3750 - 12.2(25)SEE - has a section about 802.1x Authentication with MAC Authentication Bypass. This was mentioned last year and this is first time I have seen it in any release notes.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/sw8021x.htm#wp1170569

This is ONLY available in the 12.2(25)SEE release (I just tried on a 12.2(25)SED1 3750 and the commands aren't there). 12.2(25)SEE introduces a nice 802.1x/Radius bug though (CSCsd38857) where 802.1x authentication requests send the Radius attribute NAS-Port-Type as 'Virtual' instead of 'Ethernet'. Great if you have Radius policies based on this attribute...

I assume this only currently works with ACS though?

HTH

Andy
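The two answers above describe the exchange in words: the switch forwards an authentication request to RADIUS, and with MAC Authentication Bypass the request carries the client's MAC address instead of a username and password, while the Access-Accept carries the VLAN in the tunnel attributes. The following block is an added example, not code or configuration from Cisco or from anyone in this thread. It models both sides of that exchange as RFC 2865 packets: the "switch" builds an Access-Request with the MAC as User-Name and User-Password (the 12-lowercase-hex-digit, no-separator format is an assumption about how MAB presents the MAC), the "server" looks the MAC up in a constructed table and answers with the RFC 2868 Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID attributes, and the switch verifies the Response Authenticator before moving the port into the returned VLAN. The server policy also insists on NAS-Port-Type = Ethernet, which is the kind of policy that the NAS-Port-Type bug mentioned above would break. The shared secret and the MAC-to-VLAN table are constructed sample data.

```python
"""RADIUS exchange behind MAC Authentication Bypass (MAB) with VLAN assignment.
Added example, not Cisco code. The 'switch' sends an RFC 2865 Access-Request with
the MAC as User-Name/User-Password, the 'server' looks the MAC up and replies with
RFC 2868 tunnel attributes carrying a VLAN, and the switch validates the reply."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
NAS_PORT_TYPE_VIRTUAL, NAS_PORT_TYPE_ETHERNET = 5, 15  # RFC 2865 values
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6             # RFC 3580 / RFC 2868 values
TAG = b"\x01"                                           # tunnel-attribute tag byte
SHARED_SECRET = b"testing123"                           # constructed sample secret
MAC_VLAN_DB = {"001122334455": "20", "00aabbccddee": "30"}  # constructed: MAC -> VLAN


def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs; the length byte covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, n = struct.unpack("!BB", data[i:i + 2])
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs


def hide_password(plain, secret, req_auth):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block)."""
    plain += b"\0" * (-len(plain) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(plain), 16):
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\0")


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def mab_access_request(mac, ident, secret, nas_port_type=NAS_PORT_TYPE_ETHERNET):
    """Switch side. Assumed MAB format: 12 lowercase hex digits, no separators, as
    both User-Name and User-Password; Calling-Station-Id keeps the hyphenated form."""
    user = mac.replace(":", "").replace("-", "").lower().encode()
    req_auth = os.urandom(16)  # Request Authenticator: random per request
    body = encode_attrs([
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(user, secret, req_auth)),
        (CALLING_STATION_ID, "-".join(user.decode()[i:i + 2] for i in range(0, 12, 2)).upper().encode()),
        (NAS_PORT_TYPE, struct.pack("!I", nas_port_type))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def radius_reply(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def radius_server(pkt, secret, db=MAC_VLAN_DB):
    """Server side: MAC must be in the table, the password must be the MAC itself
    (MAB, not a user login) and the port must be Ethernet, not Virtual."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = a.get(USER_NAME, b"")
    pw = unhide_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    port_type = struct.unpack("!I", a.get(NAS_PORT_TYPE, b"\0\0\0\0"))[0]
    vlan = db.get(user.decode(errors="replace"))
    if code != ACCESS_REQUEST or vlan is None or pw != user or port_type != NAS_PORT_TYPE_ETHERNET:
        return radius_reply(ACCESS_REJECT, ident, req_auth, [], secret)
    tunnel = [(TUNNEL_TYPE, TAG + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),      # tag + 3-byte int
              (TUNNEL_MEDIUM_TYPE, TAG + struct.pack("!I", TUNNEL_MEDIUM_802)[1:]),
              (TUNNEL_PRIVATE_GROUP_ID, TAG + vlan.encode())]                  # tag + VLAN id/name
    return radius_reply(ACCESS_ACCEPT, ident, req_auth, tunnel, secret)


def switch_handle_reply(pkt, req_auth, secret):
    """Switch side: verify the reply before acting on it, then extract the VLAN.
    Returns the VLAN string, or None on Access-Reject / missing tunnel attributes."""
    code, ident, resp_auth, attrs = parse_packet(pkt)
    expect = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expect, resp_auth):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    a = dict(attrs)
    if (int.from_bytes(a.get(TUNNEL_TYPE, b"\0" * 4)[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(a.get(TUNNEL_MEDIUM_TYPE, b"\0" * 4)[1:], "big") != TUNNEL_MEDIUM_802):
        return None
    gid = a.get(TUNNEL_PRIVATE_GROUP_ID)
    if not gid:
        return None
    return (gid[1:] if gid[0] <= 0x1F else gid).decode()  # RFC 2868: first byte <= 0x1F is a tag


def authenticate_mac(mac, nas_port_type=NAS_PORT_TYPE_ETHERNET, secret=SHARED_SECRET):
    """One round trip for one MAC on one port; the 'wire' is a function call here."""
    req, req_auth = mab_access_request(mac, 7, secret, nas_port_type)
    return switch_handle_reply(radius_server(req, secret), req_auth, secret)
```

Running `authenticate_mac("00:11:22:33:44:55")` returns "20" and an unknown MAC returns None; sending the same request with `NAS_PORT_TYPE_VIRTUAL` is rejected by the server policy, which is exactly the failure mode a policy keyed on NAS-Port-Type would hit with the bug described above. A real deployment puts the MAC table and VLAN attributes in the RADIUS server (or ACS) configuration and uses the switch's own MAB/VLAN-assignment commands; the point of the model is the attribute layout and the authenticator check, which are what the switch and server must agree on.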

It's too bad we have 2950's :) Although the 12.2(25)SEE could be uploaded to a 2950 (http://www.cisco.com/en/US/products/ps6406/products_configuration_guide_chapter09186a00805a8418.html).

I guess I should be heading to VMPS...

Found today a post in a forum of someone using VMPS clients authenticating against a TACACS server. Is that possible??

Here's the link:

http://seclists.org/lists/security-basics/2004/Oct/0229.html

I think the link is regarding replacing a 2950 with a 2960, not uploading 2960 IOS to a 2950...

VMPS is not really a 'forward' technology and 802.1x is really the way to go. The VMPS server can be a URT Server and you can get it to pull user credentials from various databases (Active Directory, LDAP, Radius, TACACS+ etc). The URT server is EOS/EOL so further development of this product is unlikely.

If you want to secure user ports, you can physically secure them to a degree (lock cabinets, cut the tabs of the RJ45's etc). You can also implement port-security with sticky or fixed MAC addresses so users attempting to connect a PC to a port reserved for a printer won't work.

HTH

Andy

What I'm really trying to do is provide user mobility but not necessarily using LDAP or another 'user/password' method, and secure correct VLAN placement. In my vision the best way to provide that would be MAC-based VLAN assignment. From what I understood this is only provided in 2960, 2970, 3550 etc...

How would one provide MAC based VLANS on Catalyst 2950?