10-16-2001 09:40 AM - edited 03-08-2019 08:53 PM
Hi all,
I have a client who has a request for me to provide security using TACACS+ or RADIUS with RSA ACE/Server. Here is a detailed description of what the client wants; any ideas on how to accomplish this?
Here it is:
The requirement is that prior to accessing the network the user must log in to the switch; the switch will validate the users via RADIUS or TACACS+ and establish a VLAN for the user. The VLAN must be locked to the physical switch port, IP address, protocol and virtual port. (Port 12 Slot 3, 10.xxx.xxx.4, TCP/IP, 80) would be an entry for a WWW server on our internal LAN. The same conditions apply regardless of whether you are internal or external, as once you have access to the network the first thing you see is the switch authentication (SW may be needed on the clients to do this).
The VLANs will be user based and no traffic will be allowed for unprotected sessions; the exception needs to be on the server side, where VLANs will be established for all traffic, thereby allowing things like NTP or DNS resolution.
A user may be allowed to access only one port, and if the system or machine does not have a VLAN allowing access, then even with root access they cannot jump/hop from there. Note this means an explicit VLAN for any user connection is needed, so that if I am allowed to access a physical switch port, IP address, protocol and virtual port, and it in turn is allowed to get to another physical switch port, IP address, protocol and virtual port, that one must be listed in my VLAN.
Thanks
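The locked-down, explicit allow-list policy described in the post, as an added example that is not part of the original thread: a small Python model that checks a flow against a user's VLAN entries (default deny) and audits the "no hop" rule by flagging any onward hop a reachable host may make that the user's own list does not contain. The Entry fields, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Entry:
    """One allowed destination: physical switch slot/port, IP address,
    protocol and virtual (transport) port, matching the post's example
    (Port 12 Slot 3, 10.x.x.4, TCP, 80)."""
    slot: int
    port: int
    ip: str
    proto: str
    vport: int

# The post's "VLAN" is an explicit allow-list bound to one user or host.
Vlan = FrozenSet[Entry]

def is_allowed(vlan: Vlan, slot: int, port: int, ip: str, proto: str, vport: int) -> bool:
    """Default deny: a flow passes only when its exact 5-field entry is listed.
    The same host on another virtual port (e.g. SSH instead of HTTP) is denied."""
    return Entry(slot, port, ip, proto, vport) in vlan

def find_unlisted_hops(user_vlan: Vlan, host_vlans: Dict[str, Vlan]) -> List[Tuple[Entry, Entry]]:
    """Audit the 'no hop' rule: if the user may reach host A, and A's own VLAN
    may reach B, then B must also appear in the user's VLAN. Returns every
    (A-entry, B-entry) pair that violates this, i.e. a pivot path the policy
    would otherwise leave implicit."""
    gaps = []
    for first in sorted(user_vlan, key=repr):
        for second in sorted(host_vlans.get(first.ip, frozenset()), key=repr):
            if second not in user_vlan:
                gaps.append((first, second))
    return gaps

# Constructed sample policy (addresses, slots and ports are made up for this example).
WWW = Entry(3, 12, "10.0.0.4", "tcp", 80)    # internal WWW server
DNS = Entry(3, 20, "10.0.0.53", "udp", 53)   # resolver every server may use
DB = Entry(3, 14, "10.0.0.9", "tcp", 1433)   # database behind the WWW server

ALICE: Vlan = frozenset({WWW, DNS})
HOST_VLANS: Dict[str, Vlan] = {
    "10.0.0.4": frozenset({DNS, DB}),  # the WWW server's server-side VLAN
    "10.0.0.9": frozenset({DNS}),
}

if __name__ == "__main__":
    print(is_allowed(ALICE, 3, 12, "10.0.0.4", "tcp", 80))  # True
    print(is_allowed(ALICE, 3, 12, "10.0.0.4", "tcp", 22))  # False: same host, other port
    for a, b in find_unlisted_hops(ALICE, HOST_VLANS):
        print(f"unlisted hop: {a.ip}:{a.vport} -> {b.ip}:{b.vport}")
```

Running it reports the WWW server's path to the database as an unlisted hop, which under the post's rule means the database entry must be added to the user's VLAN or the WWW server's VLAN must drop it.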
10-20-2001 04:03 PM
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you, or there is no public information available at this time. If you don't get a suitable response to your post, you may wish to review our resources at the online http://www.cisco.com/go/solutions. You may also contact our product information line at 1-800-553-NETS or a Cisco Systems Engineer at your local Cisco office or reseller. To locate your local Cisco representative, visit http://www.cisco.com/warp/public/687/Directory.shtml
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
10-27-2001 06:27 AM
Hi!
Cisco IOS Firewall Authentication Proxy provides dynamic, per-user authentication and authorization, authenticating users against TACACS+ and RADIUS authentication protocols.
You need only an RSM with the IOS Firewall feature set and CiscoSecure ACS.
More details:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdauthp.htm
BR Juha
12-03-2001 10:38 AM
Hello,
This response might be rather too late for your problem. The reason being, I am new to the forum, was going through the threads and noticed that your question was not addressed.
I believe you can utilize VMPS to achieve the solution.
With VMPS, you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.
I have implemented it on the bank security configuration.
Sorry if this came late. Hopefully, if not, this will help.
Elias