01-07-2019 01:42 PM
Hey everyone,
I have been researching and testing port-security to be implemented in our network switches. I am quite confused about how we can properly manage port-security for laptops, as they keep moving throughout the network. I can't just configure sticky or static MAC addresses for those laptops throughout my network, and there are about a dozen laptops.
Thank You in advance.
01-07-2019 04:55 PM - edited 01-07-2019 04:57 PM
Cisco VMPS would be the perfect solution to allow you to roam based on your MAC address; however, this feature was discontinued way back in IOS release 12.2. The alternative would be to implement 802.1x authentication on the switch and authenticate via a RADIUS server. Keep in mind that these devices will be connected to designated ports, as your other devices such as IP phones would have to support this feature in order to operate.
Info on 802.1x Authentication
01-08-2019 10:09 AM
Thank you for the information Patrick. I do have one NPS server for authenticating users to log in to network switches through RADIUS authentication, querying my AD.
I tried to follow the instructions from your weblink but could not succeed.
However, I will be researching it and testing the port-control.
Thank You once again.
01-08-2019 10:55 AM
Please see the sample config for a switch. If you require a sample of a Windows client, I can provide that as well.
***Remember to rate the post as well****
Switch(config)# ip routing
Switch(config)# aaa new-model
Switch(config)# username admin secret MyPassword
Switch(config)# radius-server host 10.0.0.100 auth-port 1812 acct-port 1813 key MyRadiusKey
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface g0/12
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Note that the interface must be set to static access mode. If left in dynamic mode (where DTP is used to negotiate the port's function as either access or trunking), the switch will issue an error message stating that 802.1X cannot be configured on dynamic ports.
If you're inquisitive like me and issue a question mark to invoke the context-sensitive help in the midst of issuing a new command, you might have noticed that the dot1x port-control interface command has three options. These are:
auto - Normal 802.1X authentication
force-authorized - No 802.1X authentication is used (this is the default setting, to prevent service interruption while deploying 802.1X)
force-unauthorized - Ignores authentication attempts, port is always unauthorized
You can use the show dot1x command to verify the configuration of your client-facing interface:
Switch# show dot1x interface g0/12
Supplicant MAC
AuthSM State = N/A
BendSM State = N/A
PortStatus = N/A
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
PortControl = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
What error messages do you get on the NPS server?
Does the client computer have a certificate issued from the AD domain, and is the same certificate trusted on the NPS server?
Does this link provide some information to help configure NPS and the client?
I checked for the EAP traffic in the RADIUS server, though. I will check for the RADIUS traffic once again.
Also, I have configured the port as below:
interface GigabitEthernet1/0/4
switchport access vlan 700
switchport mode access
authentication port-control auto
spanning-tree portfast
I don't get the port-control option under dot1x:
DISW06E(config-if)#dot1x ?
authenticator Configure authenticator parameters
credentials Credentials profile configuration
default Configure Dot1x with default values for this port
max-reauth-req Max No. of Reauthentication Attempts
max-req Max No. of Retries
max-start Max No. of EAPOL-Start requests
pae Set 802.1x interface pae type
supplicant Configure supplicant parameters
timeout Various Timeouts
I don't know why. Might be because of my IOS image version.
01-09-2019 03:06 PM
You need a few more interface-level commands configured for dot1x to work, e.g.:
Interface
interface gigabitethernet 1/0/1
switchport mode access
switchport access vlan 11
spanning-tree bpduguard enable
spanning-tree portfast
authentication event fail action next-method
authentication host-mode single-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
Global
aaa new-model
ip device tracking
dot1x system-auth-control
aaa group server radius ISE
server 192.168.10.14 auth-port 1645 acct-port 1646
server 192.168.10.4 auth-port 1645 acct-port 1646
load-balance method least-outstanding batch-size 5
aaa server radius dynamic-author
client 192.168.10.4 server-key cisco1234
client 192.168.10.14 server-key cisco1234
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic
aaa accounting dot1x default start-stop group ISE
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 30 tries 3
radius-server host 192.168.10.14 auth-port 1645 acct-port 1646 key cisco1234
radius-server host 192.168.10.4 auth-port 1645 acct-port 1646 key cisco1234
radius-server deadtime 30
radius-server vsa send accounting
radius-server vsa send authentication
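An added example, not from this thread or from Cisco, that turns the checklist in the reply above into an audit: it parses an IOS-style running-config and reports each access port that is missing the 802.1X/MAB interface commands listed there, plus any missing global commands. The function names and the sample running-config are constructed for the example; the required-command sets are taken from the reply and should be adjusted to your own deployment.

```python
# Commands the reply above lists for 802.1X + MAB; taken from this thread, adjust to your deployment.
REQUIRED_IF_CMDS = {"switchport mode access", "authentication port-control auto",
                    "authentication order dot1x mab", "authentication priority dot1x mab",
                    "authentication host-mode single-auth", "mab", "dot1x pae authenticator"}
REQUIRED_GLOBAL_CMDS = {"aaa new-model", "dot1x system-auth-control"}

def parse_config(config):
    """Split an IOS running-config into top-level commands and per-interface command sets."""
    top_level, interfaces, current = set(), {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
            top_level.add(line.strip())
    return top_level, interfaces

def audit_dot1x(config):
    """Return missing global commands and, for each access port, its missing port commands."""
    top_level, interfaces = parse_config(config)
    report = {"global_missing": sorted(REQUIRED_GLOBAL_CMDS - top_level), "interfaces": {}}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are not expected to run 802.1X
        missing = sorted(REQUIRED_IF_CMDS - cmds)
        if missing:
            report["interfaces"][name] = missing
    return report

# Constructed sample: Gi1/0/4 is the minimal port from this thread, Gi1/0/1 the fuller one above.
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode single-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 switchport access vlan 700
 switchport mode access
 authentication port-control auto
"""
```

Run `audit_dot1x(SAMPLE_CONFIG)` against a config pulled with `show running-config` to get a per-port list of what is still missing before enabling `authentication port-control auto` fleet-wide.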
01-14-2019 08:57 AM - edited 01-14-2019 08:57 AM
I am sorry I was out for a while. I will be testing the configuration today though.
Thank you for your help.