Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1084
Views
0
Helpful
2
Replies

Authenticating machines using {USER PASS MAC [IP]} or Active Directory

Go to solution
a.m
Level 1
Level 1

‎02-22-2018 02:32 PM - edited ‎02-21-2020 10:46 AM

Hello,

I'm a beginner, I'm working on Cisco switch 2960s, and I need some advice about authentication methods to access the LAN (and not the switch).

I have a set of vlans that can be divided into two subset according to the authentication methods.

In the First vlan subset, I want to authorize only the AD domain members to access the LAN. My objective isn't to get the user-name and the password from the user, but to be sure that the machines belong to the domain.
I want to prevent users from connecting their own machines to the LAN, or to fool the switch using cloned MAC addresses of existing machines. We are against BYOD here X)


In the second vlan subset, I want to authenticate machines that are not members of AD domain, and to be sure that the users won't able to connect new machines.
I thought about combining  the following elements:
1-Username
2-Password
3-MAC address
4-Ip address ( If possible)

With this combination, I can be sure that the user will have only one machines connected, but the user will be able to replace the machine without my authorization.

Is that realizable with 2960s switches ? If not what can I do to get closer to those objectives ?

I have seen some articles about TACACS+ and RADIUS but I'm not very sure that if I can express this constraint using those protocols.

Regards.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎02-22-2018 02:51 PM

You'll be wanting to use wired 802.1x.  This authenticates using RADIUS.  You can use a basic RADIUS server like NPS (Network Policy Server) on your AD controller or Cisco ISE.

 

There is quite a bit of work involved to get all of this going.  I wouldn't take this on if you are a beginner at Cisco networking.  I would get someone in to help you.

 

Otherwise, start reading this guide:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎02-22-2018 02:51 PM

You'll be wanting to use wired 802.1x.  This authenticates using RADIUS.  You can use a basic RADIUS server like NPS (Network Policy Server) on your AD controller or Cisco ISE.

 

There is quite a bit of work involved to get all of this going.  I wouldn't take this on if you are a beginner at Cisco networking.  I would get someone in to help you.

 

Otherwise, start reading this guide:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

0 Helpful

Go to solution
a.m
Level 1
Level 1
In response to Philip D'Ath

‎02-23-2018 01:15 AM

Thank you for confirming this it is possible to do it using radius.

Now, I can go ahead with worrying if it is realizable.

I'm so exited to test this solution.

Kind regards.

0 Helpful
Customers Also Viewed These Support Documents