02-18-2018 02:50 AM - edited 03-05-2019 09:56 AM
Hello,
I have a WAN of 200 hosts (domain users with limited profiles), and some users connect their laptops to the port and connect to the WAN and internet. I want to restrict computers that are not from the domain from connecting to the WAN.
I'm using Windows Server 2008 R2 (DHCP server) and Cisco Catalyst 2970 and 2960.
02-18-2018 04:13 AM
Hi
Could you please provide more details and the topology? I think you could use ACLs, but what do you mean by domain?
02-18-2018 05:27 AM
Hello,
The only way I see to accomplish this is with dot1x authentication in conjunction with an NPS policy for dot1x on your Windows server. Since you only want to restrict WAN access, you can configure an auth fail VLAN for the unauthenticated users.
Is that an option?
02-19-2018 12:35 AM
02-19-2018 12:57 AM
Hello,
Have a look at the two links below. The first describes how to set up the RADIUS, the second how to configure the fallback VLAN. Let us know how much you can figure out and how far you get...
How to Enable Dot1x authentication for wired clients
https://howdoesinternetwork.com/2015/how-to-enable-dot1x-authentication-for-wired-clients
IEEE 802.1X Auth Fail VLAN
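
As an added example, not part of the original thread or of the linked guides: a switch-side configuration for the approach described above (802.1X against a RADIUS server such as NPS, with an auth-fail VLAN for clients that fail authentication). The RADIUS address, shared secret, VLAN numbers and interface name are placeholders, and the interface commands assume an IOS release that uses the `authentication` command syntax.

```cisco
! --- Global: enable AAA and point 802.1X at the RADIUS (NPS) server ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Placeholder server address and key; the same shared secret must be
! configured for this switch as a RADIUS client on the NPS side.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
!
! Turn on 802.1X globally; ports still need per-interface configuration.
dot1x system-auth-control
!
! --- VLANs (numbers are assumptions) ---
vlan 10
 name DOMAIN-USERS
vlan 999
 name AUTH-FAIL
!
! --- Access port facing a user desk ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port stays unauthorized until the client authenticates.
 authentication port-control auto
 dot1x pae authenticator
 ! Clients that attempt 802.1X and fail are placed in VLAN 999.
 authentication event fail action authorize vlan 999
 ! Clients that never answer 802.1X (no supplicant) are not covered by
 ! the auth-fail VLAN; this guest-VLAN line sends them to the same VLAN.
 authentication event no-response action authorize vlan 999
 spanning-tree portfast
!
! Older IOS releases use the legacy interface commands instead:
!  dot1x port-control auto
!  dot1x auth-fail vlan 999
!  dot1x guest-vlan 999
```

After applying it to a test port, `show dot1x interface FastEthernet0/1 details` shows whether the port is authorized and which VLAN was assigned. What VLAN 999 can reach is decided by routing and ACLs on the layer-3 device, not by this port configuration.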