04-07-2009 04:21 PM - edited 03-06-2019 05:03 AM
There are 2 switches: one is a Layer 3 switch and the other is an access switch.
I need to add a new VLAN (vlan200) that will be used to provide the users access to the server. And I need to restrict access to the VLAN (vlan100) in the following manner:
1. Users connecting to the access switch's ports must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server:
Radius Server host: 172.120.39.46
Radius Key: CISCO
Authentication should be implemented as close to the host device as possible.
2. Devices on vlan100 are restricted to the address range 172.120.40.0/24.
Packets from devices in the address range 172.120.40.0/24 should be passed on vlan100.
Packets from devices in any other address range should be dropped on vlan100.
Filtering should be implemented as close to the server farm as possible
Config for the Access Switch
!
aaa new-model
radius-server host 172.120.39.46 key CISCO
aaa authentication dot1x default group radius
! "aaa authentication network" is not a valid command; authorization is what dot1x needs here
aaa authorization network default group radius
! globally enable 802.1X on the switch (no space inside the keyword)
dot1x system-auth-control
!
int range fa0/1 - 20
 switchport mode access
 switchport access vlan 100
 dot1x port-control auto
!
Config for the Layer 3 Switch
!
ip access-list extended checklist
 ! an extended ACE needs both a source and a destination operand
 permit ip 172.120.40.0 0.0.0.255 any
!
! access-map entries take a sequence number, not a VLAN id
vlan access-map allow 10
 match ip address checklist
 action forward
!
! the map does nothing until it is applied to the VLAN; anything not
! permitted by "checklist" hits the implicit drop at the end of the map
vlan filter allow vlan-list 100
!
or can I use it this way
access-list 10 permit 172.120.40.0 0.0.0.255
!
ip access-group 10 in
!
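To see what the vlan100 filter from this post would actually forward or drop, here is an added example (not code from the thread or from Cisco) that evaluates Cisco-style wildcard-mask ACEs and walks a VLAN access-map the way the switch does, including the implicit drop at the end of the map. It assumes the extended ACE is written with an "any" destination; the packet addresses and the short ACL are constructed samples.

```python
"""Added example (not from the thread): a small evaluator for Cisco-style
wildcard-mask ACLs and a VLAN access-map, used to check what the vlan100
filter from the post would forward or drop.  The packet values below are
constructed samples."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is
    ignored.  0.0.0.255 therefore means 'compare the first 24 bits' (a /24)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_addr_spec(tokens):
    """Consume one address operand of an ACE: 'any', 'host X' or 'NET WILDCARD'.
    Returns ((network, wildcard), remaining_tokens)."""
    if not tokens:
        raise ValueError("missing address operand (extended ACEs need source and destination)")
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_extended_ace(line: str):
    """'permit ip 172.120.40.0 0.0.0.255 any' -> (action, src_spec, dst_spec)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if proto != "ip":  # this constructed example handles plain 'ip' entries only
        raise ValueError(f"unsupported protocol {proto!r}")
    src, rest = parse_addr_spec(tokens[2:])
    dst, rest = parse_addr_spec(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest}")
    return action, src, dst


def acl_matches(aces, src: str, dst: str):
    """First matching ACE wins.  Returns 'permit', 'deny', or None (no ACE matched)."""
    for action, (sn, sw), (dn, dw) in aces:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return None


def vacl_decision(access_map, acls, src: str, dst: str) -> str:
    """A VLAN access-map is walked in sequence order.  The first entry whose ACL
    *permits* the packet decides (forward/drop); a deny in the ACL just means
    'no match for this entry'.  If no entry matches, the packet is dropped:
    the implicit deny at the end of every VACL."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_matches(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"


# The filter from the post, with the destination operand the ACE needs.
ACLS = {
    "checklist": [parse_extended_ace("permit ip 172.120.40.0 0.0.0.255 any")],
}
# (sequence, match acl, action), equivalent to:
#   vlan access-map allow 10 / match ip address checklist / action forward
ACCESS_MAP = [(10, "checklist", "forward")]


def check_vlan100(src: str, dst: str) -> str:
    """Decision the VACL on vlan100 would make for a constructed src/dst pair."""
    return vacl_decision(ACCESS_MAP, ACLS, src, dst)


if __name__ == "__main__":
    for s, d in [("172.120.40.17", "172.120.39.46"),  # in range -> forward
                 ("172.120.41.3", "172.120.39.46"),   # neighbouring /24 -> drop
                 ("10.0.0.5", "172.120.39.46")]:      # outside -> drop
        print(f"{s} -> {d}: {check_vlan100(s, d)}")
```

Feeding the post's original two-operand line (`permit ip 172.120.40.0 0.0.0.255`) to `parse_extended_ace` raises, which is the same complaint the IOS parser makes: an extended ACE is incomplete without a destination. The evaluator also makes the wildcard-mask direction explicit; writing 255.255.255.0 instead of 0.0.0.255 would only compare the last octet and let most of the other ranges through.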
04-07-2009 04:56 PM
Errr ...
1. dot1x port-control auto is for NAC. Do you have a NAC server?
2. Where's your trunk?
3. What interface do you intend to apply "ip access-group 10 in"?
04-07-2009 05:21 PM
Yep, there is a RADIUS server installed.
A trunk is also configured between the Layer 3 switch (gi0/48) and the access switch (gi0/1).
And ip access-group 10 in is on the Layer 3 switch's (gi0/48) interface.