07-25-2014 06:31 AM - edited 03-07-2019 08:11 PM
Hi Guys,
Hoping someone can again answer my question...
Here's the scenario:
My boss wants me to restrict my co-employees from freely connecting their devices to our network. He then asked me if I could set up security where devices have to enroll their MAC address before connecting to our network to get internet access. After reading some forums, I came up with using the following:
a. 2 Cisco Switch 2960SF
b. Radius Server (Free Radius).
c. 3650 Cisco Layer
The connection between the RADIUS server and the Cisco 2960 is working: when I telnet to the IP of the switch, it prompts me for a username and password, and I can log in with the user and password I created...
My problem is that when I tried connecting a PC to the Cisco switch to test whether the blocking of the port is working, to my surprise I could still connect to the network. I did not add the MAC address of the PC to the RADIUS server, but I can still connect and access the internet.
Thanks..
07-25-2014 10:09 AM
Hi deocanave
If you have access to your co-workers' devices, you can take the MAC addresses from those devices and then apply a port-security policy on the switch.
For example :
Switch(config)# interface gig0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 00d0.ba11.2131
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end
Only the MAC address of the device assigned to that port can connect to the network.
Instead of:
Switch(config-if)# switchport port-security mac-address 00d0.ba11.2131
You can use
Switch(config-if)# switchport port-security mac-address sticky
and the MAC address of the device will be configured automatically, but this port will only allow one user.
-Hope this helps -
07-25-2014 10:34 PM
HI Sir,
Thank you for this... Is there any other way? We are using the RADIUS server for auditing purposes and for our other IT staff who have no knowledge of Cisco commands...
Thanks...
07-28-2014 09:05 AM
Hi ,
Well, I'm not an expert in RADIUS technology, but if you're using the RADIUS server for auditing and tracking purposes,
I would configure port security on the switch, then enable logging so that every time port security is violated a log is sent to the RADIUS server.
Hope this helps.
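Added example, not code from anyone in this thread or from Cisco: a small Python script that ties together the port-security stanza from the first reply and the logging suggestion in the last one. It keeps the MAC inventory in one place so a colleague who does not know IOS can maintain it, normalizes MACs from dashed or colon notation into the hhhh.hhhh.hhhh form the IOS CLI accepts, renders one interface stanza per port (static MAC or sticky), and parses forwarded syslog for the %PORT_SECURITY-2-PSECURE_VIOLATION message to produce audit records. The inventory, the timestamps and the MAC addresses in the sample log lines are constructed for the example; the violation message text follows what IOS logs when port security trips.

```python
import re

# Constructed inventory: which access port each enrolled device sits on.
# None means "learn the first MAC seen on the port" (sticky).
INVENTORY = {
    "GigabitEthernet0/2": "00-d0-ba-11-21-31",   # dashed notation (as in the reply above)
    "GigabitEthernet0/3": "00:1A:2B:3C:4D:5E",   # colon notation
    "GigabitEthernet0/4": None,                   # sticky learning
}

VIOLATION_MODES = ("protect", "restrict", "shutdown")


def normalize_mac(mac):
    """Convert a MAC in dashed, colon or dotted notation to the hhhh.hhhh.hhhh
    form the IOS CLI expects; reject anything that is not exactly 12 hex digits."""
    digits = re.sub(r"[-:. ]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def port_security_config(iface, mac=None, violation="shutdown"):
    """Return the IOS interface stanza that pins one device to one access port."""
    if violation not in VIOLATION_MODES:
        raise ValueError(f"violation mode must be one of {VIOLATION_MODES}")
    lines = [
        f"interface {iface}",
        " switchport mode access",
        " switchport port-security",
        " switchport port-security maximum 1",
        f" switchport port-security violation {violation}",
    ]
    if mac is None:
        lines.append(" switchport port-security mac-address sticky")
    else:
        lines.append(f" switchport port-security mac-address {normalize_mac(mac)}")
    return lines


def render_config(inventory, violation="shutdown"):
    """Render the stanzas for every port in the inventory, ready to paste."""
    out = []
    for iface, mac in inventory.items():
        out.extend(port_security_config(iface, mac, violation))
        out.append("!")
    return "\n".join(out)


# The message IOS logs when port security trips. Timestamp format depends on
# the switch's "service timestamps" setting; the port name is captured without
# the trailing full stop.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)

# Constructed syslog lines, as a collector would receive them from the switch.
SAMPLE_SYSLOG = [
    "Jul 25 2014 08:12:04: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0011.2233.4455 on port GigabitEthernet0/2.",
    "Jul 25 2014 08:15:41: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up",
    "Jul 25 2014 09:02:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 001a.2b3c.4d5e on port GigabitEthernet0/2.",
]


def parse_violations(log_lines, inventory):
    """Extract port-security violations from syslog and note whether the offending
    MAC is enrolled on some other port (device moved) or not in the inventory at all."""
    enrolled = {normalize_mac(m): p for p, m in inventory.items() if m}
    events = []
    for line in log_lines:
        m = VIOLATION_RE.search(line)
        if not m:
            continue
        mac, port = m.group("mac"), m.group("port")
        events.append({"port": port, "mac": mac, "enrolled_on": enrolled.get(mac)})
    return events


if __name__ == "__main__":
    print(render_config(INVENTORY))
    for ev in parse_violations(SAMPLE_SYSLOG, INVENTORY):
        print(ev)
```

Two practical points for the audit use case. With `violation shutdown` the port goes err-disabled after the first stranger and stays down until someone does `shutdown`/`no shutdown` or `errdisable recovery cause psecure-violation` is configured; `violation restrict` keeps the port up, drops the unknown frames, and logs each violation, which is usually what you want when the goal is a trail of who plugged in where. The switch sends these messages to whatever `logging host` points at, so the collector is a syslog server rather than the RADIUS server itself; and note that a RADIUS login on telnet only protects management access, so if the MAC list must live on FreeRADIUS the switch-side feature to look at is MAC Authentication Bypass (`mab` with `authentication port-control auto` on the interface), which this script does not generate. In either design, MAC addresses are trivially spoofed, so treat this as inventory control and a deterrent, not as authentication of the device.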