07-17-2007 08:52 AM - edited 03-05-2019 05:20 PM
Is it possible to use RADIUS to control access of devices to the network by using their MAC addresses to authenticate to a Cisco switch port via RADIUS, and assign the VLAN to the port via RADIUS too?
Regards
Mohamed
07-17-2007 09:37 AM
look at 802.1x
07-17-2007 01:41 PM
Hi,
I don't want to authenticate with username and password
Only to check the mac address and assign the VLAN according to the MAC address of the device
Regards
Mohamed
07-18-2007 08:40 AM
Hi,
I just completed this very setup just last week. You can use dot1x with Mac Auth Bypass.
See here... http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/dot1x.html#wp1203853
My config was as follows:
On the RADIUS server configure both the username and password as the PC/Laptop MAC address.
Also on the RADIUS server configure these options... I used Cisco ACS RADIUS Server.
- Tunnel-Type = VLAN
- Tunnel-Medium-Type = 802
- Tunnel-Private-Group-ID = (VLANNumber)
Now globally on the switch configure this:
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
radius-server host 172.16.0.1 auth-port 1645 acct-port 1646 key cisco
radius-server source-ports 1645-1646
radius-server deadtime 1
!
And on the interfaces configure this:
!
interface FastEthernet 0/1
switchport mode access
switchport nonegotiate
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
dot1x max-reauth-req 1
spanning-tree portfast
!
You may notice that I have changed the dot1x timeouts. My reason was that dot1x was taking too long to authorize the MAC address and then bring up the port (about 40-60 seconds) (I am open to correction on this as I was only testing it last week :) ).
By reducing the dot1x timeouts the MAC was authorised and the port was brought up quicker.
I hope this helps
Please rate if it does.
Regards
Stephen
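To make the RADIUS side of the setup above concrete, here is an added example (not code from the thread, from Cisco, or from ACS) that models the MAB exchange Stephen describes: the switch sends an Access-Request with the MAC as both User-Name and User-Password, and the server answers with the three tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=VLAN). The packet layout and User-Password hiding follow RFC 2865 and RFC 2868; the MAC-to-VLAN table `MAB_TABLE`, the shared secret `cisco` (taken from the `radius-server host` line), the tag octet value 1, and the helper names are constructed for the example. It also shows the check a switch must do on the reply (Response Authenticator over the Request Authenticator and secret), which is what stops a spoofed Access-Accept on the management network from assigning a VLAN.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute numbers (RFC 2865, RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type = 802 (IEEE 802)

# Constructed stand-in for the ACS user database: MAC (as the switch sends it) -> VLAN to assign
MAB_TABLE = {"001122aabbcc": 10, "00aabbccddee": 20}


def normalize_mac(mac):
    """Reduce any common MAC spelling to 12 lowercase hex digits (assumed User-Name form)."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte chunks with chained MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value


def parse_attrs(packet):
    """Return {attribute number: raw value} for everything after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        attrs[code] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_mab_access_request(mac, secret, authenticator=None, identifier=1):
    """Switch side: MAB sends the MAC as both User-Name and (hidden) User-Password."""
    authenticator = authenticator or os.urandom(16)
    m = normalize_mac(mac).encode()
    attrs = attr(USER_NAME, m) + attr(USER_PASSWORD, hide_password(m, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def handle_access_request(request, secret):
    """Server side: accept only if User-Password reveals to User-Name and that MAC is in the table."""
    a = parse_attrs(request)
    user = a.get(USER_NAME, b"")
    if reveal_password(a.get(USER_PASSWORD, b""), secret, request[4:20]) != user:
        return None  # wrong secret or mismatched password: an Access-Reject would go here
    vlan = MAB_TABLE.get(user.decode(errors="replace"))
    if vlan is None:
        return None  # unknown MAC: Access-Reject
    tag = b"\x01"  # RFC 2868 tag octet; tag 1 is assumed for all three attributes
    attrs = (attr(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def vlan_from_accept(response, request, secret):
    """Switch side: verify the Response Authenticator, then read the assigned VLAN (or None)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if response[0] != ACCESS_ACCEPT or response[1] != request[1] or response[4:20] != expected:
        return None  # forged or corrupted reply, or ID mismatch: port stays unauthorized
    a = parse_attrs(response)
    if TUNNEL_PRIVATE_GROUP_ID not in a:
        return None
    if int.from_bytes(a.get(TUNNEL_TYPE, b"\0\0\0\0")[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(a.get(TUNNEL_MEDIUM_TYPE, b"\0\0\0\0")[1:], "big") != TUNNEL_MEDIUM_802:
        return None
    group = a[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # leading tag octet present (RFC 2868 3.6)
        group = group[1:]
    return group.decode()


if __name__ == "__main__":
    secret = b"cisco"  # the "key cisco" from the thread's radius-server line
    req = build_mab_access_request("00:11:22:AA:BB:CC", secret)
    acc = handle_access_request(req, secret)
    print("assigned VLAN:", vlan_from_accept(acc, req, secret))
```

Two things the exchange makes visible: the "password" carries no secret the client knows (it is the MAC the switch already saw), so MAB identifies a device rather than authenticating it, and the only cryptographic protection in the exchange is the shared secret between switch and RADIUS server, which is why the `key` on the `radius-server host` line and the reachability of 172.16.0.1 from user VLANs deserve the same care as the user table itself.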
07-18-2007 12:34 PM
Hi,
I don't want the PC/laptop to prompt for username and password
Only MAC address authentication without entering any username and password
Can I do this via the MAC authentication bypass feature?
Regards
Mohamed
07-18-2007 01:22 PM
Of Course :)
The MAC-Auth-Bypass will not prompt for username and password. The auth process is completely transparent to the end user. However, there is one thing to remember: if dot1x is enabled on the client, e.g. Windows XP dot1x, then XP will try to authorize against dot1x and it will look for a certificate also. You must turn off dot1x on your client PCs for this to work properly..... no problem though :)
Regards
Stephen