666 Views, 0 Helpful, 3 Replies

Stop DHCP using RADIUS server

Hisoma Sama
Level 1

Hello,

 

I have a 4500X as core and 2960s as access switches. I want to stop devices that are not joined to the Microsoft Active Directory domain from getting an IP. I'm aware that ISE has the ability to do that, but for now I'm using Microsoft NPS as the RADIUS server since it's free.

 

So I'm looking for the commands I should apply to stop DHCP for visitors/guests.

And should it be on both core and access switches, or just on the core?

 

thanks in advance

3 Replies

balaji.bandi
Hall of Fame

You have a limitation here:

1. The IP address comes first.

2. Then you have the AD login information.

So you need to have a mechanism in place to detect the known clients before giving them a DHCP IP address.

That only happens when you have some identity system in place.

If you're keen to put in some time, try

 

https://packetfence.org/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Deepak Kumar
VIP Alumni

Hi,

You can configure 802.1X authentication with the RADIUS server on the switch. It authenticates the system first, before allowing DHCP.

 

Here is the deployment and configuration guide on the same:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.pdf

 

Global Configuration:

! Define the RADIUS server (the NPS box). Legacy syntax; newer IOS releases use
! "radius server <name>" with "address ipv4 <ip> auth-port 1812 acct-port 1813" and "key <secret>"
radius-server host x.x.x.x
radius-server key xxxxxxx
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Optional: only needed if NPS returns a VLAN (Tunnel-Private-Group-ID) for the authenticated host
aaa authorization network default group radius
! Enable 802.1X authentication globally (the per-port commands below do nothing without this)
dot1x system-auth-control


Interface Configuration (on every access port where endpoints connect; port name is an example):

interface GigabitEthernet1/0/1
 ! Static access mode (802.1X is not supported on trunk or dynamic ports)
 switchport mode access
 ! Enable 802.1X per port: the port passes only EAPOL, so no DHCP, until RADIUS accepts the host
 dot1x port-control auto
 ! Configure host mode (single or multi)
 dot1x host-mode single-host
 ! Number of EAP-Request/Identity retries before a host that never answers is treated as having no supplicant
 dot1x max-reauth-req 2
 ! Enable periodic reauthentication
 dot1x reauthentication
 ! Guest VLAN: assigned to hosts with no supplicant (no EAPOL reply at all);
 ! they still get an address there if that VLAN has a DHCP scope or relay
 dot1x guest-vlan 123
 ! Restricted VLAN: assigned to hosts whose credentials RADIUS rejects, after 3 failed attempts
 dot1x auth-fail vlan 456
 dot1x auth-fail max-attempts 3

 

Regards,
Deepak Kumar
Don't forget to vote and accept the solution if this comment helps you!
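Added example, not from this thread or from Cisco: a small Python audit that parses a "show running-config" capture and flags the two gaps that defeat the configuration above, a missing global command, or an access port that has "switchport mode access" but no "dot1x port-control auto" (a host on such a port gets DHCP without ever authenticating). Run it against each access switch's config, since port-control lives on the ports the endpoints plug into. The SAMPLE_CONFIG text, its interface names and its addresses are constructed for illustration.

```python
"""Audit a Cisco IOS running-config for the 802.1X settings listed in the reply above.

Added example, not part of the thread. SAMPLE_CONFIG is constructed; feed a
real 'show running-config' capture to audit() instead.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one compliant access port, one access port with no
# 802.1X at all (anything plugged in there gets DHCP immediately), and one
# trunk uplink, which is expected to carry no port-control.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.5
radius-server key SECRET
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x guest-vlan 123
!
interface GigabitEthernet1/0/2
 switchport mode access
 description printer, left open by mistake
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 description uplink to core
!
"""

# Global commands without which no port enforces 802.1X.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        """True if any sub-command of this interface starts with prefix."""
        return any(line.startswith(prefix) for line in self.lines)


def parse_interfaces(config: str) -> list:
    """Return one Interface per 'interface ...' stanza; indented lines belong to it."""
    interfaces, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1])
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # any unindented line ('!' or a global command) ends the stanza
    return interfaces


def audit(config: str) -> dict:
    """Report missing global commands and access ports that do not enforce 802.1X."""
    missing_global = [
        cmd for cmd in REQUIRED_GLOBAL
        if not re.search(rf"(?m)^{re.escape(cmd)}\s*$", config)
    ]
    open_access_ports = [
        itf.name for itf in parse_interfaces(config)
        if itf.has("switchport mode access") and not itf.has("dot1x port-control auto")
    ]
    # Per-port 'dot1x port-control auto' is inert unless the global switch is on,
    # so the switch only counts as enforcing when both lists are empty.
    return {
        "missing_global": missing_global,
        "open_access_ports": open_access_ports,
        "enforcing": not missing_global and not open_access_ports,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample, the audit reports GigabitEthernet1/0/2 as an open access port and the switch as not enforcing; the trunk uplink is deliberately not flagged, since 802.1X is not applied to trunks.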

+1 @Deepak Kumar 

 

Yes, you can consider this solution. I am not sure the original poster has CA/PKI infrastructure in place.

BB
