07-15-2007 11:18 PM - edited 03-05-2019 05:18 PM
Dear Cisco-ers,
I've been asked to deny any unauthorized Layer 2 traffic at my office. So, if any unlisted MAC address is accessing our traffic.
I do this on the switch level, right? Now I'm confused about the method I'm using. Should I use switchport security? (I've presented this to my boss and he said it's not effective.) What is effective switchport security...
OR should I use a MAC address access-list?
Please enlighten me
Thanks
07-15-2007 11:26 PM
Hi
Well that is a bit of an open ended request.
You could use port-security and manually code each port with the relevant mac-address but this is an admin nightmare.
You could look into mac-address authentication using a radius server so you then just need to keep a list of allowed mac-addresses on your network. Easier than first but still a large admin overhead.
You could go the whole hog and do user based dot1x authentication on the switches so only authenticated users can get onto the network.
What exactly is your boss worried about ?
Jon
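The first and third options Jon lists, side by side, as an added example configuration that is not from this thread. It assumes a Catalyst IOS switch that supports 802.1X (such as the 3550 mentioned later); the interface names, the MAC address, the RADIUS server 192.0.2.10 and its key are placeholders.

```cisco
! --- Option 1: port-security, one hand-coded MAC per port ---
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ! placeholder MAC; every port needs its own entry, which is the admin burden
 switchport port-security mac-address 0000.1111.2222
 ! restrict drops frames from any other MAC and counts a violation;
 ! shutdown would err-disable the port instead
 switchport port-security violation restrict
!
! --- Option 3: 802.1X, users/machines authenticated against RADIUS (ACS or IAS) ---
aaa new-model
aaa authentication dot1x default group radius
! placeholder server address and shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
dot1x system-auth-control
!
interface FastEthernet0/2
 switchport mode access
 ! port forwards only EAPOL until the supplicant authenticates
 dot1x port-control auto
 ! Option 2 as a fallback for devices without a supplicant: the switch sends the
 ! MAC address to RADIUS as the username (needs a later 12.2 IOS)
 dot1x mac-auth-bypass
!
! Checks:
!  show port-security interface FastEthernet0/1   (secure MACs, violation count)
!  show dot1x interface FastEthernet0/2           (authorized / unauthorized state)
```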
07-16-2007 12:02 AM
Well, my IT Manager is worried about various guests from my big-director carrying their own notebooks, and he's afraid the guests are accessing our company's data and all.
So, what do you suggest? dot1x or RADIUS? And what do I require to obtain those needs?
Well, I've predicted this is some kind of complicated work, but.. as long as I get paid, right :)
07-16-2007 12:11 AM
Hi
Well, if you are worried about guests connecting their own laptops to your network then you will need to look at 802.1x authentication, whether it be mac-address authentication or user based authentication.
You will need a RADIUS server; the Cisco version is the ACS server, but Microsoft also comes with a free one called IAS.
What switches do you have? You can search on the Cisco site with the switch type and 802.1x,
e.g. "3550 configuration 802.1x", and this should bring up some docs that will get you started.
HTH
Jon
07-16-2007 12:44 AM
Well, I use the ol' 2950, which I believe doesn't come with 802.1x.
So, the point is, if I don't use an 802.1x capable switch, I can't use the 802.1x feature?
I have a Linksys SRW224P and it includes 802.1x. Can I use it? Is it compatible with Cisco switches?
07-16-2007 01:37 AM
To implement 802.1x you will need 802.1x compatible switches.
I've played with 802.1x authentication on a wired Lan and there are a few other things you will need to check.
First off, all clients must be Win 2k or XP, or you will need to obtain additional software to get them to authenticate.
Mac OS X and most Linux distributions support 802.1x but are not easy to configure.
Microsoft IAS is fine, but if you want the authentication to be secure, you will need to use TLS, install a certificate on your RADIUS server and put in place mechanisms to get that cert trusted on your clients.
You might suggest policy and educating your users is a more cost effective and efficient solution.
Write a network policy that forbids the use of non business equipment on the business network and then get it signed off by the director and enforce it.
07-17-2007 06:47 PM
Hi,
I want to implement the same solution:
MAC address authentication via Microsoft IAS.
Do you have any document to help me with this configuration?
Regards
Mohamed
07-16-2007 05:00 AM
What is the IOS and exact model number of the 2950's you are using? Paste the "show version" from the 2950.
-amit singh
07-16-2007 10:13 PM
Sorry, wrong version, it's a 2924:
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC10, RELEASE SOFTWARE (fc1)
cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
What is a RADIUS server? And am I building the server like the usual Windows 2003 server?