We are planning to authenticate access to our ResNet network using Dot1x.
If the user does not have dot1x enabled on their device, or has a device that is not dot1x capable (Wiis, Xboxes etc.), I need the guest VLAN to be able to access some sort of 'registration page' where they can register the MAC address of their device, but restrict access from the guest VLAN to anywhere else (especially the internet).
All of this would be so easy if Cisco would only give us 'mac-auth-bypass' support on the 2950 series, but:-
Restricting access on the VLAN is easy by using an inbound IP ACL on the VLAN to restrict access to specific servers/services etc.
My initial thoughts were to assign a specific IP address to the registered MAC addresses using DHCP pools on the guest VLAN, but clever users will soon pick up on this and use the 'privileged range' for their PC, thus breaking our requirements for authentication (drop onto the guest VLAN - manually assign the right IP address and off they go with NO authentication).
What we need is to allow the user to register the MAC address of their device with the network (along with their identification). The registration system would then 'punch a hole' in the ACL to allow non-guest access to the device.
Simply put, I need an ACL that is controlled by both IP and MAC at the same time - no such beasty exists.
I know I can apply a MAC ACL and an IP ACL to an interface but the default deny-all gets in the way since the IP addresses and/or MAC addresses are initially unknown at the time.
I have fudged a workaround that is not elegant but it works:-
On the 2950 access switches (user ports) I have a service policy applied to the ports that sets the DSCP tag based on a class-map that classifies traffic based on a MAC access-list on the switch. This QoS tag is trusted across the network to the VLAN interface on the router. Here there is an extended IP ACL that identifies traffic that has the matching QoS tag or (and this is the important bit) has an approved destination IP address (i.e. internal sites and services; even external websites are possible).
At the moment each of the access switches has to have its own MAC ACL on it containing source MAC addresses for devices on that switch. This means that the user would have to re-register their MAC address on each switch if they wanted to use the device from a different port elsewhere on the ResNet (LAN parties and the like).
What I am trying to achieve is to have the MAC-ACL and Policy-map/Class-map configured on the core switch and use this to 'tag' the traffic as it enters the switch on the trunk ports. All of this is layer 2 but moves to layer 3 at the guest VLAN interface on the central core switch.
I have tried applying the service policy inbound on the trunk ports but it is NOT tagging the traffic at ingress so that the ACL on the VLAN does not pick it up as 'approved' traffic.
So my question is twofold:-
a) How can I apply a similar service policy to the trunk ports?
b) Is there an easier way to do this without replacing the 2950's?

Here are the configs:
Core switch:- Cisco 3560

interface Vlan<GUEST-VLAN-ID>   ! placeholder: the interface line is not shown in the post
 description DOT1X Guest VLAN
 ip address 10.240.249.254 255.255.255.0
 ip access-group qos-guest-vlan in
!
ip access-list extended qos-guest-vlan
 5 permit ip any any dscp cs3
 6 permit icmp any any dscp cs3
 10 permit udp any any eq bootps
 20 permit udp any any eq bootpc
 30 permit icmp any any echo
 40 permit icmp any any echo-reply
 50 permit icmp any any host-unreachable
 60 permit tcp any host 10.30.249.3 eq 389
 70 permit tcp any host 10.30.251.3 eq 389
 80 permit udp any host 10.30.249.1
 90 permit udp any host 10.30.251.1
 100 permit tcp any host 10.30.249.235 eq www
 110 permit tcp any host 10.30.249.65 eq smtp
 120 permit tcp any host 10.31.251.4 eq www
 130 permit tcp any host 10.30.254.2 eq 1645
 140 permit tcp any host 10.30.254.2 eq 1646
 150 permit tcp any host 10.30.249.202 eq 1645
 160 permit tcp any host 10.30.249.202 eq 1646
 170 permit tcp any host 10.30.249.14 eq 1645
 180 permit tcp any host 10.30.249.14 eq 1646
 190 permit tcp any host 10.30.251.2 eq 1645
 200 permit tcp any host 10.30.251.2 eq 1646
Access switch - Cisco 2950

mac access-list extended mac-guest-vlan
 permit host 0123.4567.89ab any
!
class-map match-all registered-macs
 match access-group name mac-guest-vlan
!
policy-map <GUEST-TAG-POLICY>   ! placeholder: the policy-map line is not shown in the post
 class registered-macs
  set ip dscp 24
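The two-stage policy described in this post (MAC ACL to class-map to DSCP 24 on the 2950 user port, then an extended IP ACL on the 3560 guest SVI that permits CS3-marked traffic or approved destinations) can be checked offline with a small simulator. The code below is an added example, not the poster's or Cisco's code: it parses a subset of the posted `qos-guest-vlan` ACL lines, applies first-match-wins with an implicit deny, and models the access-port marking step. The `rewrite_untrusted` flag is an assumption about the deployment: it models an untrusted QoS port that resets a client-supplied DSCP to 0 before classification, which is what keeps the design from being bypassed by a client that marks its own packets CS3. The packets and the registered MAC set are constructed sample data.

```python
# Added example: simulate the guest-VLAN policy (2950 marking + 3560 SVI ACL).
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set

CS3 = 24  # "set ip dscp 24" on the 2950 equals "dscp cs3" in the 3560 ACL

# Subset of the qos-guest-vlan ACL lines from the post, in posted order.
ACL_TEXT = """
5 permit ip any any dscp cs3
6 permit icmp any any dscp cs3
10 permit udp any any eq bootps
20 permit udp any any eq bootpc
30 permit icmp any any echo
40 permit icmp any any echo-reply
50 permit icmp any any host-unreachable
60 permit tcp any host 10.30.249.3 eq 389
80 permit udp any host 10.30.249.1
100 permit tcp any host 10.30.249.235 eq www
110 permit tcp any host 10.30.249.65 eq smtp
130 permit tcp any host 10.30.254.2 eq 1645
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80, "smtp": 25}
DSCP_NAMES = {"cs3": 24}


@dataclass
class Packet:
    src_mac: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # IOS keyword, e.g. "echo"
    dscp: int = 0                   # marking as sent by the client


def _addr(toks: List[str]):
    """Consume one IOS address spec: 'any' or 'host A.B.C.D'."""
    if toks[0] == "any":
        return None, toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    raise ValueError("unsupported address spec: " + toks[0])


def parse_acl(text: str) -> List[Dict]:
    """Parse '[seq] permit|deny <proto> <src> <dst> [eq P] [dscp D] [icmp-type]'."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0].isdigit():           # drop the sequence number
            toks = toks[1:]
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        rule = {"action": action, "proto": proto, "src": src, "dst": dst,
                "dport": None, "dscp": None, "icmp_type": None}
        i = 0
        while i < len(rest):
            if rest[i] == "eq":
                rule["dport"] = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
                i += 2
            elif rest[i] == "dscp":
                rule["dscp"] = DSCP_NAMES.get(rest[i + 1]) or int(rest[i + 1])
                i += 2
            else:                       # ICMP message keyword
                rule["icmp_type"] = rest[i]
                i += 1
        rules.append(rule)
    return rules


def _matches(rule: Dict, pkt: Packet) -> bool:
    return ((rule["proto"] == "ip" or rule["proto"] == pkt.proto)
            and (rule["dst"] is None or rule["dst"] == pkt.dst_ip)
            and (rule["dport"] is None or rule["dport"] == pkt.dport)
            and (rule["dscp"] is None or rule["dscp"] == pkt.dscp)
            and (rule["icmp_type"] is None or rule["icmp_type"] == pkt.icmp_type))


def access_port_mark(pkt: Packet, registered: Set[str], rewrite_untrusted: bool = True) -> Packet:
    """Stage 1 (2950 user port): registered source MACs are marked CS3.
    rewrite_untrusted=True models an untrusted QoS port resetting the client's
    own DSCP to 0 first (assumption); False keeps whatever the client sent."""
    dscp = 0 if rewrite_untrusted else pkt.dscp
    if pkt.src_mac.lower() in {m.lower() for m in registered}:
        dscp = CS3
    return replace(pkt, dscp=dscp)


def core_acl_permits(rules: List[Dict], pkt: Packet) -> bool:
    """Stage 2 (3560 guest SVI, inbound ACL): first match wins, implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"] == "permit"
    return False


def evaluate(pkt: Packet, registered: Set[str], rewrite_untrusted: bool = True) -> bool:
    """Full path: access-port marking, then the core VLAN ACL."""
    return core_acl_permits(parse_acl(ACL_TEXT), access_port_mark(pkt, registered, rewrite_untrusted))


if __name__ == "__main__":
    regs = {"0123.4567.89ab"}  # the MAC from the posted mac-guest-vlan ACL
    web = Packet("0123.4567.89ab", "203.0.113.10", "tcp", dport=443)
    print("registered -> internet:", evaluate(web, regs))
    print("unregistered -> internet:", evaluate(replace(web, src_mac="aaaa.bbbb.cccc"), regs))
```

Running it shows the intended behaviour (a registered MAC reaches anything, an unregistered one reaches only the listed servers, DHCP and ICMP) and the case worth checking on the real switches: with `rewrite_untrusted=False` a client that sets DSCP 24 on its own packets is permitted by line 5 of the ACL exactly as if it were registered, so the 2950 ports carrying users must not trust client DSCP.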