Getting around a lack of MAB on 2950 switches

Unanswered Question
Jul 8th, 2010

Hi folks,

We are planning to authenticate access to our ResNet network using Dot1x.

If the user does not have dot1x enabled on their device or a device that is not dot1x capable (Wii's, XBOX's etc.), I need the guest VLAN to be able to access some sort of 'registration page' where they can register the MAC address of their device but restrict access from the guest VLAN to anywhere else (especially the internet).

All of this would be so easy if Cisco would only give us 'mac-auth-bypass' support on the 2950 series but:-

Restricting access on the VLAN is easy by using an inbound IP ACL on the VLAN to restrict access to specific servers/services etc.

My initial thoughts were to assign a specific IP address to the registered MAC addresses using DHCP pools on the guest VLAN but clever users will soon pick up on this and use the 'privileged range' for their PC thus breaking our requirements for authentication (drop onto the guest VLAN - manually assign the right IP address and off they go with NO authentication).

What we need is to allow the user to register the MAC address of their device with the network (along with their identification). The registration system would then 'punch a hole' in the ACL to allow non-guest access to the device.

Simply put I need an ACL that is controlled by both IP or MAC at the same time - no such beasty exists.

I know I can apply a MAC ACL and an IP ACL to an interface but the default deny-all gets in the way since the IP addresses and/or MAC addresses are initially unknown at the time.

I have fudged a workaround that is not elegant but it works:-

On the 2950 access switches (user ports) I have a service policy applied to the ports that sets the DSCP tag based on a class-map that classifies traffic based on a MAC access-list on the switch. This QoS tag is trusted across the network to the VLAN interface on the router. Here there is an extended IP ACL that identifies traffic that has the matching QoS tag or (and this is the important bit) has an approved destination IP address (i.e. internal sites and services; even external web sites are possible).

At the moment each of the access switches has to have its own MAC ACL on it containing source MAC addresses for devices on that switch. This means that the user would have to re-register their MAC address on each switch if they wanted to use the device from a different port elsewhere on the ResNet (LAN parties and the like).

What I am trying to achieve is to have the MAC-ACL and Policy-map/Class-map configured on the core switch and use this to 'tag' the traffic as it enters the switch on the trunk ports. All of this is layer 2 but moves to layer 3 at the guest VLAN interface on the central core switch.

I have tried applying the service policy inbound on the trunk ports but it is NOT tagging the traffic at ingress so that the ACL on the VLAN does not pick it up as 'approved' traffic.

So my question is twofold:-

a) How can I apply a similar service policy to the trunk ports?

b) Is there an easier way to do this without replacing the 2950's?


Andrew Torry

Here are the configs:-

Core switch:- Cisco 3560

interface Vlan820
description DOT1X Guest VLAN
ip address
ip access-group qos-guest-vlan in

! Lines 5 and 6: traffic already marked cs3 (DSCP 24) by the registered-MAC
! policy on an access switch may go anywhere. Everything else is limited to
! the DHCP, ICMP and approved server/service entries that follow; the
! implicit deny at the end blocks the rest (including the internet).
ip access-list extended qos-guest-vlan
    5 permit ip any any dscp cs3
    6 permit icmp any any dscp cs3
    10 permit udp any any eq bootps
    20 permit udp any any eq bootpc
    30 permit icmp any any echo
    40 permit icmp any any echo-reply
    50 permit icmp any any host-unreachable
    60 permit tcp any host eq 389
    70 permit tcp any host eq 389
    80 permit udp any host
    90 permit udp any host
    100 permit tcp any host eq www
    110 permit tcp any host eq smtp
    120 permit tcp any host eq www
    130 permit tcp any host eq 1645
    140 permit tcp any host eq 1646
    150 permit tcp any host eq 1645
    160 permit tcp any host eq 1646
    170 permit tcp any host eq 1645
    180 permit tcp any host eq 1646
    190 permit tcp any host eq 1645
    200 permit tcp any host eq 1646

Access switch - Cisco 2950

! Classify frames whose source MAC is in the local registered list and
! mark them DSCP 24 (cs3); unmatched frames are left as they arrive.
class-map match-all registered-macs
  match access-group name mac-guest-vlan

policy-map registered-macs-policy
  class registered-macs
    set ip dscp 24

! One permit per registered device. This list is local to each 2950, which
! is why a device has to be re-registered when it moves to another switch.
mac access-list extended mac-guest-vlan
permit host 0123.4567.89ab any
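As an added example (not part of Andrew's post or of any Cisco configuration), here is a small Python model of the two-stage workaround he describes: a per-switch MAC list marks frames cs3 at the access port, and the guest VLAN ACL on the core permits a packet if it carries cs3 or targets an approved service. The switch names, MAC addresses, IPs and approved-destination list are constructed for the demonstration; every user frame is assumed to arrive with DSCP 0.

```python
"""Model of the 'MAC ACL -> DSCP mark -> IP ACL' guest VLAN workaround.

Stage 1 (2950 access switch): frames from a source MAC in *that switch's*
registered list are marked DSCP cs3 (24); everything else stays at DSCP 0.
Stage 2 (Vlan820 on the core): permit if the packet carries cs3 OR its
destination is an approved service; otherwise the implicit deny applies.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass

CS3 = 24  # DSCP value written by 'set ip dscp 24'

# One MAC ACL per access switch, exactly as the post describes.
REGISTERED_MACS = {
    "access-sw-1": {"0123.4567.89ab"},
    "access-sw-2": set(),          # device has not been registered here
}

# Destinations any guest may reach (constructed registration/LDAP/DHCP hosts).
APPROVED_DST = {
    ("10.0.0.10", "tcp", 80),      # registration web page
    ("10.0.0.20", "tcp", 389),     # LDAP
    ("10.0.0.30", "udp", 67),      # DHCP server (bootps)
}


@dataclass
class Packet:
    src_mac: str
    dst_ip: str
    proto: str
    dst_port: int
    dscp: int = 0


def access_switch_mark(switch: str, pkt: Packet) -> Packet:
    """Stage 1: class-map registered-macs -> set ip dscp 24, per switch."""
    if pkt.src_mac in REGISTERED_MACS.get(switch, set()):
        pkt.dscp = CS3
    return pkt


def guest_vlan_acl(pkt: Packet) -> bool:
    """Stage 2: the qos-guest-vlan ACL. True = permit, False = implicit deny."""
    if pkt.dscp == CS3:            # 'permit ip any any dscp cs3'
        return True
    return (pkt.dst_ip, pkt.proto, pkt.dst_port) in APPROVED_DST


def forward(switch: str, pkt: Packet) -> bool:
    """Whole path: user port on `switch` -> trunk -> Vlan820 ACL on the core."""
    return guest_vlan_acl(access_switch_mark(switch, pkt))
```

The last case in the checks below reproduces the roaming problem from the post: a MAC registered on access-sw-1 that is plugged into access-sw-2 is never marked, so it is confined to the approved services again.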
