Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco 2960SF to Port Authentication via MAC Address using Radius

Hi Guys,


Hoping someone again an answer my question...


Here's the scenario:


My boss wants me to restrict my co-employees on freely inserting their devices to our network. He then ask me if I can do a security where the devices should enroll their mac address before connecting to our network to gain internet. After reading some forums I came up in using the following:

a. 2 Cisco Switch 2960SF

b. Radius Server (Free Radius).

c. 3650 Cisco Layer


Connection between Radius and Cisco 2960 is working before when I telnet the ip of the switch it prompts me to username and password and I can use my created user and password...


My problem is that, when I tried to insert a pc to the Cisco Switch to test if the blocking of the port is working, to my surprise I can still connect to the network. I did not add the mac address of the pc to the radius server but still I can connect and access to the internet.






Everyone's tags (1)

Hi deocanave If you have


If you have access to your co-workers devices you can take the MAC address fro those devices after that apply a Port-security policy on the switch .


For example :

Switch(config)# interface gig0/2

Switch(config-if)# switchport mode acess

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security maximum 1

Switch(config-if)# switchport port-security mac-address 00-d0-ba-11-21-31

Switch(config-if)# switchport port-security violation shutdown



Only the MAC address of the device assigned to that port can connect  to the network .


Instead of:


Switch(config-if)# switchport port-security mac-address 00-d0-ba-11-21-31


You can use

Switch(config-if)# switchport port-security mac-address sticky


And the MAC address of the device will be automatically configured but this port only will allow one user.


-Hope this helps -

New Member

HI Sir, Thank you for this...

HI Sir,


Thank you for this... Is there any other way, because we are using Radius server for the purpose of auditing and for our other it that has no knowledge in using cisco commands...






Hi ,  Well I'm not an expert

Hi , 


Well I'm not an expert with RADIUS technology , but If you're using the RADIUS server for auditing and tracking purposes. 


 I would configure the port security on the switch , after that enable the logging and every time the port-secuirty is violated  sent a log to the Radius server.


Hope this helps. 

CreatePlease to create content