We are planning to authenticate access to our ResNet network using Dot1x.
If a user does not have dot1x enabled on their device, or has a device that is not dot1x capable (Wiis, Xboxes etc.), I need the guest VLAN to be able to access some sort of 'registration page' where they can register the MAC address of their device, but restrict access from the guest VLAN to anywhere else (especially the internet).
All of this would be so easy if Cisco would only give us 'mac-auth-bypass' support on the 2950 series, but:-
Restricting access on the VLAN is easy by using an inbound IP ACL on the VLAN to restrict access to specific servers/services etc.
My initial thoughts were to assign a specific IP address to the registered MAC addresses using DHCP pools on the guest VLAN, but clever users will soon pick up on this and use the 'privileged range' for their PC, thus breaking our requirements for authentication (drop onto the guest VLAN - manually assign the right IP address and off they go with NO authentication).
What we need is to allow the user to register the MAC address of their device with the network (along with their identification). The registration system would then 'punch a hole' in the ACL to allow non-guest access to the device.
Simply put, I need an ACL that is controlled by both IP and MAC at the same time - no such beasty exists.
I know I can apply a MAC ACL and an IP ACL to an interface but the default deny-all gets in the way since the IP addresses and/or MAC addresses are initially unknown at the time.
I have fudged a workaround that is not elegant, but it works:-
On the 2950 access switches (user ports) I have a service policy applied to the ports that sets the DSCP tag based on a class-map that classifies traffic based on a MAC access-list on the switch. This QoS tag is trusted across the network to the VLAN interface on the router. Here there is an extended IP ACL that identifies traffic that has the matching QoS tag or (and this is the important bit) has an approved destination IP address (i.e. internal sites and services; even external web sites are possible).
At the moment each of the access switches has to have its own MAC ACL on it containing source MAC addresses for devices on that switch. This means that the user would have to re-register their MAC address on each switch if they wanted to use the device from a different port elsewhere on the ResNet (LAN parties and the like).
What I am trying to achieve is to have the MAC-ACL and Policy-map/Class-map configured on the core switch and use this to 'tag' the traffic as it enters the switch on the trunk ports. All of this is layer 2 but moves to layer 3 at the guest VLAN interface on the central core switch.
I have tried applying the service policy inbound on the trunk ports but it is NOT tagging the traffic at ingress so that the ACL on the VLAN does not pick it up as 'approved' traffic.
So my question is twofold:-
a) How can I apply a similar service policy to the trunk ports?
b) Is there an easier way to do this without replacing the 2950s?
================ Here are the configs ================
Core switch:- Cisco 3560
interface Vlan820
 description DOT1X Guest VLAN
 ip address 10.240.249.254 255.255.255.0
 ip access-group qos-guest-vlan in
end

ip access-list extended qos-guest-vlan
 5 permit ip any any dscp cs3
 6 permit icmp any any dscp cs3
 10 permit udp any any eq bootps
 20 permit udp any any eq bootpc
 30 permit icmp any any echo
 40 permit icmp any any echo-reply
 50 permit icmp any any host-unreachable
 60 permit tcp any host 10.30.249.3 eq 389
 70 permit tcp any host 10.30.251.3 eq 389
 80 permit udp any host 10.30.249.1
 90 permit udp any host 10.30.251.1
 100 permit tcp any host 10.30.249.235 eq www
 110 permit tcp any host 10.30.249.65 eq smtp
 120 permit tcp any host 10.31.251.4 eq www
 130 permit tcp any host 10.30.254.2 eq 1645
 140 permit tcp any host 10.30.254.2 eq 1646
 150 permit tcp any host 10.30.249.202 eq 1645
 160 permit tcp any host 10.30.249.202 eq 1646
 170 permit tcp any host 10.30.249.14 eq 1645
 180 permit tcp any host 10.30.249.14 eq 1646
 190 permit tcp any host 10.30.251.2 eq 1645
 200 permit tcp any host 10.30.251.2 eq 1646
Access switch - Cisco 2950
class-map match-all registered-macs
 match access-group name mac-guest-vlan

policy-map registered-macs-policy
 class registered-macs
  set ip dscp 24

mac access-list extended mac-guest-vlan
 permit host 0123.4567.89ab any
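The following is an added example, not part of the post or the poster's configuration. It models the workaround end to end in Python: the 2950 side sets DSCP 24 (cs3) for frames whose source MAC is in the MAC ACL, and the 3560 VLAN interface evaluates a subset of the qos-guest-vlan ACL above top-down, first match wins, implicit deny at the end. It also renders the MAC ACL for every access switch from one central registry, which is the part the registration system would need to push out so a device registered once is accepted on any 2950. The `trust_dscp` flag is the check a practitioner will want to run: the whole scheme rests on the access port re-marking DSCP on frames from unregistered MACs, so the model assumes an untrusted port rewrites DSCP to 0 and shows what the VLAN ACL does if it does not. Packet values, the `0000.5e00.5301` MAC and the `203.0.113.10` destination are constructed; the registered MAC and ACL lines are taken from the post.

```python
"""Model of the DSCP-tagging workaround (added example, not the poster's config)."""
import re
from dataclasses import dataclass, replace
from typing import Optional

# Subset of the qos-guest-vlan ACL from the post, same order, sequence numbers kept.
QOS_GUEST_VLAN_ACL = """
5 permit ip any any dscp cs3
6 permit icmp any any dscp cs3
10 permit udp any any eq bootps
20 permit udp any any eq bootpc
30 permit icmp any any echo
40 permit icmp any any echo-reply
60 permit tcp any host 10.30.249.3 eq 389
100 permit tcp any host 10.30.249.235 eq www
130 permit tcp any host 10.30.254.2 eq 1645
"""
PORT_NAMES = {"www": 80, "smtp": 25, "bootps": 67, "bootpc": 68, "ldap": 389}
DSCP_NAMES = {"cs3": 24}
ICMP_TYPES = {"echo", "echo-reply", "host-unreachable"}

@dataclass
class Packet:
    src_mac: str
    proto: str                        # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: Optional[int] = None    # tcp/udp destination port
    icmp_type: Optional[str] = None   # named ICMP type, as written in the ACL
    dscp: int = 0

@dataclass
class Rule:
    action: str
    proto: str                        # "ip" matches every protocol
    dst_host: Optional[str]
    dst_port: Optional[int]
    dscp: Optional[int]
    icmp_type: Optional[str]

    def matches(self, p: Packet) -> bool:
        # A field left as None in the rule is a wildcard ("any").
        return (self.proto in ("ip", p.proto)
                and self.dst_host in (None, p.dst_ip)
                and self.dst_port in (None, p.dst_port)
                and self.dscp in (None, p.dscp)
                and self.icmp_type in (None, p.icmp_type))

LINE_RE = re.compile(
    r"^(?:\d+\s+)?(permit|deny)\s+(ip|tcp|udp|icmp)\s+any\s+(any|host\s+\S+)\s*(.*)$")

def parse_acl(text: str) -> list:
    """Parse the 'any <dst> [eq port] [dscp x] [icmp-type]' lines this model supports."""
    rules = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {raw!r}")
        action, proto, dst, rest = m.groups()
        dst_host = dst.split()[1] if dst.startswith("host") else None
        dst_port = dscp = icmp_type = None
        tokens = rest.split()
        while tokens:
            tok = tokens.pop(0)
            if tok == "eq":
                val = tokens.pop(0)
                dst_port = PORT_NAMES[val] if val in PORT_NAMES else int(val)
            elif tok == "dscp":
                val = tokens.pop(0)
                dscp = DSCP_NAMES[val] if val in DSCP_NAMES else int(val)
            elif proto == "icmp" and tok in ICMP_TYPES:
                icmp_type = tok
            else:
                raise ValueError(f"unsupported keyword {tok!r} in {raw!r}")
        rules.append(Rule(action, proto, dst_host, dst_port, dscp, icmp_type))
    return rules

def access_switch_ingress(pkt: Packet, registered_macs, trust_dscp: bool = False) -> Packet:
    """2950 side: class-map matches the MAC ACL, policy-map sets DSCP 24.
    Other frames keep their DSCP only if the port trusts it; the model assumes an
    untrusted port (the default) rewrites DSCP to 0 before forwarding (assumption)."""
    if pkt.src_mac.lower() in registered_macs:
        return replace(pkt, dscp=24)
    return pkt if trust_dscp else replace(pkt, dscp=0)

def vlan_acl_action(rules, pkt: Packet) -> str:
    """3560 VLAN interface: first matching line wins; implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def is_permitted(pkt: Packet, registered_macs, rules=None, trust_dscp: bool = False) -> bool:
    rules = rules if rules is not None else parse_acl(QOS_GUEST_VLAN_ACL)
    marked = access_switch_ingress(pkt, registered_macs, trust_dscp)
    return vlan_acl_action(rules, marked) == "permit"

def mac_acl_config(name: str, registered_macs) -> str:
    """Render one MAC ACL from the central registry for every access switch (constructed helper)."""
    lines = [f"mac access-list extended {name}"]
    lines += [f" permit host {mac} any" for mac in sorted(registered_macs)]
    return "\n".join(lines)

if __name__ == "__main__":
    registry = {"0123.4567.89ab"}   # the MAC from the post's 2950 config
    print(mac_acl_config("mac-guest-vlan", registry))
    web = Packet("0123.4567.89ab", "tcp", "203.0.113.10", dst_port=443)   # constructed
    print("registered -> internet:", is_permitted(web, registry))
    other = replace(web, src_mac="0000.5e00.5301", dscp=24)               # constructed, arrives marked cs3
    print("unregistered, arrives cs3, untrusted port:", is_permitted(other, registry))
    print("unregistered, arrives cs3, trusted port:", is_permitted(other, registry, trust_dscp=True))
```

Run as a script it prints the rendered MAC ACL and then three decisions: the registered device reaches the internet, an unregistered device that arrives already marked cs3 is denied when the access port re-marks it, and permitted when the port trusts DSCP. The last case is why the trust boundary on the 2950 user ports, not the ACL on the 3560, is the control to verify.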