11-29-2009 01:54 AM - edited 03-06-2019 08:45 AM
Hi,
I have 14 secondary C2960 switches configured with dot1x and AAA RADIUS; all authentication happens through the RADIUS server.
My core switch C3750G is connected to all C2960 switches, to the router and to my ISA/Proxy server.
I have a Guest_VLAN on all secondary C2960 switches. I want my guests to be able to reach only the Internet.
I have only one LAN subnet, 192.168.210/24.
My idea is to create a new subnet 192.168.220/24 (only for routing purposes) with the ISA server IP address as the gateway.
Do I have to route the new subnet to the ISA server on the layer 3 switch?
Do I have to create the guest VLAN on all switches with the new subnet + gateway?
I want the authentication to RADIUS with domain computers, since the user accounts reside on another domain.
What are the vendor attributes on the RADIUS server?
Advice please.
Thanks a lot
11-29-2009 03:51 PM
If I understand it correctly, you want to have a guest VLAN that has no access to your internal network. This guest VLAN
is only for Internet traffic.
Assumptions:
1. You are using VTP or GVRP to populate the VLAN ID across multiple switches.
2. You are using trunk ports of some sort between switches and the core.
I would create a new VLAN; all ports on the switches that will be on this VLAN will have a default gateway of the ISA server (so L2 through all your switches). Add an additional NIC to the ISA server if not already there and plug that port into a switch on the new VLAN.
Use ACLs to block traffic from the guest to internal since the trunk ports will need to pass all tags.
Use a loopback IP or a mgmt vlan to source the RADIUS traffic.
Hope this helps
Manny
11-30-2009 01:44 AM
Thank you for your feedback,
ACL is for IP restrictions; all my users, including guests, are on the same subnet.
Any suggestions will be welcome.
Thanks
11-30-2009 02:26 PM
Please can you help me further,
Can you please tell me step by step how I have to do this configuration.
Core switch 3750G; the router and all my secondary 2960 switches are connected to the core switch.
I want all my local users to authenticate to RADIUS.
I want to create a VLAN for local users and VLAN for guest internet.
Where and how do I have to configure dot1x (in all the examples I found on Google it is FastEthernet0/3)?
What do they mean with FastEthernet0/3? Do I have to set dot1x on port FastEthernet0/3 on all switches?
Please can you guide me.
Thanks
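The following IOS configuration is an added illustration of Manny's design above (guest VLAN carried at L2 to the ISA server, a VACL on the core so guest traffic can never reach the internal subnet, RADIUS sourced from a fixed interface) and of the FastEthernet0/3 question: it is only the example access port, and the interface block is repeated on every user-facing port of every 2960. It is not from the thread; VLAN IDs 210/220, the RADIUS server address, the ISA inner-NIC address and the shared secret are assumed placeholders.

```cisco
! ===== Every access switch (C2960) =====
! Assumed: VLAN 210 = internal users 192.168.210.0/24
!          VLAN 220 = guest 192.168.220.0/24, gateway = ISA inner NIC (assumed 192.168.220.1)
! Assumed RADIUS server 192.168.210.5 (placeholder secret, replace before use)
aaa new-model
aaa authentication dot1x default group radius
! Lets RADIUS push a VLAN per user/machine with the standard attributes
! Tunnel-Type(64)=VLAN, Tunnel-Medium-Type(65)=802, Tunnel-Private-Group-ID(81)=<vlan>
aaa authorization network default group radius
radius-server host 192.168.210.5 key RADIUS_SECRET_PLACEHOLDER
! Source RADIUS from one stable address, as suggested in the reply above
ip radius source-interface Vlan210
dot1x system-auth-control
!
vlan 210
 name INTERNAL
vlan 220
 name GUEST
!
interface FastEthernet0/3
 description example user port; apply the same block to every edge port
 switchport mode access
 switchport access vlan 210
 dot1x port-control auto
 ! Clients with no 802.1X supplicant (guests) fall into VLAN 220
 dot1x guest-vlan 220
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description uplink to C3750G core; trunk carries both VLANs
 switchport mode trunk
 switchport trunk allowed vlan 210,220
!
! ===== Core switch (C3750G) =====
! No SVI for VLAN 220: the core stays L2 for guests, so the only exit is
! the ISA server NIC attached to VLAN 220. The VACL is defence in depth.
vlan 220
 name GUEST
ip access-list extended GUEST_TO_INTERNAL
 permit ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255
!
vlan access-map GUEST_FILTER 10
 match ip address GUEST_TO_INTERNAL
 action drop
vlan access-map GUEST_FILTER 20
 action forward
vlan filter GUEST_FILTER vlan-list 220
```

With this layout the answer to "do I have to route the new subnet on the layer 3 switch" is no: guests are routed only by the ISA server, and internal users keep their existing gateway.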