I would try to use 802.1X port authentication
all devices will need to have an 802.1X client but you should be able to achieve a MAC based Vlan.
Using IEEE 802.1x Authentication with VLAN Assignment
Before Cisco IOS Release 12.1(14)EA1, when an IEEE 802.1x port was authenticated, it was authorized to be in the access VLAN configured on the port even if the RADIUS server returned an authorized VLAN from its database. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN.
However, with Cisco IOS Release 12.1(14)EA1 and later releases, the switch supports IEEE 802.1x authentication with VLAN assignment. After successful IEEE 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.
Hope to help
Thanks for the info. But I cannot get hold on how it works in practice. And the doc does not talk about MAC Based VLAN.
Say I switch on my PC. Now how does the Radius server know that the PC's MAC Address is assigned to VLAN x, for example.(I certainly would not want the user to have to enter any network password etc except the domain login to Active Directory)
with 802.1X you can authenticate the device that has an 802.1X client, so for each device client the Radius server will have some associated attributes including the Vlan assignment.
The device will be identified by its MAC address/username and if authentication is OK it will be placed in the vlan as per Radius attributes.
You should be able to make the 802.1X client starting at PC startup and holding credentials (username. pwd).
After getting network access the user will need to perform login to Active Dir as usual.
Call it device based vlan assignment, but the end result should be very close to what you are looking for.
Hope to help
This is certainly interesting to me.
1. So there a 802.1x client to install on each PC. The login details (which is matched on the allowed list of the Radius Server) are preset. Am I correct here?
Is there no way of synchronising it with Active Directory?
2. Also your explanation is somewhat close to a VPMS server. What are the differences/advantages/disadvantages of 802.1x over VPMS?
You really don't have to install anything the 802.1x is in both xp and vista and can be added to 2000 with a patch.
The radius servers job is to define which vlan as well as some access rules that user can have. If you want you can make the radius server ask a AD server to validate the user and password you can. A local userid password is only one option this can really ask any remote server like a one time token server.
You could even run the radius on the same server as the AD server.
Been a long times since I heard talk of VMPS. Ya it is sorta like a 802.1x but you have to hard code all those stupid mac addresses. Nice thing about 802.1x is that it is tied to a user/password rather than some mac address that almost any pc can change. It used to take some skill to forge a mac now you just go into the properties box and type it in on the newer machines.
I had also thought of VMPS but I'm afraid it can lead to some problems with some features like VoIP and others.
Nice to hear that on Win XP and Vista 802.1X client is already present (as the IPv6 stack).
Good point is that a PC NIC and its MAC address can change over time.
This is actually better than I was looking for. No need for MAC Based VLAN or VMPS
Here is my future plans:
1) In the next few days, we will install Windows 2008 Active Directory
2) In Win2008, there is a feature called Network Policy Server which enables the Radius Service.
3) Somehow all my Windows clients will authenticate 802.1x with the Radius server with the user logins on Active Directory, ie the Radius server will check the credentials on AD (I have no idea how to do this at the moment)
4) After login is verified, the Cisco switch port is reconfigured to the appropriate access VLAN. (Need to find out how to do this too)
Anyone has tried this setup?
Here are my issues:
a) What happens if I have a PC connected to Cisco IP Phone? Both need to be on its own VLANs. Only the access VLAN will be configured not the Voice VLAN?
After going through tutorials on the web, I realise that Radius Server has nothing to do with Active Directory.
1. In fact, does 802.1x authentication even require a Radius Server??
Regarding IP Phone, it simply Access VLAN that will be changed and not Voip vlan.
2. My query is say I have a compliant VLAN and a non-compliant VLAN. I connect an unmanaged switch to a Cisco port set for 802.1x authentication. 2 PCs are connected to the unmanaged switch. One is compliant while the other is not. How will the Cisco port be configured?
To configure VLAN assignment you need to perform these tasks:
â¢Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.
â¢Enable IEEE 802.1x authentication. (
>>>The VLAN assignment feature is automatically enabled when you configure IEEE 802.1x authentication on an access port).
â¢Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:
- Tunnel-Type = VLAN
- Tunnel-Medium-Type = 802
- Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute  must contain the value VLAN (type 13). Attribute  must contain the value 802 (type 6). Attribute  specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
you should use only managed switches in my humble opinion otherwise you are exposed to possible attack like putting a switch there in order to get access.
I think you can configure the managed switch port to go to errdisable state if it receives a MAC address that has not passed the 802.1X authentication
IEEE 802.1x Host Mode
You can configure an IEEE 802.1x port for single-host or for multiple-hosts mode. In single-host mode (see Figure 10-1), only one client can be connected to the IEEE 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
or combine 802.1X with port security
Hope to help