LAN Authorization with Cat5500 switch

alain.desnoyers
Level 1

Hi all,

I have a client who has asked me to provide security using TACACS+ or RADIUS with RSA ACE/Server. Here is a detailed description of what the client wants. Any ideas on how to accomplish this?

Here it is:

The requirement is that prior to accessing the network the user must log in to the switch; the switch will validate the user via RADIUS or TACACS+ and establish a VLAN for the user. The VLAN must be locked to the physical switch port, IP address, protocol and virtual port. (Port 12 Slot 3, 10.xxx.xxx.4, TCP/IP, 80) would be an entry for a WWW server on our internal LAN. The same conditions apply regardless of whether you are internal or external, as once you have access to the network the first thing you see is the switch authentication (SW may be needed on the clients to do this).

The VLANs will be user based and no traffic will be allowed for unprotected sessions; the exception needs to be on the server side, where VLANs will be established for all traffic, thereby allowing things like NTP or DNS resolution.

A user may be allowed to access only one port, and if the system or machine does not have a VLAN allowing access, then even with root access they cannot jump/hop from there. Note this means an explicit VLAN for any user connection is needed, so that if I am allowed to access a physical switch port, IP address, protocol and virtual port, and it in turn is allowed to get to another physical switch port, IP address, protocol and virtual port, that must be listed in my VLAN.

Thanks

3 Replies

ciscomoderator
Community Manager

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you, or there is no public information available at this time. If you don't get a suitable response to your post, you may wish to review our resources at the online http://www.cisco.com/go/solutions. You may also contact our product information line at 1-800-553-NETS or a Cisco Systems Engineer at your local Cisco office or reseller. To locate your local Cisco representative, visit http://www.cisco.com/warp/public/687/Directory.shtml

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

Juha Polkko
Level 4

Hi!

Cisco IOS Firewall Authentication Proxy provides dynamic, per-user authentication and authorization, authenticating users against TACACS+ and RADIUS authentication protocols.

You need only an RSM with the IOS Firewall feature set and CiscoSecure ACS.

More details:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdauthp.htm

BR Juha
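To make Juha's suggestion concrete, here is an added configuration example (not from the thread or from Cisco's documentation) showing how the IOS Firewall Authentication Proxy would sit on the RSM and how the per-user entries are supplied by the TACACS+ server. All addresses, names and the user "alice" are hypothetical; 10.20.30.4 stands in for the internal web server the post calls 10.xxx.xxx.4. The TACACS+ fragment uses the tac_plus daemon's file syntax; with CiscoSecure ACS the same attributes are entered under the user's auth-proxy service.

```cisco
! ---- RSM (IOS Firewall feature set) side ----
! Hypothetical addresses: TACACS+ server 10.1.1.5, DNS 10.1.1.53, NTP 10.1.1.123,
! RSM interface on the user VLAN 10.10.10.1/24, internal web server 10.20.30.4.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.5
tacacs-server key EXAMPLE-SHARED-SECRET
!
! The proxy intercepts the user's first HTTP request and serves its login page
! from the router's HTTP server, which must therefore authenticate via AAA.
ip http server
ip http authentication aaa
!
! Per-user dynamic entries are torn down after 60 idle minutes.
ip auth-proxy auth-cache-time 60
ip auth-proxy name USERAUTH http
!
interface Vlan10
 description user VLAN; every host is forced through the auth proxy
 ip address 10.10.10.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy USERAUTH
!
! Static inbound ACL: before a user authenticates, only DNS and NTP on the
! server side are reachable (the "server side" exception in the post).
! Successful logins prepend their per-user entries to this ACL.
access-list 110 permit udp 10.10.10.0 0.0.0.255 host 10.1.1.53 eq domain
access-list 110 permit udp 10.10.10.0 0.0.0.255 host 10.1.1.123 eq ntp
access-list 110 deny ip any any
!
! ---- TACACS+ server side (tac_plus syntax, hypothetical user "alice") ----
! On login the RSM downloads every proxyacl#n attribute and installs it with
! "any" in the source position replaced by the authenticated host's address,
! so alice's entry becomes "permit tcp host <alice-ip> host 10.20.30.4 eq 80".
#
# user = alice {
#     login = cleartext "change-me"
#     service = auth-proxy {
#         priv-lvl=15
#         proxyacl#1="permit tcp any host 10.20.30.4 eq 80"
#     }
# }
```

Two caveats a practitioner would want before promising this to the client: the dynamic entries are keyed on the authenticated host's source IP address, not on the physical switch port the post asks for, so a host that can take over that address after the user authenticates inherits the entry until the cache timer expires; and the proxy only triggers on HTTP, so clients that never open a browser session stay at the static ACL's DNS/NTP-only level.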

udechimee
Level 1

Hello,

This response might be rather late for your problem. The reason being, I am new to the forum, was going through the threads and noticed that your question was not addressed.

I believe you can utilize VMPS to achieve the solution.

With VMPS, you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

I have implemented this on a bank security configuration.

Sorry if this came late. Hopefully, if not too late, this will help.

Elias
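As an added illustration of the VMPS approach Elias describes (not from the thread, and not the configuration he refers to), here is what the VMPS database file looks like together with the CatOS commands a Catalyst 5500 needs to use it. Domain name, VLAN names, MAC addresses and switch addresses are hypothetical, and the CatOS lines are written from memory of the 4.x/5.x syntax, so confirm them against the command reference for the release in use.

```cisco
! ---- VMPS database file, fetched over TFTP by the switch acting as VMPS server ----
vmps domain CORP
! secure: a port whose MAC is not in the database is shut down rather than
! parked in a fallback VLAN (open mode would add "vmps fallback <vlan-name>")
vmps mode secure
vmps no-domain-req deny
!
! MAC-to-VLAN entries. --NONE-- is the reserved VLAN name that denies the host.
vmps-mac-addrs
address 0001.0203.0405 vlan-name USERS
address 0001.0203.0406 vlan-name USERS
address 0001.0203.0407 vlan-name --NONE--
!
! Port policy: port 3/12 on switch 10.1.1.2 may only ever be placed in SERVERS;
! a MAC that maps to another VLAN is refused on that port.
vmps-port-policies vlan-name SERVERS
 device 10.1.1.2 port 3/12
!
! ---- CatOS on the Catalyst 5500 acting as VMPS client ----
! (exact syntax assumed; verify for the running CatOS release)
! set vmps server 10.1.1.2 primary
! set vmps state enable
! set port membership 3/12 dynamic
! show vmps
```

Note what this does and does not give the client: VMPS authenticates a device's MAC address, which any host can change, not a user, and it only chooses the VLAN. The IP address, protocol and TCP-port locking in the original requirement still has to be enforced with ACLs on the RSM (or a per-user mechanism such as the authentication proxy), so VMPS is best treated as a port-assignment control layered under that, not as the authentication step itself.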
