[RADIATOR] Radiator Access Control on a Cisco Switch

Ian Henderson ianh at chime.net.au
Wed Apr 29 03:25:28 CDT 2009


Gilbert T. Gutierrez, Jr. wrote on 2009-04-29:

> I have a handful of Cisco 3550 switches that I have over one thousand
> customers terminating on.  I want to control these customers using only
> their MAC address and Radiator if possible.  I only want a customer to
> take up one IP address and not be able to step on another customer.
> Currently I do this by putting each customer on their own VLAN which is
> a hassle.

The way to do this is using 802.1x and a Cisco feature called MAC-Auth-Bypass. 802.1x usually requests auth details (username/password) using EAPoL on each switchport before allowing it access to the network. MAB changes this behaviour, and sends the MAC address to the RADIUS server as the username before allowing the port to work (including returning a dynamic VLAN if required). It's usually used in situations where .1x is required, but the end station doesn't support it.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/standalone_mab_ps6017_TSD_Products_Configuration_Guide_Chapter.html


Rgds,



- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
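
Added example (not part of the original message, and not Radiator or Cisco code): a sketch of the server-side decision for a MAB request, where the switch sends the MAC address as User-Name and the server answers with a dynamic VLAN. The function names and the customer table are constructed for illustration; that the switch marks MAB requests with Service-Type Call-Check and puts the MAC in Calling-Station-Id is an assumption about the switch's behaviour.

```python
import struct
# Attribute numbers from RFC 2865. Dynamic VLAN reply per RFC 3580:
# Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (IEEE 802), Tunnel-Private-Group-ID = VLAN.
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CALL_CHECK = 10  # assumption: Service-Type the switch sets on MAB requests
CUSTOMERS = {"001122334455": 210}  # constructed MAC -> VLAN table

def normalize_mac(raw):
    """Reduce 00-11-22-33-44-55, 0011.2233.4455 etc. to 12 lowercase hex digits."""
    text = raw.decode("ascii", "replace").lower()
    digits = "".join(c for c in text if c in "0123456789abcdef")
    return digits if len(digits) == 12 else None

def parse_request(packet):
    """Split a RADIUS packet (RFC 2865 layout) into (code, {attr_type: value})."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def decide(packet):
    """Return ('accept', reply_attrs) or ('reject', reason) for one request."""
    code, attrs = parse_request(packet)
    if code != 1:
        return "reject", "not an Access-Request"
    if attrs.get(SERVICE_TYPE) != struct.pack("!I", CALL_CHECK):
        return "reject", "not a MAB request"
    user = normalize_mac(attrs.get(USER_NAME, b""))
    if user is None or user != normalize_mac(attrs.get(CALLING_STATION_ID, b"")):
        return "reject", "User-Name is not the station MAC"
    if user not in CUSTOMERS:
        return "reject", "unknown MAC"
    return "accept", {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6,
                      TUNNEL_PRIVATE_GROUP_ID: str(CUSTOMERS[user])}

def build_request(user, station, service=CALL_CHECK):  # constructed sample packet
    pairs = ((USER_NAME, user.encode()), (SERVICE_TYPE, struct.pack("!I", service)),
             (CALLING_STATION_ID, station.encode()))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
```

Calling `decide(build_request("001122334455", "00-11-22-33-44-55"))` returns the accept decision with the three tunnel attributes for VLAN 210; any MAC not in the table is rejected.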




