[RADIATOR] Radiator Access Control on a Cisco Switch

Gilbert T. Gutierrez, Jr. Gilbert.G at phoenixinternet.net
Wed Apr 29 14:57:05 CDT 2009


Ian and Hugh,
Thank you for your responses.  Ian, your response, MAB, was what I was
looking for, with the exception that in some cases I have 100+ customers on a
single FE port and I cannot have the port shut down if one customer fails
authentication.  I am trying to find out what the behavior for
"authentication violation restrict" is.  It is not defined in the document
that I was referred to, and I am still trying to find it on the Cisco site.


Gilbert

-----Original Message-----
From: Ian Henderson [mailto:ianh at chime.net.au] 
Sent: Wednesday, April 29, 2009 1:25 AM
To: 'Gilbert T. Gutierrez, Jr.'; 'radiator at open.com.au'
Subject: RE: [RADIATOR] Radiator Access Control on a Cisco Switch

Gilbert T. Gutierrez, Jr. wrote on 2009-04-29:

> I have a handful of Cisco 3550 switches that I have over one thousand
> customers terminating on.  I want to control these customers using only
> their MAC address and Radiator if possible.  I only want a customer to
> take up one IP address and not be able to step on another customer.
> Currently I do this by putting each customer on their own VLAN which is
> a hassle.

The way to do this is using 802.1x and a Cisco feature called
MAC-Auth-Bypass. 802.1x usually requests auth details (username/password)
using EAPoL on each switchport before allowing it access to the network. MAB
changes this behaviour, and sends the MAC address to the RADIUS server as
the username before allowing the port to work (including returning a dynamic
VLAN if required). It's usually used in situations where .1x is required, but
the end station doesn't support it.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/standalone_mab_ps6017_TSD_Products_Configuration_Guide_Chapter.html


Rgds,

- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
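As an added example (not code from the thread, and not Radiator's own code), here is the MAB exchange Ian describes, carried out at the RADIUS wire level in Python: the switch puts the client's MAC in User-Name and User-Password (hidden as RFC 2865 prescribes), the server looks the MAC up in a per-customer table and answers Access-Accept with Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID so the port lands on that customer's VLAN. The shared secret, the MAC addresses and the VLAN table are assumed. Two practitioner caveats: MAB authenticates nothing but a MAC address, which any host can clone, so it keeps customers from stepping on each other by accident but does not stop a deliberate impersonator; and in Radiator this lookup is expressed in the server's configuration rather than in code like this.

```python
"""Constructed MAC-Auth-Bypass exchange: switch (NAS) side and RADIUS server side.
Secret, MACs and VLANs below are made up for the example."""
import hashlib
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

SECRET = b"example-shared-secret"          # assumed shared secret
CUSTOMER_VLANS = {"001a2b3c4d5e": 101,     # assumed MAC -> VLAN table
                  "0011223344ff": 102}


def normalize_mac(s):
    """Canonical form: 12 lower-case hex digits. Cisco sends User-Name as
    001a2b3c4d5e and Calling-Station-Id as 00-1A-2B-3C-4D-5E; other NASes use
    colons or dots, so strip every separator before comparing."""
    digits = re.sub(r"[^0-9a-fA-F]", "", s).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % s)
    return digits


def hide_password(password, authenticator, secret):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, authenticator, secret):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(data):
    attrs, pos = {}, 20
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def mab_request(mac, ident=1):
    """Switch side: MAB sends the MAC as both User-Name and User-Password."""
    mac12 = normalize_mac(mac)
    ra = os.urandom(16)                      # Request Authenticator
    dashed = "-".join(mac12[i:i + 2] for i in range(0, 12, 2)).upper()
    return packet(ACCESS_REQUEST, ident, ra, [
        attr(USER_NAME, mac12.encode()),
        attr(USER_PASSWORD, hide_password(mac12.encode(), ra, SECRET)),
        attr(CALLING_STATION_ID, dashed.encode())])


def mab_server(request, secret=SECRET):
    """Server side: accept a known MAC and return its VLAN in the RFC 3580
    tunnel attributes; reject anything else. Returns (code, vlan, reply)."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    ra = request[4:20]
    attrs = parse_attrs(request)
    user = attrs.get(USER_NAME, b"")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), ra, secret)
    try:
        mac = normalize_mac(user.decode())
    except (ValueError, UnicodeDecodeError):
        mac = None
    # MAB convention: password == username == MAC. A wrong secret garbles pw.
    if mac is None or pw != user or mac not in CUSTOMER_VLANS:
        code, vlan, reply_attrs = ACCESS_REJECT, None, []
    else:
        code, vlan = ACCESS_ACCEPT, CUSTOMER_VLANS[mac]
        tag = b"\x01"                        # tunnel tag byte
        reply_attrs = [
            attr(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
            attr(TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
            attr(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode())]
    body = b"".join(reply_attrs)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(hdr + ra + body + secret).digest()
    return code, vlan, packet(code, ident, resp_auth, reply_attrs)


def granted_vlan(reply):
    """Switch side: VLAN from an Access-Accept, None for a reject."""
    if reply[0] != ACCESS_ACCEPT:
        return None
    return int(parse_attrs(reply)[TUNNEL_PRIVATE_GROUP_ID][1:])


if __name__ == "__main__":
    for mac in ("00-1A-2B-3C-4D-5E", "de:ad:be:ef:00:01"):
        code, vlan, reply = mab_server(mab_request(mac))
        print(mac, "->", {2: "Access-Accept", 3: "Access-Reject"}[code], granted_vlan(reply))
```

The first MAC is in the table and comes back on VLAN 101; the second is unknown and is rejected. Because MAB sends the MAC as the password too, a server that only checks the username against a list is no weaker than one that also checks the password, which is why the real decision here is the table lookup, and why the table's content is the whole of the access control.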
