Next Question ;-) MAC auth for hardwired clients?

  • 1.  Next Question ;-) MAC auth for hardwired clients?

    Posted Jun 28, 2016 10:00 AM

    Has anyone done this? Or, does someone know how to configure this up for hardwired clients and could enlighten me? Preferably using the user derivation rules if possible...

     

    As always, thanks to anyone who responds!



  • 2.  RE: Next Question ;-) MAC auth for hardwired clients?

    MVP
    Posted Jun 28, 2016 10:15 AM
    Attempting email reply.

    We do MAC auth & 802.1X on Cisco switch ports. We do not (yet) do RADIUS CoA.

    By default the switch will try 802.1X & then MAC auth. Since the 802.1X timeout is so long, we use the following port configuration.

    authentication order mab dot1x
    authentication priority dot1x mab

    This tells the switch to try MAC auth first, but switch to 802.1X if it receives an EAP packet.


    Bruce Osborne
    Wireless Engineer
    IT Network Services - Wireless

    (434) 592-4229


    Training Champions for Christ since 1971
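    As an added example (not configuration from this thread or from Liberty University), here is a complete Cisco IOS access-port configuration built around the MAB-first ordering described above, including the global AAA/RADIUS lines the per-port commands depend on; RADIUS_SERVER_IP, RADIUS_SHARED_SECRET, the interface name and VLAN 100 are placeholders.

```cisco
! Added example, not from the thread. Global AAA/RADIUS setup that the
! per-port "authentication order/priority" commands rely on.
! RADIUS_SERVER_IP and RADIUS_SHARED_SECRET are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server AUTH-SRV
 address ipv4 RADIUS_SERVER_IP auth-port 1812 acct-port 1813
 key RADIUS_SHARED_SECRET
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description Wired device without an 802.1X supplicant (placeholder port)
 switchport mode access
 switchport access vlan 100
 ! Try MAB first so a "dumb" client is authorized without waiting out
 ! the 802.1X timeout, but let 802.1X win if an EAP frame shows up.
 authentication order mab dot1x
 authentication priority dot1x mab
 ! Fall through to the next method when one fails; the port stays
 ! closed until RADIUS returns Access-Accept for the MAC or supplicant.
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

    Because authorization happens on the access port itself, an unregistered device gets no connectivity at all, including to its neighbours on the same switch, rather than being filtered only once its traffic reaches the controller.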


  • 3.  RE: Next Question ;-) MAC auth for hardwired clients?

    MVP
    Posted Jun 28, 2016 10:30 AM

    We use ClearPass & register the mac auth devices as Known Endpoints.

     

    We also associate a username to the device so we can monitor Internet usage per user.



  • 4.  RE: Next Question ;-) MAC auth for hardwired clients?

    EMPLOYEE
    Posted Jun 28, 2016 10:24 AM
    So you want to manually register non-1X capable devices? Is this with ClearPass?


  • 5.  RE: Next Question ;-) MAC auth for hardwired clients?

    Posted Jun 28, 2016 10:30 AM

    @cappalli wrote:
    So you want to manually register non-1X capable devices? Is this with ClearPass?

    @cappalli - yes, exactly, and controller only, no clearpass. If this were a clearpass set up I would do it differently as I would have a lot more options.



  • 6.  RE: Next Question ;-) MAC auth for hardwired clients?

    MVP
    Posted Jun 28, 2016 10:32 AM
    What system/database are you going to use for registration?


    Bruce Osborne
    Wireless Engineer
    IT Network Services - Wireless


  • 7.  RE: Next Question ;-) MAC auth for hardwired clients?

    Posted Jun 28, 2016 10:48 AM

    @bosborne@liberty.edu wrote:
    What system/database are you going to use for registration?

    @bosborne - the end devices are not capable of any other sort of authentication, they are online, they have a mac address and an ip address, i need to secure them. If this were a ClearPass environment, I would add the devices as known endpoints and go that route but this is not such an environment. This is a controller only network and I was thinking about using the user derivation rules for mac lists.

     

    The wireless side, no worries, done. Hard line side though, got three VLANs coming in, say VLAN 100, 200 & 300. The devices on these VLANs are not capable of authentication on their own, hence looking at MAC authentication. I was thinking about the user derivation rules as then I could create static mac lists for each VLAN. (also, not talking about hundreds of devices per VLAN, maybe 20 to 30). 

     

    Anyway, I need them to authenticate somehow so that I can put them in a role and then manipulate as per normal (inter-vlan routing, session firewall ACLs, etc...) Make sense?



  • 8.  RE: Next Question ;-) MAC auth for hardwired clients?

    MVP
    Posted Jun 28, 2016 10:52 AM
    Yeah. The switch does mac auth due to the “dumb” client. I believe the switch needs an authentication server to perform the lookup, though.

    You mention a controller. Are you connecting these devices directly to the controller? I am confused about the architecture here.

    Bruce Osborne
    Wireless Engineer
    IT Network Services – Wireless

    Liberty University

    Training Champions for Christ since 1971


  • 9.  RE: Next Question ;-) MAC auth for hardwired clients?

    Posted Jun 28, 2016 11:12 AM

    @bosborne@liberty.edu wrote:
    Yeah. The switch does mac auth due to the “dumb” client. I believe the switch needs an authentication server to perform the lookup, though.

    You mention a controller. Are you connecting these devices directly to the controller? I am confused about the architecture here.

    Maybe this will help!

     

    [attachment: testing topology.PNG]



  • 10.  RE: Next Question ;-) MAC auth for hardwired clients?

    Posted Jun 28, 2016 04:29 PM

    So is the diagram I posted possible? Could it be made to work? Would I need a Mobility Access Switch? 

    Or am I trying to do something the controller is just not capable of. That's what I need to figure out.

     

    I need a drink...

     

    ;-)



  • 11.  RE: Next Question ;-) MAC auth for hardwired clients?

    EMPLOYEE
    Posted Jun 28, 2016 09:43 PM

    The best way to do this is at the switch using clearpass or another database for authentication.  Having the controller try to enforce access upstream from the switch still allows any device on a switchport to communicate with other devices.  User defined mac address rules do not scale, because they are tedious to maintain...