
VLAN assignment through RADIUS server

Status
Not open for further replies.

netNewb
Technical User
Jun 16, 2009
Hi all!

I'm quite inexperienced with networking, so I hope I can get some help here.

What I'm trying to do is have a client assigned to a VLAN when connecting to the switch, with the VLAN assignment depending on whether the authentication was successful or failed.
The authentication is realized by a RADIUS server on Windows Server 2003.

What I have achieved so far is that a client has to authenticate when connecting to the switch.

I hope I can get some hints/advice or maybe some good sites which can help me, since I tried some sites (including Cisco) which didn't really describe what I really wanted.

P.S. My environment is made up of a router, a switch, clients and a Windows Server.

Thanks in advance for any help
 
How are you authenticating the client? There are only two ways for auto VLAN assignment (with Cisco switches). One is VMPS, where the client is assigned to a VLAN based on the MAC address (probably not what you want); the 2nd is 802.1x port authentication. 802.1x is probably the best way forward, however this requires an EAP supplicant on each client, plus it fits better in an MS AD network, although other EAP supplicants work.

I would ask why though? Unless you are protecting each VLAN with ACLs or a firewall, then why do you want to assign users to a VLAN based on their logon ID? They will inevitably be IP clients, so their traffic is routable.

I have a setup whereby each 802.1x protected port has an access VLAN that a client will be assigned to should they authenticate successfully, plus a Guest/Authentication Fail VLAN should they either have no credentials or fail authentication. The Layer-3 SVI for the Guest/Auth Fail VLAN is configured with ACLs only allowing specific access (DHCP, DNS to the appropriate servers, then a deny for any corporate access and finally only ports 80 & 443 for web access).

HTH

Andy
 
Hm. I intended to work with 802.1x, and the way you set up the network seems to be quite nice. But can you suggest a site that guides me on how to put the ACLs together with the authentication fail / guest VLAN if the credentials are wrong?

Thanks for the help
 
The commands have changed quite dramatically in the latest IOS for the switches (12.2(50)SE+ for the stackables and 12.2(50)something for the 4x00 series). If you are running less than 12.2(50) then it's the dot1x commands on the interfaces; if it's 12.2(50) then it's a combination of the dot1x and authentication interface commands.

I have 12.2(50)SE1 on some 3560s where this is applied, and this is my interface config:
Code:
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 15
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 3
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 authentication port-control auto
 authentication periodic
 authentication timer restart 30
 authentication timer reauthenticate server
 authentication violation protect
 no snmp trap link-status
 dot1x pae authenticator
 spanning-tree portfast
 service-policy input IPPHONE+PC-BASIC
 ip dhcp snooping limit rate 100

HTH

Andy
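As an added illustration (not Andy's own config, and not from the original thread), this is how the Guest/Auth Fail VLAN he describes could be wired up in 12.2(50)SE syntax: the port falls back to the guest VLAN on failed or absent authentication, and the SVI ACL permits only DHCP, DNS to the internal server and web on 80/443. VLAN 20, the 192.168.20.0/24 guest subnet, the server 10.1.1.10 and the 10.0.0.0/8 corporate range are constructed placeholders.

```cisco
! Constructed placeholders: guest VLAN 20 = 192.168.20.0/24,
! DHCP/DNS server = 10.1.1.10, corporate range = 10.0.0.0/8
ip access-list extended GUEST-VLAN-IN
 remark DHCP: client broadcasts reach the SVI and are relayed via ip helper-address
 permit udp any eq bootpc any eq bootps
 remark DNS only to the internal DNS server
 permit udp 192.168.20.0 0.0.0.255 host 10.1.1.10 eq domain
 permit tcp 192.168.20.0 0.0.0.255 host 10.1.1.10 eq domain
 remark Deny everything else towards the corporate address space
 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark Web access only; everything else is dropped and logged
 permit tcp 192.168.20.0 0.0.0.255 any eq www
 permit tcp 192.168.20.0 0.0.0.255 any eq 443
 deny ip any any log
!
interface Vlan20
 description Guest / Auth-Fail VLAN SVI
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group GUEST-VLAN-IN in
!
! Added to the 802.1x access port: no supplicant response -> guest VLAN,
! authentication failure (after the retry limit) -> the same restricted VLAN
interface FastEthernet0/3
 authentication event no-response action authorize vlan 20
 authentication event fail action authorize vlan 20
```

The ACL is stateless and applied inbound on the SVI, so it only governs what a guest client can initiate; verify with `show authentication sessions interface FastEthernet0/3` that a failed client actually lands in VLAN 20.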
 