How to authenticate specific users on an interface

Issue Description

Hello everyone,

I want to present a quite interesting scenario that you might find helpful sometime.

What if we want to use 802.1x authentication with a RADIUS server to authenticate several users on one interface? Ohh, yes, this is not that hard, because we can configure 802.1x based on MAC address and authenticate all users of the interface.

But what if we want to authenticate only some users of the interface and let the others access our network without any restrictions, because they are our really good friends? How can we do this on our switches?

Solution

To explain our proposed solution I will take as reference the picture below:

As you can see, the computer and the phone are both connected to the same interface, so what can we do?

First we have to configure the interface as hybrid, to allow both tagged and untagged packets. We also have to enable the voice VLAN function on the interface and configure the VLAN in question.

After this we remember that the device can manage users through domains. In this case we can configure two domains: one for users that need RADIUS authentication, which we will name the radius4you domain, and one for users that won't need authentication, which we will call the noauth4phone domain.

For this, in the AAA view we create the domains I have just specified and we bind a RADIUS authentication scheme to the first one and a "no authentication" scheme to the lucky one.

After we configure the interface, create the domains and the RADIUS server template (check the HedEx documentation), we enable and configure dot1x authentication in the system view and in the interface view.

As a result, the switch authenticates the computer against the RADIUS server according to the radius4you domain we configured.

Since we don't want to authenticate the phone, we tried to trick the switch with the dot1x mac-bypass command. Because of this command, when the switch tries to authenticate the phone and the dot1x authentication fails, the switch falls back to using the MAC address of the phone for authentication. Since we created a MAC authentication domain in which no authentication is necessary, when dot1x authentication fails, the devices whose MAC address matches the one specified in the mac-authen domain won't be authenticated at all.

The configuration example:

System view:
#
voice-vlan mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff description phone   //specifies the OUI address of voice packets that can be transmitted in the voice VLAN
#
domain radius4you
#
dot1x enable                              //enables dot1x in system view
dot1x timer reauthenticate-period 100     //sets the re-authentication interval for 802.1x authentication
mac-authen enable                         //enables MAC address authentication
mac-authen domain noauth4phone mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff   //configures an authentication domain for MAC address authentication users
#

AAA view:
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authentication-scheme noauth
authentication-mode none
accounting-scheme default
accounting start-fail online
domain default
domain default_admin
domain radius4you
authentication-scheme radius
radius-server acs
domain noauth4phone               //creates the noauth4phone domain in the aaa view
authentication-scheme noauth      //applies the noauth authentication-scheme to the noauth4phone domain
#

The interface view:
#
interface Ethernet5/0/20
voice-vlan 184 enable             //configures and enables voice VLAN 184
voice-vlan mode manual
voice-vlan legacy enable          //enables the CDP-compatible voice VLAN function
port hybrid pvid vlan 183
port hybrid tagged vlan 184
port hybrid untagged vlan 183
stp disable
bpdu bridge enable
dot1x mac-bypass                  //once 802.1x authentication fails, the device uses the MAC address for authentication
#
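To check which endpoints such a configuration actually exempts from RADIUS, here is an added example (my own Python model of the decision, not part of the switch or of the original post) that applies the mac-authen MAC/mask matching and the mac-bypass fallback from the configuration above; the assumption that a MAC matching no mac-authen domain ends up in the global default domain is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Huawei-style MAC/mask notation, e.g. "04c5-a44c-98b1" (value taken from the post)
_MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")

def mac_to_int(mac: str) -> int:
    """Convert 'xxxx-xxxx-xxxx' (any letter case) to a 48-bit integer."""
    mac = mac.lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC or mask: {mac}")
    return int(mac.replace("-", ""), 16)

@dataclass(frozen=True)
class MacAuthenDomain:
    """One 'mac-authen domain <name> mac-address <mac> mask <mask>' line."""
    domain: str
    mac: str
    mask: str

    def matches(self, client_mac: str) -> bool:
        m = mac_to_int(self.mask)
        return mac_to_int(client_mac) & m == mac_to_int(self.mac) & m

# Rules transcribed from the example configuration in the post
DEFAULT_DOMAIN = "radius4you"                       # 'domain radius4you' in system view
AUTH_MODE = {"radius4you": "radius", "noauth4phone": "none"}   # from the aaa view
MAC_AUTHEN_DOMAINS: List[MacAuthenDomain] = [
    MacAuthenDomain("noauth4phone", "04c5-a44c-98b1", "ffff-ffff-ffff"),
]

def port_decision(client_mac: str, dot1x_success: bool) -> Tuple[str, str]:
    """Return (domain, authentication-mode) for a client on the dot1x mac-bypass port.
    802.1x success -> default domain; failure -> MAC authentication, which picks the
    first mac-authen domain whose MAC/mask matches, else (assumption) the default domain."""
    if dot1x_success:
        return DEFAULT_DOMAIN, AUTH_MODE[DEFAULT_DOMAIN]
    for rule in MAC_AUTHEN_DOMAINS:
        if rule.matches(client_mac):
            return rule.domain, AUTH_MODE[rule.domain]
    return DEFAULT_DOMAIN, AUTH_MODE[DEFAULT_DOMAIN]

def exempt_address_count(mask: str) -> int:
    """Number of MAC addresses one mac-authen rule covers: 1 for a full ffff-ffff-ffff
    mask, 2**24 for an OUI-only mask, so a wider mask widens the no-auth exemption."""
    return 1 << (48 - bin(mac_to_int(mask)).count("1"))
```

Run port_decision() over your own MAC inventory to see which hosts would bypass the RADIUS server, and exempt_address_count() on each mask to review how broad every exemption is.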

I hope this example is helpful if you want to configure this scenario in the future. Thank you.
