Re: 3550 lock and key

From: M A (ma4d@hotmail.com)
Date: Fri Oct 20 2006 - 10:58:31 ART


802.1x coupled with RADIUS is a wonderful thing. Upgrade to 12.2(25)SEE or
later. Configure guest-vlan and dot1x auth-fail vlan so that users who
either don't have a dot1x client or who fail dot1x auth can have normal
connectivity. Apply an ACL to the interface that denies access to your
server and permits everything else. Configure a downloadable ACL on your
RADIUS server that allows access to everything and tie it to the
users/groups you want to be able to reach the server. Configure network
authorization on the switch so that the downloadable ACL is passed down.
When your user authenticates successfully, the switch will replace the port
ACL with the one passed down by the RADIUS server and the user will have
access to everything (or you can restrict access by modifying the
downloadable ACL). I haven't tried this with the newer code but I think it
will work.

See
http://www.cisco.com/en/US/customer/products/hw/switches/ps646/products_configuration_guide_chapter09186a00805a6efc.html

Hope this helps,
Matt
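The setup Matt describes, written out as an added Catalyst 3550 IOS example; it is not from the original post or from the Cisco guide linked above. The interface, VLAN numbers, IP addresses, ACL name and RADIUS key are placeholders chosen for illustration, and the RADIUS-side attribute shown in the comments assumes a server that returns the Cisco vendor-specific cisco-av-pair attribute.

```cisco
! Global AAA / RADIUS setup (addresses, key and VLAN numbers are placeholders)
aaa new-model
aaa authentication dot1x default group radius
! "network" authorization is what lets the switch apply the ACL RADIUS sends back
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! VLANs for hosts that never authenticate successfully
vlan 20
 name DOT1X-GUEST
vlan 30
 name DOT1X-AUTH-FAIL
!
! Static port ACL: block only the protected server, allow everything else
ip access-list extended NO-SERVER
 deny   ip any host 10.1.1.50
 permit ip any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! applied to every host on the port until RADIUS replaces it
 ip access-group NO-SERVER in
 dot1x port-control auto
 ! hosts with no dot1x client end up here after the EAP request times out
 dot1x guest-vlan 20
 ! hosts that fail authentication end up here after the allowed attempts
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 3
 spanning-tree portfast
!
! On the RADIUS server, only the user or group that should reach 10.1.1.50
! returns a cisco-av-pair attribute such as:
!   ip:inacl#1=permit ip any any
! On successful authentication the switch installs that per-user ACL on the
! port in place of NO-SERVER; users without the attribute keep NO-SERVER.
!
! Verification once a client is connected:
!   show dot1x interface FastEthernet0/1
!   show ip access-lists
```

The important split is that the restrictive ACL lives on the switch port, so the default for any host (guest VLAN, auth-fail VLAN or an authenticated user with no attribute) is no access to the server, and only a RADIUS response that carries the permissive ACL opens it up.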

----- Original Message -----
From: "Edward Norton" <doubleccie@yahoo.com>
To: "Tim Thornton" <neteng@gmail.com>
Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Thursday, October 19, 2006 11:37 PM
Subject: Re: 3550 lock and key

> According to my understanding of 802.1x (someone correct me if I'm wrong),
> it will authenticate the users regardless of what traffic they are
> initiating.
>
> My question was that I'm looking for some feature like the lock and key
> dynamic ACL where the users need to authenticate ONLY if they want to
> access a certain server on the network.
>
> Is this possible to be achieved by dot1x? If not, is there any other
> feature which can achieve this?
>
> thanks
>
> Tim Thornton <neteng@gmail.com> wrote:
> 802.1x is an option, although it may be more than what you're looking for.
>
> -T
>
>
>
> On 10/19/06, Edward Norton <doubleccie@yahoo.com> wrote:
> Guys,
> I have a question here. According to the Cisco docs about the ACL on the
> 3550, the dynamic ACLs are not supported on 3550.
> Is there any other way which I can use to authenticate users before they
> communicate with a server connected to the switch?
>
> thanks
>



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:06 ART