From: Michael Zuo (mzuo@ixiacom.com)
Date: Fri Oct 20 2006 - 19:41:34 ART
What about in the lab test environment where there is no RADIUS?

Thanks
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of M A
Sent: Friday, October 20, 2006 6:59 AM
To: Edward Norton
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: 3550 lock and key
802.1x coupled with RADIUS is a wonderful thing. Upgrade to 12.2(25)SEE or later. Configure guest-vlan and dot1x auth-fail vlan so that users who either don't have a dot1x client or who fail dot1x auth can have normal connectivity. Apply an ACL to the interface that denies access to your server and permits everything else. Configure a downloadable ACL on your RADIUS server that allows access to everything and tie it to the users/groups you want to be able to reach the server. Configure network authorization on the switch so that the downloadable ACL is passed down. When your user authenticates successfully, the switch will replace the port ACL with the one passed down by the RADIUS server and the user will have access to everything (or you can restrict access by modifying the downloadable ACL). I haven't tried this with the newer code but I think it will work.

See
http://www.cisco.com/en/US/customer/products/hw/switches/ps646/products_configuration_guide_chapter09186a00805a6efc.html

Hope this helps,
Matt
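The switch side of the approach Matt describes, written out here as an added example in Catalyst IOS syntax (not taken from his message or from the Cisco document he links). The interface, VLAN IDs, the server address 10.1.1.50, the RADIUS address 192.0.2.10, the secret and the ACL names are constructed placeholders.

```cisco
! Catalyst 3550, 12.2(25)SEE or later. Addresses, VLAN IDs, names and the
! shared secret below are constructed placeholders.
aaa new-model
aaa authentication dot1x default group radius
! Network authorization is what allows the per-user ACL returned by the
! RADIUS server to be installed on the port.
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-ME
dot1x system-auth-control
!
! Pre-authentication port ACL: unauthenticated hosts lose only the
! protected server, everything else works normally.
ip access-list extended PRE-AUTH
 deny   ip any host 10.1.1.50
 permit ip any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 dot1x port-control auto
 ! No supplicant -> guest VLAN 20; failed authentication -> VLAN 30.
 ! The port ACL still applies in either case, so the server stays blocked.
 dot1x guest-vlan 20
 dot1x auth-fail vlan 30
 spanning-tree portfast
!
! RADIUS side (any server): for users/groups allowed to reach 10.1.1.50,
! return the Cisco vendor-specific attribute below in the Access-Accept.
! The switch installs it as a per-user ACL in place of PRE-AUTH for the
! duration of that session:
!   cisco-av-pair = "ip:inacl#10=permit ip any any"
! To give authenticated users only what they need on the server, return a
! tighter list instead (one attribute per ACE):
!   cisco-av-pair = "ip:inacl#10=permit tcp any host 10.1.1.50 eq 443"
!   cisco-av-pair = "ip:inacl#20=deny ip any host 10.1.1.50"
!   cisco-av-pair = "ip:inacl#30=permit ip any any"
```

Verify on the switch with `show dot1x interface FastEthernet0/1 details` and `show ip access-lists` after a user authenticates; the per-user entries should appear alongside PRE-AUTH.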
----- Original Message -----
From: "Edward Norton" <doubleccie@yahoo.com>
To: "Tim Thornton" <neteng@gmail.com>
Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Thursday, October 19, 2006 11:37 PM
Subject: Re: 3550 lock and key
> According to my understanding of 802.1x (someone correct me if I'm wrong),
> it will authenticate the users regardless of what traffic they are
> initiating.
>
> My question was that I'm looking for some feature like the lock and key
> dynamic ACL, where the users need to authenticate ONLY if they want to
> access a certain server on the network.
>
> Is this possible to be achieved by dot1x? If not, is there any other
> feature which can achieve this?
>
> Thanks
>
> Tim Thornton <neteng@gmail.com> wrote:
> 802.1x is an option, although it may be more than what you're looking for.
>
> -T
>
> On 10/19/06, Edward Norton <doubleccie@yahoo.com> wrote: Guys,
> I have a question here. According to the Cisco docs about the ACL on the
> 3550, the dynamic ACLs are not supported on the 3550.
> Is there any other way which I can use to authenticate users before they
> communicate with a server connected to the switch?
>
> Thanks
>
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:06 ART