LINUX.ORG.RU
ФорумAdmin

Cisco MAB dynamic VLAN.

 ,


0

2

Господа поделитесь опытом MAC авторизации на порту с динамическим присвоением VLAN(Cisco).

!         
interface Ethernet1/1
 switchport mode access
 duplex auto
 authentication order mab dot1x
 authentication port-control auto
 mab 
 spanning-tree portfast
 spanning-tree bpduguard enable

Вот листинг. На коммутаторе даже лога нету о попытке подключения. 802.1x работает наура.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-7-0E/wirel...

По минимуму как-то так:


dot1x system-auth-control

interface Gi0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator

Ну и вся байда с методами aaa и radius. Что в реальности превращается например в

aaa group server radius ISE_RADIUS
 server 1.1.1.1
 server 1.1.1.2
 ip radius source-interface Vlan17
!

aaa authentication dot1x default group ISE_RADIUS
aaa authorization console

aaa authorization network default group ISE_RADIUS 
aaa accounting dot1x default start-stop group ISE_RADIUS
!
aaa server radius dynamic-author
 client 1.1.1.1 server-key Cisco
 client 1.1.1.2 server-key Cisco
!
aaa session-id common
authentication mac-move permit
!
ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping
ip device tracking
!
dot1x system-auth-control
!
!
interface GigabitEthernet1/0/13
 description Something
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 102
 ip device tracking maximum 10
 ip access-group ACL-ALLOW in
 srr-queue bandwidth share 1 20 20 50
 srr-queue bandwidth shape 0 0 0 0
 priority-queue out 
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1801
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 mls qos vlan-based
 macro description SPM-Cat3k-QOS | SPM-Cat3k-QOS
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
- это без dynamic assignment

eabi
()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.