IOS Basics: EAP / MAC Authentication


Starting point:

  • EAP clients must re-authenticate every two hours.
  • Clients must complete the EAP request within 10 seconds of connecting.
  • Only the MAC address DEAD.BEEF.DEAD may connect to VLAN17.

Request EAP re-authentication:

AAP1(config)#dot1x timeout ?
 reauth-period reauthentication interval in seconds
 supp-response Number of seconds to wait for the supplicant to respond 

AAP1(config)#dot1x timeout re
AAP1(config)#dot1x timeout reauth-period ?
  Seconds
 server use server provided reauthentication interval

AAP1(config)#dot1x timeout reauth-period 7200 

Configure the EAP request timer:

AAP1(config)#dot1x timeout supp-response ?
  Seconds

AAP1(config)#dot1x timeout supp-response 120

MAC access list on VLAN17:

Step 1) Create the ACL

AAP1(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

AAP1(config)#access-list 700 permit dead.beef.dead 0000.0000.0000
AAP1(config)#access-list 700 deny 0000.0000.0000 ffff.ffff.ffff 

Step 2) Enable the bridge-group ACL on the radio interface

AAP1(config-if)#l2-filter ?
  block-arp         avoid arp attack
  bridge-group-acl  Use bridge-group ACLs

AAP1(config-if)#l2-filter bridge-group-acl 

Step 3) Apply the ACL to the radio subinterface

AAP1(config-if)#int d0.17
AAP1(config-subif)#bridge-group  17 ?
  spanning-disabled          Disable spanning tree on a bridge group
  input-lat-service-deny     Deny input LAT service advertisements matching a
                             group list
  input-lat-service-permit   Permit input LAT service advertisements matching a
                             group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-type-list            Filter incoming Ethernet packets by type code
  lat-compression            Enable LAT compression over serial or ATM
                             interfaces
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a
                             group list
  output-lat-service-permit  Permit output LAT service advertisements matching
                             a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-type-list           Filter outgoing Ethernet packets by type code
  port-protected             There will be no traffic between this interface
                             and other protected port interface in this bridge
                             group
  subscriber-loop-control    Configure subscriber loop control
  block-unknown-source       block traffic which come from unknown source MAC
                             address
  input-pattern-list         Filter input with a pattern list
  output-pattern-list        Filter output with a pattern list
  path-cost                  Set interface path cost
  priority                   Set interface priority
  source-learning            learn source MAC address
  unicast-flooding           flood packets with unknown unicast destination MAC
                             addresses
  input-address-list         Filter packets by source address

AAP1(config-subif)#bridge-group  17  input-address-list ?
  <700-799>  Ethernet address access list

AAP1(config-subif)#bridge-group  17  input-address-list 700

AAP1(config-subif)#int d1.17
AAP1(config-subif)#bridge-group 17 input-address-list 700
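The three steps above can be checked offline against a saved running-config before anyone relies on the filter. The following Python script is an added example, not part of the original post: it parses the 700-series MAC access list, evaluates a candidate MAC the way IOS does (first match, wildcard mask where a 1 bit means "don't care", implicit deny at the end), and reports which radio subinterfaces bind the ACL through `input-address-list`. The running-config text is constructed for this example (interface names Dot11Radio0/Dot11Radio1 are the long forms of d0/d1); Dot11Radio1 is deliberately left without `l2-filter bridge-group-acl`, and the audit assumes that command is needed on every radio interface whose subinterfaces carry the ACL.

```python
"""Offline audit of the VLAN17 MAC filter: parse IOS running-config text,
evaluate a 700-799 MAC ACL with IOS semantics and list the subinterfaces
that actually bind it. Added example; config below is constructed."""
import re

# Constructed sample running-config modelled on the commands shown above.
# Dot11Radio1 intentionally lacks "l2-filter bridge-group-acl" (assumed to be
# required per radio interface) so the audit has a finding to report.
SAMPLE_CONFIG = """\
dot1x timeout reauth-period 7200
dot1x timeout supp-response 120
!
access-list 700 permit dead.beef.dead 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
!
interface Dot11Radio0
 l2-filter bridge-group-acl
!
interface Dot11Radio0.17
 encapsulation dot1Q 17
 bridge-group 17
 bridge-group 17 input-address-list 700
!
interface Dot11Radio1
!
interface Dot11Radio1.17
 encapsulation dot1Q 17
 bridge-group 17
 bridge-group 17 input-address-list 700
!
"""

MAC_HEX = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ACE_RE = re.compile(
    rf"^access-list\s+(\d+)\s+(permit|deny)\s+({MAC_HEX})\s+({MAC_HEX})\s*$", re.I)


def mac_to_int(mac):
    """Accept IOS dotted (dead.beef.dead) or colon notation; return a 48-bit int."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def parse_mac_acl(config, number):
    """Ordered (action, address, wildcard) entries of one 700-799 MAC ACL."""
    if not 700 <= number <= 799:
        raise ValueError("48-bit MAC address access lists are numbered 700-799")
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.append((m.group(2).lower(),
                            mac_to_int(m.group(3)), mac_to_int(m.group(4))))
    return entries


def evaluate(entries, mac):
    """First-match evaluation with IOS wildcard masks and implicit deny."""
    target = mac_to_int(mac)
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFFFFFF   # 0 bits in the wildcard must match
        if target & care == addr & care:
            return action
    return "deny"   # nothing matched: IOS denies implicitly


def parse_interfaces(config):
    """Map interface name -> list of its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_acl_binding(config, acl_number):
    """Return (subinterfaces binding the ACL, those whose parent radio lacks
    l2-filter bridge-group-acl so the binding is assumed ineffective)."""
    blocks = parse_interfaces(config)
    want = re.compile(rf"^bridge-group\s+\d+\s+input-address-list\s+{acl_number}$")
    bound, unfiltered = [], []
    for name, lines in blocks.items():
        if not any(want.match(ln) for ln in lines):
            continue
        bound.append(name)
        parent = name.split(".")[0]
        if "l2-filter bridge-group-acl" not in blocks.get(parent, []):
            unfiltered.append(name)
    return bound, unfiltered


if __name__ == "__main__":
    acl = parse_mac_acl(SAMPLE_CONFIG, 700)
    for probe in ("DEAD.BEEF.DEAD", "dead.beef.dea0"):
        print(probe, "->", evaluate(acl, probe))
    print("bound:", audit_acl_binding(SAMPLE_CONFIG, 700))
```

Feed the script the output of `show running-config` instead of the constructed text to confirm that exactly one station is permitted and that the ACL is bound on every VLAN17 subinterface, not just the first radio.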

Samuel Heinrich
Senior Network Engineer at Selution AG (Switzerland)
Works in the Basel area (Switzerland) as a Senior Network Engineer with over 15 years of experience in networking
