IOS Basics: EAP / MAC Authentication

Starting point:

  • EAP clients must re-authenticate every two hours
  • While connecting, clients must complete the EAP request within 10 seconds.
  • Only the MAC address DEAD.BEEF.DEAD may connect to VLAN17.

Requesting EAP re-authentication:

AAP1(config)#dot1x timeout ?
 reauth-period reauthentication interval in seconds
 supp-response Number of seconds to wait for the supplicant to respond 

AAP1(config)#dot1x timeout re
AAP1(config)#dot1x timeout reauth-period ?
 <1-65535> Seconds
 server use server provided reauthentication interval

AAP1(config)#dot1x timeout reauth-period 7200 

Configuring the EAP request timer:

AAP1(config)#dot1 timeout supp-response ?
 <1-120> Seconds

AAP1(config)#dot1 timeout supp-response 120

MAC access list on VLAN17:

Step 1) Create the ACL

AAP1(config)#access-list ?
 <1-99> IP standard access list
 <100-199> IP extended access list
 <1100-1199> Extended 48-bit MAC address access list
 <1300-1999> IP standard access list (expanded range)
 <200-299> Protocol type-code access list
 <2000-2699> IP extended access list (expanded range)
 <700-799> 48-bit MAC address access list
 dynamic-extended Extend the dynamic ACL absolute timer
 rate-limit Simple rate-limit specific access list

AAP1(config)#access-list 700 permit dead.beef.dead 0000.0000.0000
AAP1(config)#access-list 700 deny 0000.0000.0000 ffff.ffff.ffff 

Step 2) Enable the bridge-group ACL on the radio interface

AAP1(config-if)#l2-filter ?
  block-arp         avoid arp attack
  bridge-group-acl  Use bridge-group ACLs

AAP1(config-if)#l2-filter bridge-group-acl 

Step 3) Apply the ACL to the radio subinterface

AAP1(config-if)#int d0.17
AAP1(config-subif)#bridge-group  17 ?
  spanning-disabled          Disable spanning tree on a bridge group
  input-lat-service-deny     Deny input LAT service advertisements matching a
                             group list
  input-lat-service-permit   Permit input LAT service advertisements matching a
                             group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-type-list            Filter incoming Ethernet packets by type code
  lat-compression            Enable LAT compression over serial or ATM
                             interfaces
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a
                             group list
  output-lat-service-permit  Permit output LAT service advertisements matching
                             a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-type-list           Filter outgoing Ethernet packets by type code
  port-protected             There will be no traffic between this interface
                             and other protected port interface in this bridge
                             group
  subscriber-loop-control    Configure subscriber loop control
  block-unknown-source       block traffic which come from unknown source MAC
                             address
  input-pattern-list         Filter input with a pattern list
  output-pattern-list        Filter output with a pattern list
  path-cost                  Set interface path cost
  priority                   Set interface priority
  source-learning            learn source MAC address
  unicast-flooding           flood packets with unknown unicast destination MAC
                             addresses
  input-address-list         Filter packets by source address


AAP1(config-subif)#bridge-group  17  input-address-list ?
  <700-799>  Ethernet address access list

AAP1(config-subif)#bridge-group  17  input-address-list 700

AAP1(config-subif)#int d1.17
AAP1(config-subif)#bridge-group 17 input-address-list 700
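The MAC ACL above relies on IOS wildcard-mask semantics (a 1 bit in the mask means "don't care", so 0000.0000.0000 is an exact match and ffff.ffff.ffff matches every address) and on top-down, first-match evaluation. The following script is an added example, not code from the post or from Cisco: it parses `access-list 7xx` lines from a running-config excerpt and evaluates client MACs against them, so the ACL can be checked offline before it is applied to the bridge group. The function names and the sample config are constructed here.

```python
"""Evaluate a Cisco IOS 48-bit MAC access list (numbers 700-799) offline.

Wildcard semantics: a 1 bit in the mask is "don't care", a 0 bit must match
exactly. Entries are checked top-down, first match wins, and an address that
matches no entry is denied (implicit deny at the end of every ACL).
"""
import re

ALL_BITS = 0xFFFFFFFFFFFF
ACL_LINE = re.compile(
    r"access-list\s+(7\d\d)\s+(permit|deny)\s+([0-9a-f.:-]+)\s+([0-9a-f.:-]+)", re.I)

def mac_to_int(mac):
    """Accept 'dead.beef.dead', 'DE:AD:BE:EF:DE:AD' or 'de-ad-be-ef-de-ad'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def parse_mac_acl(config_text):
    """Return {acl_number: [(action, address, wildcard), ...]} in config order."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_LINE.search(line)
        if m:
            num, action, addr, mask = m.groups()
            acls.setdefault(int(num), []).append(
                (action.lower(), mac_to_int(addr), mac_to_int(mask)))
    return acls

def evaluate(entries, mac):
    """Apply the entries top-down; first match wins; implicit deny otherwise."""
    value = mac_to_int(mac)
    for action, addr, wildcard in entries:
        care = ALL_BITS ^ wildcard            # bits that must match exactly
        if value & care == addr & care:
            return action
    return "deny"

# Constructed sample: the two ACL 700 lines from the post as they would show
# up in 'show running-config' (prompt stripped).
SAMPLE_CONFIG = """
access-list 700 permit dead.beef.dead 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
"""

if __name__ == "__main__":
    acl = parse_mac_acl(SAMPLE_CONFIG)[700]
    for client in ("DEAD.BEEF.DEAD", "de:ad:be:ef:de:ac", "0011.2233.4455"):
        print(f"{client:20} -> {evaluate(acl, client)}")
```

Because the evaluator implements the general wildcard rule, it also shows how a mask such as 0000.0000.ffff would admit a whole OUI rather than a single station, which is worth checking before loosening the ACL.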

Samuel Heinrich
Senior Network Engineer at Selution AG (Switzerland)
Works in the Basel area (Switzerland) as a Senior Network Engineer with over 15 years of experience in networking
