IOS Basics: EAP / MAC Authentication
Scenario:
- EAP clients are to re-authenticate every two hours.
- While connecting, clients are to complete the EAP request within 10 seconds.
- Only the MAC address DEAD.BEEF.DEAD may connect to VLAN17.
Require EAP reauthentication:
AAP1(config)#dot1x timeout ?
reauth-period reauthentication interval in seconds
supp-response Number of seconds to wait for the supplicant to respond
AAP1(config)#dot1x timeout re
AAP1(config)#dot1x timeout reauth-period ?
<1-65535> Seconds
server use server provided reauthentication interval
AAP1(config)#dot1x timeout reauth-period 7200
Configure the EAP request timer:
AAP1(config)#dot1 timeout supp-response ?
<1-120> Seconds
AAP1(config)#dot1 timeout supp-response 120
MAC access list on VLAN17:
Step 1) Create the ACL
AAP1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
AAP1(config)#access-list 700 permit dead.beef.dead 0000.0000.0000
AAP1(config)#access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
Step 2) Enable the bridge-group ACL on the radio interface
AAP1(config-if)#l2-filter ?
block-arp avoid arp attack
bridge-group-acl Use bridge-group ACLs
AAP1(config-if)#l2-filter bridge-group-acl
Step 3) Apply the ACL to the radio sub-interface
AAP1(config-if)#int d0.17
AAP1(config-subif)#bridge-group 17 ?
spanning-disabled Disable spanning tree on a bridge group
input-lat-service-deny Deny input LAT service advertisements matching a group list
input-lat-service-permit Permit input LAT service advertisements matching a group list
input-lsap-list Filter incoming IEEE 802.3 encapsulated packets
input-type-list Filter incoming Ethernet packets by type code
lat-compression Enable LAT compression over serial or ATM interfaces
output-address-list Filter packets by destination address
output-lat-service-deny Deny output LAT service advertisements matching a group list
output-lat-service-permit Permit output LAT service advertisements matching a group list
output-lsap-list Filter outgoing IEEE 802.3 encapsulated packets
output-type-list Filter outgoing Ethernet packets by type code
port-protected There will be no traffic between this interface and other protected
subscriber-loop-control Configure subscriber loop control port interface in this bridge group
block-unknown-source block traffic which come from unknown source MAC address
input-pattern-list Filter input with a pattern list
output-pattern-list Filter output with a pattern list
path-cost Set interface path cost
priority Set interface priority
source-learning learn source MAC address
unicast-flooding flood packets with unknown unicast destination MAC addresses
input-address-list Filter packets by source address
AAP1(config-subif)#bridge-group 17 input-address-list ?
<700-799> Ethernet address access list
AAP1(config-subif)#bridge-group 17 input-address-list 700
AAP1(config-subif)#int d1.17
AAP1(config-subif)#bridge-group 17 input-address-list 700
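As an added example (not part of the original notes), a small Python audit that checks a running-config against the three requirements above: the 802.1X timers, the MAC ACL, and the bridge-group ACL binding on every VLAN 17 sub-interface together with the l2-filter on its parent radio. The config text is constructed from the commands shown and assumes the single l2-filter command went onto Dot11Radio0 only, so the audit reports the other radio; it also reports that the session sets supp-response 120 while the requirement states 10 seconds.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (assumption: the state the session above leaves
# behind; the single l2-filter command is assumed to have gone onto Dot11Radio0 only).
RUNNING_CONFIG = """\
dot1x timeout reauth-period 7200
dot1x timeout supp-response 120
interface Dot11Radio0
 l2-filter bridge-group-acl
interface Dot11Radio0.17
 bridge-group 17 input-address-list 700
interface Dot11Radio1.17
 bridge-group 17 input-address-list 700
access-list 700 permit dead.beef.dead 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented config lines."""
    ifaces, cur = defaultdict(list), None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None  # a global command ends the interface block
    return ifaces

def audit(config, reauth=7200, supp=10, vlan=17, acl=700, mac="dead.beef.dead"):
    """Return findings where the config deviates from the stated requirements."""
    findings = []
    timers = dict(re.findall(r"^dot1x timeout (\S+) (\d+)$", config, re.M))
    for name, want in (("reauth-period", reauth), ("supp-response", supp)):
        if timers.get(name) != str(want):
            findings.append(f"dot1x timeout {name}: want {want}, got {timers.get(name)}")
    # The MAC ACL must permit exactly the allowed station and end with an explicit deny-all.
    entries = re.findall(rf"^access-list {acl} (permit|deny) (\S+) (\S+)$", config, re.M)
    permits = [(m, mask) for action, m, mask in entries if action == "permit"]
    if permits != [(mac, "0000.0000.0000")] or entries[-1:] != [("deny", "0000.0000.0000", "ffff.ffff.ffff")]:
        findings.append(f"access-list {acl}: must permit only {mac} and end with deny-all")
    ifaces = parse_interfaces(config)
    for name in (n for n in ifaces if n.endswith(f".{vlan}")):
        if f"bridge-group {vlan} input-address-list {acl}" not in ifaces[name]:
            findings.append(f"{name}: missing bridge-group {vlan} input-address-list {acl}")
        parent = name.rsplit(".", 1)[0]  # Dot11Radio1.17 -> Dot11Radio1
        if "l2-filter bridge-group-acl" not in ifaces.get(parent, []):
            findings.append(f"{parent}: missing l2-filter bridge-group-acl (needed for {name})")
    return findings
```

Run `audit(RUNNING_CONFIG)` to list the deviations; an empty list means the config matches the requirements.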