Occasionally, one doesn't want to permanently assign VLANs per port. For example, let's say we have a laboratory environment. There are instruments around the lab that use Ethernet. People are coming into the lab and bringing their own equipment. We don't want the equipment in the lab to be reachable by the people plugging devices in, because the setting is a controlled one. We also don't want to set up a bunch of VLAN assignments in advance. So, what would be nicest would be if each device whose MAC address we knew was automatically placed onto the correct VLAN.

So we will use a management VLAN (192.168.100.x) for communication between the switch and the RADIUS server. Then there's also a PLC VLAN (which has the instruments, 192.168.99.x), and a General Use VLAN (192.168.101.x).

![[Pasted image 20241028193529.png]]

Here's the complete switch config.

```
Switch#show run
Building configuration...

Current configuration : 3572 bytes
!
! Last configuration change at 00:00:32 UTC Mon Jan 2 2006
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
username ricky privilege 15 password 0 Rocks
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization exec default if-authenticated
aaa authorization network default if-authenticated
!
aaa session-id common
system mtu routing 1500
!
dot1x system-auth-control
identity profile default
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
alarm profile defaultPort
 alarm not-operating
 syslog not-operating
 notifies not-operating
!
!
vlan internal allocation policy ascending
!
lldp run
!
interface FastEthernet1/1
 switchport mode access
 authentication port-control auto
 mab
!
interface FastEthernet1/2
 switchport mode access
 authentication port-control auto
 mab
!
interface FastEthernet1/3
 switchport mode access
 authentication port-control auto
 mab
!
interface FastEthernet1/4
 switchport mode access
 authentication port-control auto
 mab
!
interface FastEthernet1/5
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet1/6
!
interface FastEthernet1/7
 switchport mode access
!
interface FastEthernet1/8
 switchport mode trunk
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
 switchport mode access
!
interface Vlan1
 ip dhcp client client-id ascii FDO2005U0GL
 ip address dhcp
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan100
 ip address 192.168.100.10 255.255.255.0
!
snmp-server community public RO
!
radius-server attribute 31 mac format ietf
!
radius server rad
 address ipv4 192.168.100.1 auth-port 1812 acct-port 1813
 key SmellySkunk999!
!
line con 0
line vty 5 15
!
end
```

Ranges of ports can be configured to do this, independently of the other ports.

Many networking products today have built-in RADIUS servers. Take a UniFi UCG-Max, for example.

![[Pasted image 20241028194353.png]]

Other routers also have built-in RADIUS functionality, for example pfSense.

So what happens here? When a device is plugged in:

1. The switch uses the RADIUS server to authenticate, using the MAC address of the device as both the username and the password.
2. The RADIUS server responds with the VLAN to which the port should be assigned.
3. The switch sets the VLAN of the port to the one indicated by the RADIUS server.
4. Any other activities, such as DHCP, occur.
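The decision the RADIUS server makes in steps 1 and 2, written out as an added example (this is not code from the page or from any RADIUS product). The allow-list, MAC addresses and VLAN numbers are constructed; the attribute values are the RFC 3580 ones a switch expects in an Access-Accept for dynamic VLAN assignment (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-Id = the VLAN number). The MAC formats accepted by `normalize_mac` cover the dotted, hyphenated, colon and bare forms a switch may send; which one your switch uses depends on its `radius-server attribute 31 mac format` setting.

```python
"""
Constructed example of the MAC-to-VLAN decision a RADIUS server makes for a
MAB (MAC Authentication Bypass) Access-Request. Everything here is
illustrative: the allow-list, MACs and VLAN ids are made up.
"""
import re
from typing import Optional

# RFC 3580 values a switch expects in an Access-Accept for dynamic VLAN assignment
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (attribute 64) = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type (attribute 65) = IEEE-802

# Constructed allow-list: lab instruments go to the PLC VLAN, a staff laptop to General Use.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": 99,    # hypothetical instrument -> PLC VLAN
    "00:11:22:33:44:66": 99,    # hypothetical instrument -> PLC VLAN
    "aa:bb:cc:dd:ee:01": 101,   # hypothetical staff laptop -> General Use VLAN
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept the forms a switch may send (cisco 0011.2233.4455,
    ietf 00-11-22-33-44-55, colon form, or bare 001122334455) and
    return lower-case colon form, or None if the value is not a MAC."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_decision(username: str, password: str, calling_station_id: str) -> dict:
    """Decide how to answer one MAB Access-Request.

    In MAB the switch sends the client MAC as User-Name and User-Password
    and also in Calling-Station-Id, so all three must agree; anything
    else is not a well-formed MAB request and is rejected."""
    mac = normalize_mac(username)
    if (mac is None
            or mac != normalize_mac(password)
            or mac != normalize_mac(calling_station_id)):
        return {"code": "Access-Reject", "reason": "malformed or inconsistent MAB request"}

    vlan = KNOWN_DEVICES.get(mac)
    if vlan is None:
        # Unknown MAC: reject explicitly instead of letting it land on a default VLAN.
        return {"code": "Access-Reject", "reason": f"unknown MAC {mac}"}

    return {
        "code": "Access-Accept",
        "attributes": {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-Id": str(vlan),
        },
    }


if __name__ == "__main__":
    # Constructed requests: a known instrument, an unknown device, and a mismatched one.
    for req in [("001122334455", "001122334455", "00-11-22-33-44-55"),
                ("deadbeef0001", "deadbeef0001", "de-ad-be-ef-00-01"),
                ("001122334455", "aabbccddee01", "00-11-22-33-44-55")]:
        print(req[0], "->", mab_decision(*req))
```

The explicit reject for unknown MACs is the part worth keeping: MAB only proves that the client presented a MAC the server has on file, so the allow-list, not the port, is the control, and a device that is not on it should get no VLAN at all rather than a fallback. On a FreeRADIUS server the same three attributes are what a per-MAC entry in the `users` file returns.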