MAC Locking
Fixed Switch Configuration Guide 26-7
Response Validation
When the MS-CHAP2-Success attribute is received in an Access-Accept RADIUS response frame, it
is validated according to RFC 2548 and RFC 2759. This attribute contains the 42-byte
authenticator response. Upon receipt, the RADIUS client software calculates its own
authenticator response from the information that was passed in the MS-CHAP2-Response
attribute and the clear-text password the user supplied.
If the calculated value does not match the value in the attribute, the message is assumed not to
be from the RADIUS server and the response message is dropped. A log message is output
indicating that this condition has occurred.
Password Changing
If an Access-Reject packet is received from the RADIUS server and it includes an MS-CHAP-Error
attribute indicating that the user's password has expired, the switch prompts the user for a
new password. If the user enters an acceptable new password, that password is sent to
the RADIUS server via the MS-CHAPv2 password change RADIUS attributes.
If the server responds with an Access-Accept, the user is allowed access and the
password has been successfully changed. If the server sends an Access-Reject, the
password has not been changed and the user is denied access.
Example
This example changes the RADIUS management authentication mode to MS-CHAPv2, then
displays the RADIUS configuration.
A4(su)->set radius attribute mgmt password mschapv2
A4(su)->show radius
RADIUS status: Disabled
RADIUS retries: 2
RADIUS timeout: 5 seconds
RADIUS attribute mgmt password: mschapv2
RADIUS Server    IP Address       Auth-Port   Realm-Type          IPsec
--------------   ----------       ---------   -----------------   --------
1                10.1.0.27        1812        any                 disabled
2                192.168.10.10    1812        any                 enabled
Note that although standard is the factory default mode, once you change the mode to
MS-CHAPv2, you must execute the set radius attribute mgmt password standard command to
change the mode back to standard RADIUS management authentication.
MAC Locking
This feature locks a MAC address to one or more ports, preventing connection of unauthorized
devices through the port(s). When source MAC addresses are received on specified ports, the
switch discards all subsequent frames not containing the configured source addresses. The only
frames forwarded on a "locked" port are those with the "locked" MAC address(es) for that port.
There are two methods of locking a MAC to a port: first arrival and static. The first arrival method
locks the first n MAC addresses that arrive on a port configured with MAC locking enabled. The
value n is configured with the set maclock firstarrival command.
The static method statically provisions a MAC-port lock using the set maclock static
command. The maximum number of static MAC addresses allowed for MAC locking on a
port is 20.