kwilliams123
asked on
Require authentication for network access ASA.
Hello Experts,
I have an internal network of about 25 computers behind an ASA 5505. The ASA assigns DHCP to whatever connects to the network via LAN or Wireless. I would like to restrict network access to authenticated users. Ideally, I would like to provide a list of authenticated MAC addresses and require username and password for for any device not on the list. My question is: Is this possible with the ASA, and can anyone point me in the right direction to get started? Thank you in advance for your time.
I have an internal network of about 25 computers behind an ASA 5505. The ASA assigns DHCP to whatever connects to the network via LAN or Wireless. I would like to restrict network access to authenticated users. Ideally, I would like to provide a list of authenticated MAC addresses and require username and password for for any device not on the list. My question is: Is this possible with the ASA, and can anyone point me in the right direction to get started? Thank you in advance for your time.
To authenticate the users you need to configure cut-through proxy. You will need a Radius/tacacs server for that. To bypass the authentication for some MAC addresses use mac access list:
something like this:
mac-list MACLIST permit 0003.470d.61aa ffff.ffff.ffff
mac-list MACLIST permit 0003.470d.61bb ffff.ffff.ffff
aaa mac-exempt match MAC
something like this:
mac-list MACLIST permit 0003.470d.61aa ffff.ffff.ffff
mac-list MACLIST permit 0003.470d.61bb ffff.ffff.ffff
aaa mac-exempt match MAC
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for your prompt response
try following:
Configuration > Properties > Bridging > MAC Learning
disable mac learning on inside interface, add all mac manually.
The MAC Learning pane lets you disable MAC address learning on an interface. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.