Restricting specific PCs to Cisco switch ports

I have 60 PCs in my network and I'd like to allow only those PCs into my network. In other words, when one of the 60 PCs is plugged into a Cisco switch port, it will be allowed to obtain an IP address and access the internal network resources. But if a guest PC is plugged into any switch port, it will not be able to get an IP address or access the internal network. I see that there is a port-security mac-address command where you can specify the MAC address. But how do I use it with 60 PCs? My switches are 2960 and 3750X. Thanks
leblancAccounting asked:
Zephyr ICT (Cloud Architect) commented:
This is called Port Security and you have a few options, as described by Cisco here:


- Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
- Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table, and removed when the switch restarts.
- Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

So you could configure each switch to allow the MAC addresses it has learned, which are already present in the address table of the switch. Depending on how your network is structured and where the 60 workstations are connected, you need to configure this on each switch manually, unless you have a script/tool that does this for you.
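The "script/tool" approach mentioned above, as an added example that is not part of the original thread: a Python helper that takes the output of `show mac address-table dynamic` from one switch, keeps only the learned MACs that appear in an allowlist of the known PCs, and emits the per-port `switchport port-security` configuration with static secure MACs. The MAC table text, the allowlist and the interface names below are constructed for illustration; a port whose learned MAC is not on the allowlist is reported rather than locked down, and uplink ports are skipped because port security belongs on access ports only.

```python
"""Generate per-port 'switchport port-security' config from a switch's learned
MAC table, restricted to an allowlist of known workstation MACs.

Added example (not from the original thread). All input data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of `show mac address-table dynamic` output (IOS format).
# Gi1/0/3 has learned a second, unknown MAC; Gi1/0/48 is the uplink.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56a1.0001    DYNAMIC     Gi1/0/1
  10    0050.56a1.0002    DYNAMIC     Gi1/0/2
  10    0050.56a1.0003    DYNAMIC     Gi1/0/3
  10    0050.56a1.00ff    DYNAMIC     Gi1/0/3
  10    0050.56a1.0004    DYNAMIC     Gi1/0/24
  10    001b.2100.aaaa    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 6
"""

# Constructed allowlist of company PCs; any common MAC notation is accepted.
ALLOWED_PCS = {
    "00:50:56:A1:00:01": "pc-01",
    "00:50:56:A1:00:02": "pc-02",
    "0050.56a1.0003": "pc-03",
    "00-50-56-a1-00-04": "pc-04",
}

UPLINK_PORTS = {"Gi1/0/48"}  # never enable port security on uplinks/trunks

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+DYNAMIC\s+(\S+)\s*$")


def normalize_mac(mac):
    """Return a MAC in Cisco dotted form 'hhhh.hhhh.hhhh'; raise on malformed input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return "%s.%s.%s" % (digits[0:4], digits[4:8], digits[8:12])


def parse_mac_table(text):
    """Map interface name -> list of dynamically learned MACs (dotted form)."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            _vlan, mac, port = m.groups()
            table[port].append(normalize_mac(mac))
    return dict(table)


def build_port_security(mac_table, allowed, uplinks):
    """Return (config_lines, warnings).

    An access port whose learned MACs are all on the allowlist gets those MACs
    as static secure addresses and a maximum equal to their count, so a foreign
    PC plugged into it triggers the violation action (shutdown = err-disabled).
    A port with an unknown MAC is reported and left alone: locking a port down
    around a device nobody recognises is the wrong default.
    """
    allowed_norm = {normalize_mac(m): name for m, name in allowed.items()}
    config, warnings = [], []
    for port in sorted(mac_table):
        if port in uplinks:
            continue
        macs = mac_table[port]
        unknown = [m for m in macs if m not in allowed_norm]
        if unknown:
            warnings.append("%s: unknown MAC(s) %s, skipping" % (port, unknown))
            continue
        config.append("interface %s" % port)
        config.append(" switchport mode access")
        config.append(" switchport port-security")
        config.append(" switchport port-security maximum %d" % len(macs))
        config.append(" switchport port-security violation shutdown")
        for m in macs:
            config.append(" ! %s" % allowed_norm[m])  # IOS comment line, own line only
            config.append(" switchport port-security mac-address %s" % m)
        config.append("!")
    return config, warnings


if __name__ == "__main__":
    cfg, warns = build_port_security(parse_mac_table(SAMPLE_MAC_TABLE), ALLOWED_PCS, UPLINK_PORTS)
    print("\n".join(cfg))
    for w in warns:
        print("WARNING:", w)
```

Run it once per switch against that switch's own MAC table; as Zephyr ICT notes, each switch only needs entries for the PCs actually connected to it. Remember that an err-disabled port stays down until `shutdown`/`no shutdown` or `errdisable recovery cause psecure-violation` is configured.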
leblancAccounting (Author) commented:
So if I understand correctly, I have to manually enter 60 MAC addresses for each switch port. Hmmm... That is a time consuming process. I am just wondering if there is a better solution than port-security. Thx
Zephyr ICT (Cloud Architect) commented:
Uhm ... No, you don't need to manually configure 60 MAC addresses. The MAC addresses are already in the MAC address table, so you can use those MAC addresses when configuring port security, that is, of course, if all the MAC addresses in this table should have access.

Are your workstations moving? Do they change location a lot? If they are not, you don't need to configure all 60 MAC addresses on all switches, just configure the switches where the workstations are connected. If workstation A is connected to switch A and workstation B is also connected to this switch and they aren't moving, then you can just configure switch A to allow workstation A and B, but not (for example) workstation C because this one is connected to switch B.

This seems to be the best solution in your situation, other options include IPSEC, but that's a lot more work... I'll try to think of other solutions...

Though I also have to say that Port Security isn't the best security feature, it's an extra layer for sure, but a hacker can easily spoof a MAC address and negotiate access that way...

leblancAccounting (Author) commented:
"a hacker can easily spoof a MAC address and negotiate access that way" yes definitely. I am just wondering if 802.1x will do the trick. I am not an expert in 802.1x but it will be great if any other experts out there have implemented such a solution. Thx
Zephyr ICT (Cloud Architect) commented:
Of course 802.1x is doable and is a great solution, but it will be much more work than simple Port Security naturally...
You'd require a RADIUS server for starters and probably use a multi-host setup.
leblancAccounting (Author) commented:
Can anybody out there share his/her experience in implementing 802.1x? Thx
Craig Beck commented:
You can do 802.1x or you can use MAB (MAC-bypass).  I'd suggest 802.1x over MAB every time as you've already noted that MAC addresses can be spoofed extremely easily.  There are times where you'll need to do MAB though, such as when the device connecting to the switch doesn't support 802.1x.

I've configured 802.1x in hundreds of deployments using a variety of RADIUS servers including Cisco ACS, Cisco ISE, FreeRADIUS, Microsoft IAS/NPS, etc., and can vouch for its effectiveness.  I'd say that to keep your requirement secure you will require RADIUS, but it's relatively simple to configure if you understand the concepts and what's required in order to get it working.

Ideally you should have your own PKI (Certificate services running on your domain).  You don't have to though, especially if you only want to do user authentication.  This is the bit that usually deters people from deploying 802.1x.  You can deploy Microsoft NPS (built-in RADIUS) on a DC or member-server and simply use a self-signed certificate in order to enable the NPS to process EAP-style logins.

I'd go with running your own PKI so you can do user and computer authentication.  You can use GPO to auto-enroll machines and user certificates.  You can also provide a valid certificate to your servers and NPS so it can do EAP-style authentication.  I'd suggest doing EAP-TLS if you want to authenticate computers, while PEAP-MSChapV2 is a good solution if you want to authenticate users when they login to the machine.

You can read about what's involved here...

https://technet.microsoft.com/en-us/library/cc732256%28v=ws.10%29.aspx

On the switch-side of things, there's not a lot to do.  You need to configure a RADIUS server or group on the switch and configure the authentication requirement at the switch and switchport level.  Here's a nice guide...

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.pdf

I can put some sample configs together if it's something you want to do.
leblancAccounting (Author) commented:
Thanks craigbeck for sharing your thoughts. That is exactly what I need to see. I understand the concept of 802.1X where you have the supplicant (the client), the authenticator (the switches), and the authentication server (radius or ISE for example). I get a bit confused when you talk about PKI. Where does PKI come into the picture? Also, it looks like there is a new way to configure 802.1x which is IBNS 2.0. Do I need to follow IBNS 2.0?
I will check out your links. Thx
Zephyr ICT (Cloud Architect) commented:
Whoops, lost track of this thread... Thanks @craigbeck for your great input!

PKI refers to your Certificate infrastructure setup, if you decide to use one, since it's not really a requirement, but it's not too difficult to setup either.

It requires a root CA (which will be offline according to security best practices) and a subordinate CA to issue the certificates, you need to adjust/create some certificate templates and configure auto-enrollment. Using this technique will automatically make all your devices trusted, including the RADIUS server...

Regarding IBNS 2.0, I haven't deployed it myself yet, so can't chime in here... But if you're an all out Cisco shop, as in all your network devices are Cisco, it might be something to look into, though I'd look at the pro and cons before jumping on it.
Craig Beck commented:
IBNS is a bit much here I think.  To fully achieve IBNS2.0 you'd need to use Cisco ISE anyway as it supports things like CoA and C3PL.  There's a great white-paper about this, but as I say, I think it's a bit much here...

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-729965.html

I think the way to go here would be to use computer authentication, as you're mentioning MAC authentication.  That tells me you're not considering authenticating the user account, but rather the device.  You'd need a PKI for this.

As spravtek said, you should use 2 CAs; an offline root and an online subordinate.  This maximizes security as it stops anyone from compromising the root of your PKI chain.  The subordinate can issue device certificates and publish the CRL (certificate revocation list) so you can verify certificates without any issues.  However, I'd probably not go to the trouble of installing a subordinate in your case unless you absolutely rely on certificates for things like encryption.  You can just leave the root CA turned on.  Many people do this, especially if they're running SBS, for example.

Once you install a CA on your domain you can just install NPS and restart that server.  It will automatically obtain a certificate from the CA.  After that, configure an auto-enrollment GPO and link it to the OU where your PCs are located.  You can use the default 'Computer' certificate template for this.  It's really easy if you follow the steps in the link below...

https://technet.microsoft.com/en-gb/library/cc731522.aspx

After that, get the switch(es) configured to talk to NPS...

aaa new-model
!
! Enable 802.1X globally; without this the per-port "authentication port-control auto"
! is accepted but not enforced, and every port stays open.
dot1x system-auth-control
!
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
! RADIUS server definition (IOS 15.x "radius server" syntax); NPS listens on 1812/1813
radius server NPS
 address ipv4 192.168.0.1 auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
!
aaa group server radius NPS
 server name NPS
!
! Send 802.1X authentication and accounting to the NPS group
aaa authentication dot1x default group NPS
aaa accounting dot1x default start-stop group NPS
!
aaa session-id common
!
! Per-port: plain access port, no DTP negotiation, switch acts as the 802.1X authenticator
interface GigabitEthernet1/0/1
 description 802.1x Port
 switchport mode access
 switchport nonegotiate
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast

Replace <SHARED_SECRET> with the key you set in NPS when you configure the RADIUS client.  Replace 192.168.0.1 with the IP of the NPS server.
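A check to run before trusting a switch's 802.1X rollout, as an added example that is not part of the original thread: a small Python audit that reads a running-config and reports the pieces the post above depends on but that are easy to leave out on one of several switches: the global `dot1x system-auth-control`, the `aaa authentication dot1x` method list, a RADIUS server definition, and, on every access port, both `authentication port-control auto` and `dot1x pae authenticator`. The config text below is constructed after the posted snippet, with the global dot1x command deliberately missing and one port only half configured; trunk ports are ignored because they are not 802.1X ports.

```python
"""Audit a Catalyst running-config for the commands an 802.1X deployment needs.

Added example, not from the original thread. The config is a constructed sample.
"""

# Constructed running-config: global dot1x enable missing, Gi1/0/2 incomplete,
# Gi1/0/48 is a trunk uplink and must not be flagged.
SAMPLE_RUNNING_CONFIG = """\
aaa new-model
!
radius server NPS
 address ipv4 192.168.0.1 auth-port 1812 acct-port 1813
 key SECRET
!
aaa group server radius NPS
 server name NPS
!
aaa authentication dot1x default group NPS
aaa accounting dot1x default start-stop group NPS
!
interface GigabitEthernet1/0/1
 description 802.1x Port
 switchport mode access
 switchport nonegotiate
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/48
 description Uplink
 switchport mode trunk
!
end
"""

# Global commands matched by prefix, so "aaa authentication dot1x default group NPS"
# satisfies the third entry whatever the group is called.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "dot1x system-auth-control",
    "aaa authentication dot1x default group ",
]
REQUIRED_ON_ACCESS_PORT = ["authentication port-control auto", "dot1x pae authenticator"]


def split_config(text):
    """Return (global_lines, {interface_name: [sub_commands]})."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # back at global level (other indented blocks stay global)
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_dot1x(text):
    """Return a list of human-readable findings; an empty list means the config passes."""
    findings = []
    global_lines, interfaces = split_config(text)
    for needle in REQUIRED_GLOBAL:
        if not any(line.startswith(needle) for line in global_lines):
            findings.append("global: missing '%s'" % needle.strip())
    if not any(line.startswith(("radius server ", "radius-server host ")) for line in global_lines):
        findings.append("global: no RADIUS server defined")
    for name, sub in interfaces.items():
        if "switchport mode access" not in sub:
            continue  # trunks and uplinks are not 802.1X ports
        missing = [cmd for cmd in REQUIRED_ON_ACCESS_PORT if cmd not in sub]
        if missing:
            findings.append("%s: missing %s" % (name, missing))
    return findings


if __name__ == "__main__":
    for f in audit_dot1x(SAMPLE_RUNNING_CONFIG) or ["OK: 802.1X config complete"]:
        print(f)
```

Feed it `show running-config` from each 2960/3750X; a port that reports missing `dot1x pae authenticator` or a switch missing `dot1x system-auth-control` will happily forward traffic for any PC, which is exactly the gap this whole thread is trying to close.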