[c-nsp] Ethernet Authentication

David West david.h.west at gmail.com
Sat Jul 1 09:34:12 EDT 2006


PPPoE is definitely the way to go here, however IOS does have the ability to
do authentication proxy. With auth-proxy you can define an ACL to trigger
the authentication (permit tcp any any eq http for example), so when the
user hits a web site, the router pops up a username/password prompt. This
can be authenticated against RADIUS, then the router will open holes through
the ACLs to let the user through. It is subject to IP spoofing and for a
large number of users probably not so good on CPU, but it would achieve what
you're asking for, as you will be able to log into the router and use a show
command (I forget which exactly) to see authenticated users and the IP they
are using.

-DW

On 6/30/06, Paul Stewart <pstewart at nexicomgroup.net> wrote:
>
> The subject may not be the right description but I'm trying to find a
> way to authenticate a bunch of fixed-wireless customers currently...
>
> Here's my scenario:
>
> Remote POP with Cisco 2621 and Cisco 2924 or 2950 switch.  At the remote
> POP, Motorola Canopy or Trango fixed wireless customers are connected
> into the switch.  The Cisco 2621 provides DHCP to anyone connected as
> the Motorola and Trango both do their own proprietary radio
> authentication.
>
> The problem is that once the radio authenticates, then the end user
> computer gets an IP from the 2621 and they surf.  This is great until
> you want to know who is on which IP address etc.  Obviously moving the
> customers to PPPOE would work well, but that's a major change especially
> on one site where we might have to change 150-180 users at once (our
> helpdesk would shoot me lol)
>
> Ideally, what I'd like to know if it's possible is some kind of
> authentication via a web browser linked to our existing Radius.  Is
> there a way to do this in IOS and/or 3rd party?  I was thinking of 802.x
> but all these customers connect across the same ethernet port in most
> locations (or a few ports)...
>
> Thanks again to the list for your help...appreciate it...
>
> Paul Stewart
> Network Administrator
> Nexicom Inc.
> http://www.nexicom.net/
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Progress isn't made by early risers. It's made by lazy men trying to find
easier ways to do something.
  - Robert Heinlein
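
A minimal sketch of the auth-proxy setup described in the reply above, added here as an illustration and not taken from either poster's configuration. The RADIUS address and key, interface name, ACL numbers and the rule name CUST-AUTH are placeholders, and exact syntax varies by IOS release.

```cisco
! AAA: authenticate and authorize auth-proxy users against RADIUS
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 key <shared-secret>
!
! The username/password prompt is served by the router's HTTP server
ip http server
ip http authentication aaa
!
! Trigger ACL: which traffic causes the prompt (HTTP, as in the reply)
access-list 105 permit tcp any any eq www
ip auth-proxy name CUST-AUTH http list 105
!
! Customer-facing interface (assumed name): default-deny inbound ACL.
! DHCP and DNS stay open so a client can get its lease from the router
! and resolve a name before the prompt appears.
! Assumption: intercepted HTTP still triggers the prompt with this ACL
! in place; confirm on the IOS release in use.
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit udp any any eq domain
access-list 110 deny   ip any any
!
interface FastEthernet0/0
 ip access-group 110 in
 ip auth-proxy CUST-AUTH
!
! Per-user RADIUS profile (Cisco AV pairs) defines the holes opened
! after login, for example:
!   auth-proxy:priv-lvl=15
!   auth-proxy:proxyacl#1=permit ip any any
! The router rewrites the source of each proxyacl entry to the client's
! IP address, so the session is bound to an IP, not to a MAC or port.
! That binding is the IP spoofing exposure mentioned in the reply.
!
! Exec commands to list authenticated users with their IPs, and to
! drop all entries:
!   show ip auth-proxy cache
!   clear ip auth-proxy cache *
```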

