Wired Ethernet
I highly recommend you have a read of Layer 2 Security by Eric Vyncke. To have an auditable network you need to be sure that every MAC address seen on a particular port is accounted for: some username or host authentication has taken place for that MAC. Once you have your Layer 2 secured you effectively get Layer 3 protection for free: force DHCP at the edge and you know that no one is spoofing their IP. After reading this I hope you will agree there is no reason why this cannot be turned on, especially as it is even available on an old, battered 2960.
Until relatively recent versions of IOS some of these features clashed, so you must run at least IOS version 12.2(40); otherwise you will not be able to run 802.1X alongside your Layer 2 security infrastructure. Remember that 802.1X only associates some kind of authentication with the host; it does not prevent much in the way of further abuses.
To enable MAC based authentication you will need the following in your FreeRADIUS 'hints' file:
# deal with dot1x-esque MAC authentication
DEFAULT Cisco-NAS-Port =* ANY, NAS-Port-Type == Ethernet, Service-Type == Call-Check, User-Name =~ "^[0-9a-f]{12}$"
	User-Name := "%{User-Name}@REALM",
	NAS-Port-Id = "%{Cisco-NAS-Port}"

# If the vendor-specific Cisco-NAS-Port is set then copy the value of the
# attribute into NAS-Port-Id to make things more RFCish
DEFAULT Cisco-NAS-Port =* ANY
	NAS-Port-Id = "%{Cisco-NAS-Port}"
In the above snippet you need to replace 'REALM' with your local realm, such as 'example.ac.uk'.
A useful explanation of what is happening on the Cisco kit regarding its 802.1X state machine is available on Cisco's website.
3750 (should work on the 29[67]0 and 3550 too) [ IOS 12.2(40)+ ]
[snipped]
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
dot1x system-auth-control
errdisable recovery interval 300
errdisable recovery cause arp-inspection
errdisable recovery cause security-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
ip dhcp snooping database flash:dhcp-snoop.db
ip dhcp snooping vlan <VLANS-TO-SNOOP>
ip dhcp snooping
no ip dhcp snooping information option
ip dhcp snooping verify mac-address
ip arp inspection vlan <VLANS-TO-SNOOP>
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
ip arp inspection validate src-mac ip
ip arp inspection validate dst-mac src-mac ip
[snipped]
! your edge ports
interface range FastEthernet1/0/1 - 48
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! if you do not set this to 1440 you get a complete 802.1X reauth every five minutes
 switchport port-security aging time 1440
 switchport port-security aging type inactivity
 no ip arp inspection trust
 ip arp inspection limit rate 15
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 10
 ip verify source
 ip verify source port-security
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 ! uncomment the following two if you want WoL
 !switchport access vlan <unauthorised VLAN ID>
 !dot1x control-direction in
 dot1x timeout quiet-period 3
 dot1x timeout server-timeout 10
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 5
 dot1x reauthentication
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
! your trunk links
int range Po1 - 2
 ip dhcp snooping trust
 ip arp inspection trust
[snipped]
radius-server host <DETAILS>
radius-server source-ports 1645-1646
radius-server unique-ident 4
radius-server vsa send accounting
radius-server vsa send authentication
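The template above is only useful if every edge port actually carries it, so here is an added example (not from the original page) of a small Python audit that splits a running-config into interface stanzas and reports access ports that are missing the hardening lines or that have been marked trusted for DHCP snooping or ARP inspection. The interface names and the sample config are constructed for the example.

```python
import re
# Edge-port hardening from the 3750 template above; rate values are site-specific.
REQUIRED_EDGE = [
    r"switchport port-security", r"switchport port-security maximum 1",
    r"ip dhcp snooping limit rate \d+", r"ip arp inspection limit rate \d+",
    r"ip verify source", r"dot1x port-control auto",
    r"spanning-tree bpduguard enable",
]
# Trust belongs on uplinks only; on an access port it bypasses snooping and DAI.
FORBIDDEN_EDGE = ["ip dhcp snooping trust", "ip arp inspection trust"]
def parse_interfaces(config):
    """Split an IOS running-config into {interface name: [stanza lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        elif line and not line.startswith("!"):
            current = None  # any other top-level command ends the stanza
    return blocks

def audit_edge_ports(config):
    """Return {interface: [findings]} for access ports that miss the template."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and port-channels are judged separately
        problems = ["missing: " + p.replace(r" \d+", "") for p in REQUIRED_EDGE
                    if not any(re.fullmatch(p, l) for l in lines)]
        problems += ["forbidden: " + b for b in FORBIDDEN_EDGE if b in lines]
        if problems:
            findings[name] = problems
    return findings

# Constructed sample: Fa1/0/1 carries the template, Fa1/0/2 has drifted, Po1 is an uplink.
SAMPLE_CONFIG = "interface FastEthernet1/0/1\n switchport mode access\n " + "\n ".join(
    p.replace(r"\d+", "15") for p in REQUIRED_EDGE) + """
!
interface FastEthernet1/0/2
 switchport mode access
 ip dhcp snooping trust
 dot1x port-control auto
!
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
"""
```

Feed it the output of `show running-config` and anything returned for a port is a deviation from the edge template worth chasing before trusting the audit trail.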
