Hello
I am looking for a function to only allow authentication requests from a specific VLAN.
For example, if someone wants to log in via telnet from VLAN 220 to the OS6850, they will not get a login window.
If someone tries to log on from VLAN 40 or VLAN 35, they will get the login window and can authenticate against the RADIUS server.
Is this possible?
Regarding our config: we are using RADIUS-based authentication. Software version on the switches: 6.4.3.810
Authentication based on VLAN and RADIUS Server
Re: Authentication based on VLAN and RADIUS Server
Hi,
If I understand you correctly, you don't mean user authentication (to access the network); you are looking for a solution for switch management access. Correct?
If yes, there shouldn't be any possibility to have management access without login.
Regards,
Silvio
Andi11x
Re: Authentication based on VLAN and RADIUS Server
Yes, it should only be possible to reach the login over a configured VLAN.
So you must have the following situation to log in on a switch:
VLAN 35, 40
Login (RADIUS user)
Re: Authentication based on VLAN and RADIUS Server
With policies it should be possible; here is a little example (not tested):
! ALLOW rules have the higher precedence and match first; the DENY rule catches the rest.
policy condition MGM-ALLOW-35 source vlan 35
policy condition MGM-ALLOW-40 source vlan 40
! "Switch" is the built-in network group containing the switch's own IP interfaces.
policy condition MGM-DENY destination network group Switch
! AOS 6.x dispositions are accept / drop / deny ("permit" is not a valid keyword).
policy action ALLOW disposition accept
policy action DENY disposition drop
policy rule MGM-ALLOW-35 condition MGM-ALLOW-35 action ALLOW precedence 100
policy rule MGM-ALLOW-40 condition MGM-ALLOW-40 action ALLOW precedence 90
policy rule MGM-DENY condition MGM-DENY action DENY precedence 10
qos apply
With these policies you deny all traffic to the switch from VLANs other than 35 and 40.
You can also add the allowed ports for telnet, ssh, https, etc. to your conditions.
Hope you will find your solution now.
Regards,
Silvio
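A fuller version of the same idea in AOS 6.x policy syntax, added here as an illustration and not taken from any post in this thread. It narrows the accept rules so that only SSH (TCP 22) and HTTPS (TCP 443) from VLAN 35 and 40 reach the switch's own addresses, keeps the RADIUS server's replies flowing (otherwise the catch-all drop would also discard them and every login would fail), and drops everything else addressed to the switch. The service, condition and rule names and the RADIUS server address 192.0.2.10 are assumptions; replace them with your own.

```text
! Added example (not from the original post). Names and 192.0.2.10 are assumptions.
! Management services we are willing to accept towards the switch itself.
policy service MGMT-SSH protocol 6 destination ip port 22
policy service MGMT-HTTPS protocol 6 destination ip port 443
policy service group MGMT-SERVICES MGMT-SSH MGMT-HTTPS

! "Switch" is the built-in network group holding the switch's own IP interfaces,
! so these conditions only match traffic addressed to the switch, not transit traffic.
policy condition MGMT-FROM-35 source vlan 35 destination network group Switch service group MGMT-SERVICES
policy condition MGMT-FROM-40 source vlan 40 destination network group Switch service group MGMT-SERVICES
! Replies from the RADIUS server must still reach the switch or nobody can log in.
policy condition MGMT-RADIUS-REPLY source ip 192.0.2.10 destination network group Switch
! Catch-all for anything else addressed to the switch.
policy condition MGMT-ANY destination network group Switch

policy action ACCEPT disposition accept
policy action DROP disposition drop

! Higher precedence is evaluated first; first match wins.
policy rule MGMT-FROM-35 condition MGMT-FROM-35 action ACCEPT precedence 100
policy rule MGMT-FROM-40 condition MGMT-FROM-40 action ACCEPT precedence 90
policy rule MGMT-RADIUS-REPLY condition MGMT-RADIUS-REPLY action ACCEPT precedence 80
policy rule MGMT-DROP condition MGMT-ANY action DROP precedence 10

! Activate the pending policy configuration, verify, then save.
qos apply
show active policy rule
write memory
```

Enter this from the console or from a session that already sits in VLAN 35 or 40: once `qos apply` runs, any other session to the switch's IP addresses is cut off, and only the console is unaffected by QoS policies. Telnet is deliberately left out of the service group because it carries the RADIUS username and password in clear text; if you must keep it for now, add a `policy service MGMT-TELNET protocol 6 destination ip port 23` to MGMT-SERVICES. Any other server the switch itself talks to (NTP, DNS, SNMP manager) needs an accept rule like MGMT-RADIUS-REPLY, or its replies will be dropped as well.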