MAC address authentication on HP and 3Com switches

Posted on 2012-09-19
Last Modified: 2013-12-06
We have 3x HP ProCurve switches and 1x HP branded 3Com ProCurve switch. We need to lock down the network so that only approved devices can connect. HP's and 3Com's support has given two options for this: RADIUS or manual port configuration of each port.

RADIUS apparently won't work since we have clients ranging from DOS or NT all the way up through Win 7... plus there are some thin clients spanning across two brands, about 5-6 models, with all sorts of OSes.

The manual configuration of each port for each MAC address is a bit time-intensive and cumbersome.

Does anyone know of a software tool to manage HP and 3Com switches that can do a general MAC address approval pool so it won't matter which ports the devices plug into or move to as employees move from one office to another over time? We have several compliancy requirements so auditing would be a plus too. (SOX, PCI, SEC, and ITAR) The company is only about 100 employees across two locations so the budget for this won't be on... oh let's say... a hospital's. But, a few $1,000's may be a good fit here.
Question by:iVenture_Solutions
    LVL 12

    Expert Comment

    You can do RADIUS by MAC address.  All you would need is a list of MACs off your network which can be easily gotten from your ProCurve switch with a show command and then enter those in the RADIUS.  We use Steel Belted Radius.  You can set up your XP users and Win7 users to just use AD via the RADIUS and the rest use MAC.  So as you add new machines and they are Win7/XP you don't have to worry about those.  Just your legacy machines.
    We do the same thing on ours.
    LVL 6

    Assisted Solution

    HP's IMC tool can also help with the authentication module (UAM), for both user or MAC authentication.

    Not sure how much it costs but you can download a trial on their website.

    Author Comment

    Atrevido: Are you saying that you can do MAC authentication with old PCs (before Win XP) with the built-in RADIUS server or that a 3rd party one like Steel Belted is required?

    RKisnp: Thanks. We'll check it out.
    LVL 12

    Accepted Solution

    AD machines can be authenticated via Steel Belted Radius; you set up the switch to check with the RADIUS server.  Machines that are old or other equipment can be forced via MAC address on the SBR as well.  So yes, you need an external RADIUS server.

    Attached please find a document screenshot showing you how to set up a profile for those MAC addresses that need to be pushed to another VLAN.
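
The step described in the answers above (pull the MAC list from the switch with a show command, then enter it in the RADIUS server) can be scripted. The following is an added example, not code from the thread or from HP: it turns pasted MAC-table output into a de-duplicated list for approval before entry. The sample output layout, the `trunk_ports` parameter and the lowercase no-delimiter form are assumptions; match whatever format your switch actually sends as the RADIUS username.

```python
import re

# Constructed sample of pasted switch output (layout is an assumption).
SAMPLE_SHOW_OUTPUT = """\
 Status and Counters - Port Address Table
  MAC Address   Port  VLAN
  ------------- ----- ----
  001b3f-0a11c2 3     1
  0024a8-7de501 7     1
  0024A8-7DE501 12    1
  02005e-10aa01 5     1
  00e04c-5500f9 24    10
"""

# Six hex pairs with optional '-', ':' or '.' between pairs.
MAC_RE = re.compile(r"\b((?:[0-9a-f]{2}[-:.]?){5}[0-9a-f]{2})\b", re.I)

def normalize(mac):
    """Return the MAC as 12 lowercase hex digits with no delimiter."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()

def build_allow_list(show_output, trunk_ports=()):
    """Map normalized MAC -> sorted ports it was learned on, skipping uplinks."""
    seen = {}
    for line in show_output.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # header, separator or blank line
        fields = line[m.end():].split()
        port = fields[0] if fields else "?"
        if port in trunk_ports:
            continue  # MACs learned on an uplink belong to another switch
        seen.setdefault(normalize(m.group(1)), set()).add(port)
    return {mac: sorted(ports) for mac, ports in seen.items()}

def review_rows(allow_list):
    """Rows for human approval: (mac, ports, note) before RADIUS entry."""
    rows = []
    for mac, ports in sorted(allow_list.items()):
        notes = []
        if int(mac[:2], 16) & 0x02:
            notes.append("locally administered")  # address set in software
        if len(ports) > 1:
            notes.append("seen on multiple ports")  # moved device or duplicate
        rows.append((mac, ",".join(ports), "; ".join(notes)))
    return rows
```

Rows carrying a note are worth checking by hand before approval, since MAC-based authentication trusts whatever address a device presents.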
