
  • Status: Solved

MAC address authentication on HP and 3Com switches

We have 3x HP ProCurve switches and 1x HP branded 3Com ProCurve switch. We need to lock down the network so that only approved devices can connect. HP's and 3Com's support has given two options for this: RADIUS or manual port configuration of each port.

RADIUS apparently won't work since we have clients ranging from DOS or NT all the way up through Win 7... plus there are some thin clients spanning across two brands, about 5-6 models, with all sorts of OSes.

The manual configuration of each port for each MAC address is a bit time-intensive and cumbersome.

Does anyone know of a software tool to manage HP and 3Com switches that can do a general MAC address approval pool so it won't matter which ports the devices plug into or move to as employees move from one office to another over time? We have several compliance requirements so auditing would be a plus too. (SOX, PCI, SEC, and ITAR) The company is only about 100 employees across two locations so the budget for this won't be on... oh let's say... a hospital's. But, a few $1,000's may be a good fit here.
2 Solutions
You can do RADIUS by MAC address. All you would need is a list of MACs off your network, which can be easily gotten from your ProCurve switch with a show command, and then enter those in the RADIUS. We use Steel Belted Radius. You can set up your XP users and Win7 users to just use AD via the RADIUS and the rest use MAC. So as you add new machines and they are Win7/XP you don't have to worry about those. Just your legacy machines.
We do the same thing on ours.

HP's IMC tool can also help with the authentication module (UAM), for both user and MAC authentication.

Not sure how much it costs but you can download a trial on their website.
iVenture_Solutions (Author) commented:
Atrevido: Are you saying that you can do MAC authentication with old PCs (before Win XP) with the built-in RADIUS server or that a 3rd party one like Steel Belted is required?

RKisnp: Thanks. We'll check it out.
AD machines can be authenticated via Steel Belted Radius; you set up the switch to check with the RADIUS server. Machines that are old or other equipment can be forced via MAC address on the SBR as well. So yes, you need an external RADIUS server.

Attached please find document screenshot showing you how to set up a profile for those MAC addresses that need to be pushed to another VLAN.
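
The workflow described in the answers above (pull the MAC list from the switch, compare it with an approved pool, load the pool into RADIUS), sketched as an added example that is not part of the original thread. The address-table layout, the sample MACs, and the FreeRADIUS-style `users` output are assumptions; Steel Belted Radius, which the answer uses, has its own import format, and the switch is assumed to send the MAC as both user name and password.

```python
import re

# Constructed sample of a ProCurve-style address table (layout assumed:
# MAC shown as xxxxxx-xxxxxx, followed by port and VLAN).
SAMPLE_TABLE = """\
  MAC Address   Port  VLAN
  ------------- ----- ----
  001560-a1b2c3 12    1
  0016b9-4455ee 7     1
  00e04c-0badc0 23    1
"""

# Constructed approved pool, in the mixed notations inventories tend to have.
APPROVED = ["00:15:60:A1:B2:C3", "0016.b944.55ee", "00-0F-FE-12-34-56"]

def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Return {mac: port} for every data row of the address table."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-fA-F]{6}-[0-9a-fA-F]{6})\s+(\S+)", line)
        if m:
            seen[normalize(m.group(1))] = m.group(2)
    return seen

def audit(table_text, approved):
    """Split observed devices into approved/unapproved; list absent ones."""
    pool = {normalize(m) for m in approved}
    seen = parse_table(table_text)
    return {
        "approved": {m: p for m, p in seen.items() if m in pool},
        "unapproved": {m: p for m, p in seen.items() if m not in pool},
        "not_seen": sorted(pool - seen.keys()),
    }

def radius_users(approved):
    """Emit FreeRADIUS-style 'users' lines for the approved pool."""
    macs = sorted({normalize(m) for m in approved})
    return "\n".join(f'{m} Cleartext-Password := "{m}"' for m in macs)

if __name__ == "__main__":
    report = audit(SAMPLE_TABLE, APPROVED)
    for mac, port in report["unapproved"].items():
        print(f"UNAPPROVED {mac} on port {port}")
    print(radius_users(APPROVED))
```

Keeping each run's report gives a dated record of which devices were seen on which ports, which covers the auditing requirement raised in the question.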
