MAC address authentication on HP and 3Com switches

We have 3x HP ProCurve switches and 1x HP branded 3Com ProCurve switch. We need to lock down the network so that only approved devices can connect. HP's and 3Com's support has given two options for this: RADIUS or manual port configuration of each port.

RADIUS apparently won't work since we have clients ranging from DOS or NT all the way up through Win 7... plus there are some thin clients spanning across two brands, about 5-6 models, with all sorts of OSes.

The manual configuration of each port for each MAC address is a bit time-intensive and cumbersome.

Does anyone know of a software tool to manage HP and 3Com switches that can do a general MAC address approval pool so it won't matter which ports the devices plug into or move to as employees move from one office to another over time? We have several compliance requirements, so auditing would be a plus too (SOX, PCI, SEC, and ITAR). The company is only about 100 employees across two locations so the budget for this won't be on... oh let's say... a hospital's. But, a few $1,000's may be a good fit here.

You can do RADIUS by MAC address. All you would need is a list of MACs off your network, which can be easily gotten from your ProCurve switch with a show command, and then enter those in the RADIUS. We use Steel Belted Radius. You can set up your XP users and Win7 users to just use AD via the RADIUS and the rest use MAC. So as you add new machines and they are Win7/XP, you don't have to worry about those. Just your legacy machines.
We do the same thing on ours.
HP's IMC tool can also help with the authentication module (UAM), for either user or MAC authentication.

Not sure how much it costs but you can download a trial on their website.
iVenture_Solutions (Author) commented:
Atrevido: Are you saying that you can do MAC authentication with old PCs (before Win XP) with the built-in RADIUS server or that a 3rd party one like Steel Belted is required?

RKisnp: Thanks. We'll check it out.
AD machines can be authenticated via Steel Belted Radius; you set up the switch to check with the RADIUS server. Machines that are old or other equipment can be forced via MAC address on the SBR as well. So yes, you need an external RADIUS server.

Attached please find a document screenshot showing you how to set up a profile for those MAC addresses that need to be pushed to another VLAN.
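The step described in the answers above (pull the learned MACs from the switch, then enter them in the RADIUS server) can be scripted. The following is an added example, not part of the original thread: it parses a constructed listing in the style of a ProCurve MAC table and emits FreeRADIUS-style `users` entries, used here in place of Steel Belted Radius. The table layout, the uplink port number, and the delimiter-free lowercase user name are assumptions; the user name format must match whatever MAC format the switch is configured to send.

```python
import re

# Constructed sample in the style of a ProCurve MAC table listing
# (assumed layout: MAC as xxxxxx-xxxxxx, then port, then VLAN).
SAMPLE = """\
  MAC Address   Port  VLAN
  ------------- ----- ----
  001b3f-0a1c22 3     1
  0026f1-9d44e0 7     1
  001b3f-0a1c22 24    1
  00e04c-77b2aa 24    1
  0026F1-9D44E0 7     1
"""

MAC_RE = re.compile(r"^\s*([0-9A-Fa-f]{6}-[0-9A-Fa-f]{6})\s+(\S+)\s+(\d+)\s*$")


def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_table(text, uplink_ports=()):
    """Return {mac: sorted edge ports}; MACs seen only on uplinks are dropped."""
    seen = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if not m:
            continue  # header, separator, or blank line
        mac, port = normalize(m.group(1)), m.group(2)
        if port in uplink_ports:
            continue  # learned through another switch, not attached here
        seen.setdefault(mac, set()).add(port)
    return {mac: sorted(ports) for mac, ports in sorted(seen.items())}


def radius_users(macs):
    """FreeRADIUS-style users entries: MAC is both user name and password."""
    return "\n".join(f'{m} Cleartext-Password := "{m}"' for m in macs)


if __name__ == "__main__":
    table = parse_table(SAMPLE, uplink_ports={"24"})  # port 24: assumed uplink
    print(radius_users(table))
```

The dictionary returned by `parse_table` records the port each approved MAC was first seen on, which can be kept as the audit baseline for the allowlist.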
