Deny network connection on H3C switch by MAC address
Michael C asked:
We have an H3C layer 3 switch. I find that sometimes staff will bring their laptop / mobile and connect to our network through our DHCP on Server 2008.
We know their MAC address. Is it possible to deny any network access to a particular MAC address on the H3C switch?
You can get software that will disconnect the port if a machine that is not in the domain connects to it. I can't remember what it's called, though; I know Cisco do one.
ASKER
But will it block other switches and routers as well?
No, it doesn't block network devices. You can basically configure it so that if a client machine plugs into the network and doesn't have a computer account in the domain, it will disable the port until a machine that can authenticate connects to it.
Alex is referring to 802.1X. It is essentially authentication for any host that connects to the network, wirelessly or wired. Cisco's version of it is called Cisco ISE.
With 802.1X the device will either have to have an 802.1X supplicant and be able to authenticate to a RADIUS server, or be authenticated by MAC Address Bypass. In Cisco's case that is a database of allowed MAC addresses on the network that can authenticate by using an 802.1X supplicant, i.e. printers.
Check out https://packetfence.org/
They offer an open source NAC (Network Access Control) server that can get you started down that path to use 802.1X or MAC-based access control. There are other open source offerings out there too.
We are using Network Policy Server for RADIUS. It comes with Windows Server and it works great.
ASKER
It seems great, and thanks all, esp Soujia ...
ASKER
I am also looking for such a solution... I learnt from a famous engineer. He said RADIUS will cause some problems, such as delay on authentication, and will need a lot of troubleshooting... He recommends defining the MAC on a port if most workstations are static, not mobile.
You could go that route, but it's pretty simple to spoof a MAC address and get around that. At least with 802.1X it can check if the computer is in AD or look for a certificate installed on the computer.
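The thread's MAC-based option starts from a list of known MAC addresses, which in this environment will be written in at least two formats: the dashed `00-11-22-33-44-55` form that Windows DHCP shows and the `0011-2233-4455` form H3C Comware uses. The script below is an added example (not from the original thread or from any poster) that normalizes both, checks each DHCP lease against an allow-list, and reports devices that are not on it, so the known MACs can be compared with what the DHCP server actually handed out before any port rule is written. The lease lines, MAC addresses and hostnames are constructed sample data; the three-column lease layout is an assumption about the export, not the Windows Server 2008 DHCP format itself.

```python
import re

# Constructed allow-list of known staff devices, deliberately mixing the
# Windows DHCP, H3C Comware and colon separated MAC formats.
ALLOWED_MACS_RAW = [
    "00-11-22-33-44-55",   # Windows DHCP lease style (constructed)
    "0011-2233-4466",      # H3C Comware style (constructed)
    "00:11:22:33:44:77",   # colon style (constructed)
]

# Constructed sample lines shaped like a DHCP lease export:
# <ip> <mac> <hostname>. Assumed layout, not a real Windows export.
SAMPLE_LEASES = """\
192.0.2.10 00-11-22-33-44-55 WS-FINANCE-01
192.0.2.11 00-11-22-33-44-66 WS-HR-02
192.0.2.12 00-aa-bb-cc-dd-ee android-9f3c1
192.0.2.13 00:11:22:33:44:77 PRINTER-LOBBY
192.0.2.14 garbage LAPTOP-X
192.0.2.15 AC-DE-48-00-11-22 mbp-visitor
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits, accepting ':', '-' and '.'
    separators in any grouping (so both 00-11-... and 0011-2233-... work).
    Raises ValueError for anything that is not 48 bits of hex."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def to_h3c(mac: str) -> str:
    """Render a MAC in the HHHH-HHHH-HHHH grouping H3C Comware displays."""
    d = normalize_mac(mac)
    return f"{d[0:4]}-{d[4:8]}-{d[8:12]}"


def unknown_devices(leases_text: str, allowed_raw):
    """Return (ip, mac_in_h3c_form, hostname) for every lease whose MAC is
    not on the allow-list. Lines that do not parse as a MAC are skipped
    rather than silently treated as allowed."""
    allowed = {normalize_mac(m) for m in allowed_raw}
    findings = []
    for line in leases_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, mac, host = parts[0], parts[1], parts[2]
        try:
            key = normalize_mac(mac)
        except ValueError:
            continue  # malformed MAC field; not a match, not an allow
        if key not in allowed:
            findings.append((ip, to_h3c(mac), host))
    return findings


if __name__ == "__main__":
    for ip, mac, host in unknown_devices(SAMPLE_LEASES, ALLOWED_MACS_RAW):
        print(f"unknown device {host} at {ip} ({mac})")
```

Comparison is done on the normalized digits, so a device recorded as `0011-2233-4466` in the switch's notation still matches the lease `00-11-22-33-44-66` from the DHCP server; the report prints the H3C form so it can be pasted into switch configuration without retyping. As the reply above notes, a list like this only identifies what a device claims to be, so it is a starting inventory for a port rule or MAB list, not a substitute for 802.1X.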
ASKER
Yes, you are right, so we need to balance security and resources.