Deny network connection on H3C switch by MAC address

We have an H3C layer 3 switch. I find that staff sometimes bring their laptops / mobiles and connect to our network through our DHCP on Server 2008.

We know their MAC addresses. Is it possible to deny network access to a particular MAC address on the H3C switch?
Michael CIT Asked:

Alex, Senior Infrastructure Analyst, Commented:
You can get software which will disconnect the port if a machine not in the domain connects to it. I can't remember what it's called though; I know Cisco do one.
Michael CIT, Author, Commented:
But will it block other switches and routers as well?
Alex, Senior Infrastructure Analyst, Commented:
No, it doesn't block network devices. You can basically configure it so that if a client machine plugs into the network and doesn't have a computer account in the domain, it will disable the port until a machine which can authenticate connects to it.

Alex is referring to 802.1x. It is essentially authentication for any host that connects to the network, wirelessly or wired. Cisco's version of it is called Cisco ISE.
With 802.1x the device will either have to have an 802.1x supplicant and be able to authenticate to a RADIUS server or be authenticated by MAC Address Bypass. In Cisco's case it is a database of allowed MAC addresses on the network that can authenticate by using an 802.1x supplicant, i.e. printers.
802.1x is an open standard protocol so your H3C switch should support it. You will need a RADIUS server to incorporate in the mix in order for it to work. Implementing 802.1x is a true task. There are hundreds of use cases that need to be addressed before deploying it.

Check out

They offer an open source NAC (Network Access Control) server that can get you started down that path to use 802.1x or MAC-based access control. There are other open source offerings out there too.
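
The admission order described in this answer (802.1x supplicant first, MAC bypass as the fallback), modelled in Python as an added example that is not code from the thread or from any vendor. The function names, the block list taking priority, and the sample MAC addresses are assumptions constructed for illustration; MAC normalisation is included because switches, DHCP consoles and RADIUS back ends write the same address in different notations.

```python
import re

def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.\s]", "", raw.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def admit(mac, supplicant_result, mab_allowlist, denylist):
    """Decide port access for one host.

    supplicant_result: True/False for an 802.1x attempt against RADIUS,
    None when the host has no supplicant (printer-style device).
    """
    mac = normalize_mac(mac)
    if mac in denylist:                  # assumption: explicit blocks win
        return "deny", "MAC on block list"
    if supplicant_result is True:
        return "permit", "802.1x authenticated"
    if supplicant_result is False:
        return "deny", "802.1x authentication failed"
    if mac in mab_allowlist:             # fallback: MAC bypass database
        return "permit", "MAB"
    return "deny", "no supplicant and not in MAB database"

# Constructed sample data; MACs use the IANA documentation range 00-00-5E-00-53-xx.
MAB_ALLOWLIST = {normalize_mac("00-00-5E-00-53-10")}   # a printer
DENYLIST = {normalize_mac("0000-5e00-53aa")}           # a known staff laptop

HOSTS = [
    ("domain-pc",    "00:00:5e:00:53:01", True),
    ("printer",      "0000.5e00.5310",    None),
    ("staff-laptop", "00:00:5E:00:53:AA", None),
    ("staff-phone",  "00-00-5E-00-53-BB", None),
    ("bad-cred-pc",  "00005e005302",      False),
]

def evaluate(hosts):
    """Return {name: (decision, reason)} for every host in the list."""
    return {name: admit(mac, result, MAB_ALLOWLIST, DENYLIST)
            for name, mac, result in hosts}

if __name__ == "__main__":
    for name, (decision, reason) in evaluate(HOSTS).items():
        print(f"{name:13} {decision:6} {reason}")
```
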
Andy Bartkiewicz, Network Analyst, Commented:
We are using Network Policy Server for RADIUS. It comes with Windows Server and it works great.
Michael CIT, Author, Commented:
It seems great, and thanks all, esp Soujia ...