Michael C asked:

Deny network connection on H3C switch by MAC address

We have an H3C layer 3 switch. I find that sometimes staff will bring their laptop / mobile and connect it to our network through our DHCP on Server 2008.

We know their MAC addresses. Is it possible to deny all network access to a particular MAC address on an H3C switch?
Alex:

You can get software which will disconnect the port if a machine not in the domain connects to it. I can't remember what it's called though; I know Cisco do one.
Michael C (asker):

But will it block other switches and routers as well?
No, it doesn't block network devices. You can basically configure it so that if a client machine plugs into the network and doesn't have a computer account in the domain, it will disable the port until a machine which can authenticate connects to it.
Alex is referring to 802.1X. It is essentially authentication for any host that connects to the network, wirelessly or wired. Cisco's version of it is called Cisco ISE.
With 802.1X the device will either have to have an 802.1X supplicant and be able to authenticate to a RADIUS server, or be authenticated by MAC Address Bypass. In Cisco's case this is a database of allowed MAC addresses on the network that can authenticate by using an 802.1X supplicant, i.e. printers.
ASKER CERTIFIED SOLUTION
Soulja:

Check out https://packetfence.org/

They offer an open source NAC (Network Access Control) server that can get you started down that path to use 802.1X or MAC-based access control. There are other open source offerings out there too.
We are using Network Policy Server for RADIUS. It comes with Windows Server and it works great.
It seems great, and thanks all, especially Soulja...
I am also looking for such a solution... I learnt from a famous engineer. He said RADIUS will cause some problems, such as delay on authentication, and will need a lot of troubleshooting... He recommends defining the MAC on a port if most workstations are static, not mobile.
You could go that route, but it's pretty simple to spoof a MAC address and get around that. At least with 802.1X it can check if the computer is in AD or look for a certificate installed on the computer.
Yes, you are right, so it needs to balance security and resources.
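As an added example (not from the original thread and not taken from H3C documentation), here is what the three approaches discussed above look like on an H3C Comware V5 switch: a blackhole MAC entry that drops a known unwanted MAC (the literal answer to the question), port security binding one known MAC to a port for static desks (the approach in Michael's last post), and 802.1X against the Windows NPS RADIUS server (the approach the accepted answer and the other replies recommend). The MAC addresses, VLAN 10, the interface numbers, the NPS address 10.0.0.5 and the shared secret are constructed placeholders; the `#` lines are explanatory and are not typed in. Keyword spelling differs between Comware V5 and V7 releases, so check each command against the switch's own command reference before pasting.

```text
# --- 1. Drop every frame from (or to) one known MAC, switch-wide ---
# A blackhole MAC entry is the direct answer to "deny this MAC": the
# switch discards any frame whose source or destination MAC matches,
# on every port in that VLAN. MACs and VLAN 10 are assumed values.
system-view
vlan 10
 quit
mac-address blackhole 0011-2233-4455 vlan 10
mac-address blackhole 0011-2233-4466 vlan 10
display mac-address blackhole

# --- 2. Bind a known workstation MAC to its port (static desks) ---
# Port security with max-mac-count 1 and one secure MAC entry: the port
# forwards only that address; any other source MAC is an intrusion and
# the port is disabled for 60 seconds. Caveat raised in the thread: a
# laptop whose MAC is changed to the desktop's address is let through.
port-security enable
port-security timer disableport 60
interface GigabitEthernet1/0/5
 port access vlan 10
 port-security max-mac-count 1
 port-security port-mode autolearn
 port-security intrusion-mode disableport-temporarily
 port-security mac-address security 0011-2233-6677 vlan 10
 quit
display port-security interface GigabitEthernet1/0/5

# --- 3. 802.1X against the Windows NPS RADIUS server ---
# Authenticates the user or computer account (or a machine certificate)
# instead of the hardware address, so a spoofed MAC on its own does not
# get a port opened. 10.0.0.5 and the shared secret are assumed values
# and must match the RADIUS client entry configured in NPS.
radius scheme nps
 primary authentication 10.0.0.5 1812
 key authentication nps-shared-secret
 quit
domain corp
 authentication lan-access radius-scheme nps
 authorization lan-access radius-scheme nps
 accounting lan-access none
 quit
domain default enable corp
dot1x
interface GigabitEthernet1/0/7
 dot1x
 quit
display dot1x interface GigabitEthernet1/0/7
```

Approach 1 only helps against the MACs you already know and is trivially sidestepped by changing the MAC; approach 2 stops unknown hardware on fixed desks but has the same spoofing weakness; approach 3 is the one that ties the port to an identity NPS can verify in AD, at the cost of the RADIUS dependency and troubleshooting that Michael's engineer warned about.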