Will RADIUS work on unexpected port access?

[JBruyet]

Hey all, I'm setting up security on my ProCurve 2524 switches to secure them against someone hooking up a laptop and going for a drive (there's an unsecured but necessary IDF room in the mix). I was planning on using Windows Server 2003 and IAS but I'm now thinking this will only work for someone actually logging into the switch. Is there a way to secure ports so someone can't just plug in and go? I was trying to do the Port Security on the Security tab but I'm not up for entering MAC addresses for every device on the network. Anyone have any ideas?

Thanks,

Joe B

 

[unclerico]

You enable dot1x on the switch (Authenticator), you configure your trusted devices to use 802.1x (Supplicant), and finally create access policies on your IAS box (authentication database). If you have dot1x enabled the only frames that will pass on the port are EAPoL frames. If the device and user are authenticated the port will be put into forwarding state. If the device/user is not trusted then authentication will fail and you can either have the port shutdown or use RADIUS attributes to return dynamic VLAN configuration and permit guest access if you want.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[JBruyet]

Thanks, unclerico, for letting me know that it is possible. I do have one question though--by "trusted devices" are you referring to all of the computers/servers on the network? All of those devices are going to need access through this "corridor" I'm working on.

Thanks,

Joe B

 

[unclerico]

You can enable dot1x authentication on a port by port basis. I am referring to any computer that you deem trusted so if it is all computers on your network, then, yes.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[JBruyet]

Got it. I'll give it a shot.

Thanks,

Joe B