https://community.hpe.com/t5/security-e-series/switch-security-enforcement-authenticator-in-local-mode/m-p/6059173#M212 <P>Hello,</P><P>&nbsp;</P><P>I'm trying to find a good way to enforce my network security.</P><P>&nbsp;</P><P>Our network is a grid of about 15 switches, with spanning tree active.</P><P>So we have always a minimum of two paths to communicate from one switch to another.</P><P>We use 5 vlans, deployed on all the switches.</P><P>The links between the switches are fiber or ethernet gigabit.</P><P><BR />We have a dedicated Management vlan.</P><P>We have a radius server for authentication on the switches</P><P>&nbsp;</P><P>But I can't be sure that nobody will gain physical access to my switch, or won't connect his own computer on one of my network plugs somewhere in the plant.</P><P>&nbsp;</P><P>So we have already disabled the clear and reset buttons on the switches.</P><P>And we are going to use port-access + radius + 802.1x to control every port connected to a public plug.</P><P>&nbsp;</P><P>But I would like to securize the links between the switches :</P><P>&nbsp;</P><P>If someone gain physical access to the switch, disconnect an inter-switch link and connect a computer on the port</P><P>he may be able to see all my vlans, and because of spanning tree, he get a full access on my network.</P><P>&nbsp;</P><P>So I tried the 802.1x authentication on those inter-switches ports.</P><P>&nbsp;</P><P>It works, but only with a radius server. So it works only in one direction.</P><P>If you connect a computer on the supplicant port, you get access to the switch.</P><P><BR />and because the supplicant does not have an access to the radius, I can't make it acting as authenticator.</P><P>&nbsp;</P><P>So the good way to do this is to use the local authentication for 802.1x : you don't need any connection to any device prior to establish the connection to the network.</P><P>&nbsp;</P><P>But with none of my switches (2510, 2610, 2910 or 2530) I was able to use local authentication. I've tried with my Manager and Operator credentials, changing or not the usernames, I always get a never ending authentication.</P><P>&nbsp;</P><P>As some forums mention it the</P><P><STRONG>password port-access</STRONG> command is not available in the switches,</P><P>&nbsp;</P><P>So it is impossible to configure correctly the authenticator in local mode.</P><P>&nbsp;</P><P>So IMHO there is no way to get a strict control over the inter-switches ports if someone get a physical access to a switch.</P><P>I can't use protected ports in inter-switches links because they are limited to 8 mac-addresses learned.</P><P>&nbsp;</P><P>Definitely, I think that 802.1x + local authentication is the only way.</P><P>&nbsp;</P><P>Does someone have an idea on howto do this ?</P><P>&nbsp;</P><P>Damien</P> Wed, 08 May 2013 16:05:07 GMT Damduq 2013-05-08T16:05:07Z https://community.hpe.com/t5/security-e-series/switch-security-enforcement-authenticator-in-local-mode/m-p/6059173#M212 <P>Hello,</P><P>&nbsp;</P><P>I'm trying to find a good way to enforce my network security.</P><P>&nbsp;</P><P>Our network is a grid of about 15 switches, with spanning tree active.</P><P>So we have always a minimum of two paths to communicate from one switch to another.</P><P>We use 5 vlans, deployed on all the switches.</P><P>The links between the switches are fiber or ethernet gigabit.</P><P><BR />We have a dedicated Management vlan.</P><P>We have a radius server for authentication on the switches</P><P>&nbsp;</P><P>But I can't be sure that nobody will gain physical access to my switch, or won't connect his own computer on one of my network plugs somewhere in the plant.</P><P>&nbsp;</P><P>So we have already disabled the clear and reset buttons on the switches.</P><P>And we are going to use port-access + radius + 802.1x to control every port connected to a public plug.</P><P>&nbsp;</P><P>But I would like to securize the links between the switches :</P><P>&nbsp;</P><P>If someone gain physical access to the switch, disconnect an inter-switch link and connect a computer on the port</P><P>he may be able to see all my vlans, and because of spanning tree, he get a full access on my network.</P><P>&nbsp;</P><P>So I tried the 802.1x authentication on those inter-switches ports.</P><P>&nbsp;</P><P>It works, but only with a radius server. So it works only in one direction.</P><P>If you connect a computer on the supplicant port, you get access to the switch.</P><P><BR />and because the supplicant does not have an access to the radius, I can't make it acting as authenticator.</P><P>&nbsp;</P><P>So the good way to do this is to use the local authentication for 802.1x : you don't need any connection to any device prior to establish the connection to the network.</P><P>&nbsp;</P><P>But with none of my switches (2510, 2610, 2910 or 2530) I was able to use local authentication. I've tried with my Manager and Operator credentials, changing or not the usernames, I always get a never ending authentication.</P><P>&nbsp;</P><P>As some forums mention it the</P><P><STRONG>password port-access</STRONG> command is not available in the switches,</P><P>&nbsp;</P><P>So it is impossible to configure correctly the authenticator in local mode.</P><P>&nbsp;</P><P>So IMHO there is no way to get a strict control over the inter-switches ports if someone get a physical access to a switch.</P><P>I can't use protected ports in inter-switches links because they are limited to 8 mac-addresses learned.</P><P>&nbsp;</P><P>Definitely, I think that 802.1x + local authentication is the only way.</P><P>&nbsp;</P><P>Does someone have an idea on howto do this ?</P><P>&nbsp;</P><P>Damien</P> Wed, 08 May 2013 16:05:07 GMT https://community.hpe.com/t5/security-e-series/switch-security-enforcement-authenticator-in-local-mode/m-p/6059173#M212 Damduq 2013-05-08T16:05:07Z