HPE Community
Switches, Hubs, and Modems
1752439 Members
5808 Online
108788 Solutions
New Discussion юеВ

Re: Port Security Exclusions?

 
Jason Scott
Regular Advisor

тАО09-16-2008 05:49 AM

тАО09-16-2008 05:49 AM

Port Security Exclusions?

I'm looking into and testing 802.1x security on the LAN in conjunction with IDM. I want to authorise all domain computers and domain users and have this working.

Next I want to exclude Mitel IP phones from authentication - or grant any devices beginning with 08-00-0f (mitel vendor code) access to our voice vlan. I also need to be able to add exclusions for any devices which don't support 802.1x but that we are aware of. Is this possible? I presume this would be configured on the switch or radius server and not touch any part of IDM?

Thanks,
0 Kudos
5 REPLIES 5
Matt Hobbs
Honored Contributor

тАО09-17-2008 12:46 AM

тАО09-17-2008 12:46 AM

Re: Port Security Exclusions?

Can't you configure the Mitel phones to also use 802.1X? That would be nicest solution.

For other devices that don't support 802.1X, you can use the unauth-vid feature which will put those users into a different (more restricted?) VLAN.

You could also use mac-auth and web-auth for those devices.
0 Kudos
eng.Zohair
Esteemed Contributor

тАО09-17-2008 01:48 AM

тАО09-17-2008 01:48 AM

Re: Port Security Exclusions?

Hello Jason,

This link may help you

http://www.procurve.com/NR/rdonlyres/06538B80-6DB0-4AC6-893E-8E8E12A180C6/0/ConfiguringFreeRADIUSwithIDMbyExample_Dec_07_WW_Eng_Ltr.pdf


Regards,
Points are welcomed
Jan
0 Kudos
Jason Scott
Regular Advisor

тАО09-17-2008 11:33 PM

тАО09-17-2008 11:33 PM

Re: Port Security Exclusions?

Matt - we have over 2000 phones deployed and reconfiguring them manually isn't an option. I haven't looked to see if they can be done centrally yet. Although in testing my own phone detected 802.1x but asked for a username and password. We cannot ask our users to log in to the phone. They have enough trouble with standard PCs as it is :)

Jan - thanks. That looks like a good document and covers the configuration of radius that is missing from the IDM manual.
0 Kudos
Matt Hobbs
Honored Contributor

тАО09-18-2008 12:26 AM

тАО09-18-2008 12:26 AM

Re: Port Security Exclusions?

Let us know if you do find out that you can centrally set the handsets for 802.1X somehow. I'd like to know what the best practice is too, i.e. configure all phones with the same 802.1X credentials?
0 Kudos
Jason Scott
Regular Advisor

тАО09-18-2008 06:39 AM

тАО09-18-2008 06:39 AM

Re: Port Security Exclusions?

I've received some information from Mitel, however it appears you need to configure a username and password on each phone.

This means our only option is some sort of exclusion or mac based authentication. When I initially started looking at IDM I was under the impression that it might play a more active role in authenticating users and devices. I was hoping we could setup lists of devices, or mac vendor wildcards which would be placed into certain vlans. For example, all our digital xray viewers would be placed into our PACS vlan. All our heart rate monitors would be placed into their vlan. Because we use multiple vlans for different classes of non-windows devices we're unable to make use of the unauth vlan.

I thought about perhaps just deploying 802.1x to switches and ports where we know standard windows workstations are connected, but this somewhat defeats the objective we are trying to achieve, which was to lock down the network as much as possible but maintain easy management and not increase support overheads.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.