
Port Security vs Radius Authentication

 
jftuga
Occasional Contributor

Port Security vs Radius Authentication

Our network supports a three-floor health care facility for university students. We want to lock down Ethernet ports so that students or other outside entities cannot plug in their laptops and get network access. I have created a list of all of our known, authorized MAC addresses. We are trying to decide if we should use MAC-based port authentication against a RADIUS server or use the port security feature. Our network consists of 14 ProCurve 2650 switches (with 4 or 5 per floor) all connected to a ProCurve 5406 in a star topology. The 5406 is located in our server room and also connects all of our servers. We are uncertain about RADIUS due to the fact that if the RADIUS server fails, or both the primary & secondary servers fail, or if the primary fails but the secondary RADIUS server does not get queried, then all of our users will be locked out until the primary RADIUS server is back online. Port security does not seem to have this disadvantage.

I was hoping that a few of you network experts could discuss the pros and cons of each solution.

Thanks,
-John
jftuga
Occasional Contributor

Re: Port Security vs Radius Authentication

Also, what happens to the Port Security settings if the 2650 loses power?

Thanks,
-John
cenk sasmaztin
Honored Contributor

Re: Port Security vs Radius Authentication

Hi John,

You can enable port security on the relevant ports of your 2650 switch.

(config)# port-security [port-list] learn-mode [static | continuous] address-limit [1-32] action [send-disable | send-alarm]

port-security: the main command

port-list: the Ethernet ports on which to run port security

learn-mode: the learning mode; the switch learns each device's MAC address automatically and then writes it on the port.

static mode: on switch power loss or restart, the port security MAC information is not lost on the switch.

continuous: on switch power loss or restart, the port security MAC information is lost on the switch.

address-limit: a maximum of 32 MAC addresses can be assigned to one port.

action:
send-disable: when a port-security intrusion occurs on the port, the port is disabled.
send-alarm: on a port-security intrusion on the port, sends an alarm to ProCurve Manager and the switch security intrusion log, and the port is closed to snmp, icm, etc. protocol traffic.

cenk

cenk sasmaztin
Honored Contributor

Re: Port Security vs Radius Authentication

Limit each port to accept the first 802.1X-aware device and define an action for the switch when it recognizes additional devices:

(config)# port-security learn-mode port-access action

- The default learn mode action none enables additional devices to connect through an authorized port
- The send-alarm learn mode action generates a syslog message if additional users attempt access
- The send-disable learn mode action places the port in unauthorized state if additional users attempt access
- Ports must be set at autocontrol mode

Setting learn-mode to port-access causes the port to accept the MAC address of the first 802.1X supplicant but reject any additional MAC addresses. You can configure port-security to disable any MAC address after the first one learned through that port and send an alarm to the log indicating a security violation. If you choose to disable the port, all stations attached to that port will be unable to access the network, and the port will need to be manually enabled after the security violation has been cleared.

cenk

Matt Hobbs
Honored Contributor

Re: Port Security vs Radius Authentication

With that many switches I would definitely go with the centralised RADIUS server method. It's too time consuming to keep adding/removing mac-addresses on each switch, plus you may have more mac-addresses than each switch can keep in its configuration.
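
Added example, not part of any post in this thread: a short Python script that turns one authorized-MAC inventory into both forms discussed above, the per-switch static port-security lines and a single central RADIUS user list, so the maintenance difference is visible side by side. The inventory is constructed sample data; the mac-address keyword, the 001122-aabb01 notation, and the users-file line (MAC used as both user name and password) are assumptions to check against your switch and RADIUS server documentation, and the limit of 32 is the figure given in the thread.

```python
import re
from collections import defaultdict

# Constructed sample inventory (switch, port, MAC); not real devices.
INVENTORY = [
    ("floor1-sw1", "1", "00:11:22:AA:BB:01"),
    ("floor1-sw1", "1", "0011.22aa.bb02"),
    ("floor1-sw1", "2", "00-11-22-aa-bb-03"),
    ("floor2-sw1", "5", "001122aabb04"),
    ("floor2-sw1", "6", "00:11:22:aa:bb:zz"),   # malformed on purpose
]

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC."""
    digits = re.sub(r"[.:-]", "", raw.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def build_configs(inventory, address_limit=32):
    """Return (per-switch port-security lines, RADIUS users lines, rejects)."""
    ports, rejected = defaultdict(list), []
    for switch, port, raw in inventory:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append((switch, port, raw))
        elif mac not in ports[(switch, port)]:
            ports[(switch, port)].append(mac)

    per_switch, radius_macs = defaultdict(list), set()
    for (switch, port), macs in sorted(ports.items()):
        radius_macs.update(macs)          # central list: no per-port limit
        if len(macs) > address_limit:     # port security: per-port limit
            rejected.append((switch, port, "exceeds address-limit"))
            continue
        listed = " ".join(f"{m[:6]}-{m[6:]}" for m in macs)
        per_switch[switch].append(
            f"port-security {port} learn-mode static address-limit "
            f"{len(macs)} mac-address {listed} action send-disable")
    # Assumed users-file form: MAC as both user name and password.
    radius = [f'{m} Cleartext-Password := "{m}"' for m in sorted(radius_macs)]
    return dict(per_switch), radius, rejected

if __name__ == "__main__":
    switches, users, bad = build_configs(INVENTORY)
    for name, lines in switches.items():
        print(f"! {name}", *lines, sep="\n")
    print("# RADIUS users file", *users, sep="\n")
    print("# rejected:", bad)
```

Every MAC change means regenerating and pushing lines to the affected switch in the first form, but only editing one list in the second.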