05-08-2013 09:05 AM
Switch security enforcement - authenticator in local mode
Hello,
I'm trying to find a good way to enforce my network security.
Our network is a grid of about 15 switches, with spanning tree active.
So we always have a minimum of two paths to communicate from one switch to another.
We use 5 vlans, deployed on all the switches.
The links between the switches are fiber or ethernet gigabit.
We have a dedicated Management vlan.
We have a radius server for authentication on the switches.
But I can't be sure that nobody will gain physical access to my switch, or connect his own computer to one of my network plugs somewhere in the plant.
So we have already disabled the clear and reset buttons on the switches.
And we are going to use port-access + radius + 802.1x to control every port connected to a public plug.
But I would like to secure the links between the switches:
If someone gains physical access to the switch, disconnects an inter-switch link and connects a computer to the port,
he may be able to see all my vlans, and because of spanning tree, he gets full access to my network.
So I tried the 802.1x authentication on those inter-switch ports.
It works, but only with a radius server, so it works only in one direction.
If you connect a computer to the supplicant port, you get access to the switch,
and because the supplicant does not have access to the radius, I can't make it act as authenticator.
So the good way to do this is to use local authentication for 802.1x: you don't need any connection to any device prior to establishing the connection to the network.
But with none of my switches (2510, 2610, 2910 or 2530) was I able to use local authentication. I've tried with my Manager and Operator credentials, changing or not the usernames, and I always get a never-ending authentication.
As some forums mention, the password port-access command is not available in the switches,
so it is impossible to configure the authenticator correctly in local mode.
So IMHO there is no way to get a strict control over the inter-switch ports if someone gets physical access to a switch.
I can't use protected ports on inter-switch links because they are limited to 8 learned MAC addresses.
Definitely, I think that 802.1x + local authentication is the only way.
Does someone have an idea on how to do this?
Damien
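The exposure Damien describes is specific to ports that carry several tagged VLANs (the inter-switch links): whoever plugs into one sees every VLAN on the trunk. Before deciding how to protect those ports, it helps to know which ones they are and whether an 802.1X authenticator is already applied to them. The following script is an added example, not code from the post or from HPE; it parses a constructed running-config written in an assumed ProCurve-like syntax (`vlan N` blocks with indented `tagged` lines, and `aaa port-access authenticator <ports>` lines), flags ports tagged in two or more VLANs as likely uplinks, and lists those with no authenticator. The config sample, the port-numbering scheme and the "two or more tagged VLANs" heuristic are all assumptions; on a real switch the syntax should be checked against `show running-config`.

```python
"""Audit a ProCurve-style switch config for multi-VLAN (inter-switch) ports
that have no 802.1X authenticator enabled.

Added example, not code from the original post.  The configuration syntax is
an assumption modelled on ProCurve 'vlan' / 'tagged' / 'aaa port-access
authenticator' lines; the sample configuration below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample running-config (assumed ProCurve-like syntax).
# Ports 1-4 are tagged in VLANs 10, 20 and 99: they look like uplinks.
# Only port 3 of those has an authenticator; access ports 5-24 all do.
SAMPLE_CONFIG = """\
hostname "sw-core-1"
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-4
vlan 10
   name "Users"
   tagged 1-4
   untagged 5-24
vlan 20
   name "Servers"
   tagged 1-4
vlan 99
   name "Management"
   tagged 1-2,3-4
aaa port-access authenticator 5-24
aaa port-access authenticator 3
aaa port-access authenticator active
aaa authentication port-access eap-radius
"""

VLAN_RE = re.compile(r"^vlan\s+(\d+)\s*$")                        # top-level 'vlan N'
TAGGED_RE = re.compile(r"^\s+tagged\s+([\d,\-]+)\s*$")             # indented 'tagged <ports>'
AUTH_RE = re.compile(r"^aaa port-access authenticator\s+([\d,\-]+)\s*$")


def expand_ports(spec):
    """Expand a port list such as '1-4,7' into [1, 2, 3, 4, 7] (numeric ports assumed)."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        elif part:
            ports.append(int(part))
    return ports


def parse_config(text):
    """Return (tagged_vlans_by_port, authenticator_ports) for a config text."""
    tagged = defaultdict(set)   # port -> set of VLAN ids tagged on that port
    authenticator = set()       # ports named in 'aaa port-access authenticator <ports>'
    current_vlan = None
    for line in text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            current_vlan = int(m.group(1))
            continue
        m = TAGGED_RE.match(line)
        if m and current_vlan is not None:
            for port in expand_ports(m.group(1)):
                tagged[port].add(current_vlan)
            continue
        m = AUTH_RE.match(line)
        if m:
            authenticator.update(expand_ports(m.group(1)))
        if not line.startswith(" "):
            current_vlan = None  # any other top-level line ends the vlan block
    return tagged, authenticator


def uplink_candidates(tagged, min_vlans=2):
    """Ports tagged in at least `min_vlans` VLANs: the likely inter-switch links.
    A device plugged into such a port sees every VLAN the link carries."""
    return sorted(p for p, vlans in tagged.items() if len(vlans) >= min_vlans)


def audit(config_text, min_vlans=2):
    """Return the uplink-candidate ports that have no 802.1X authenticator."""
    tagged, authenticator = parse_config(config_text)
    return [p for p in uplink_candidates(tagged, min_vlans) if p not in authenticator]


if __name__ == "__main__":
    tagged, auth = parse_config(SAMPLE_CONFIG)
    for port in uplink_candidates(tagged):
        state = "authenticator" if port in auth else "NO authenticator"
        print(f"port {port:>2}: tagged VLANs {sorted(tagged[port])} -> {state}")
    print("unprotected uplinks:", audit(SAMPLE_CONFIG))
```

Run against the constructed config it reports ports 1, 2 and 4 as multi-VLAN ports without an authenticator. The script only finds the exposed ports; it does not settle the local-authentication question in the post, and the `min_vlans` threshold should be adjusted to match how trunks are actually built on a given network.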