5

The title is not a mistake, I really am talking about wired, not wireless.

Essentially, I was wondering if it was possible to password-protect a wired LAN to enhance security and only allow computers knowing the password to join.

I thought about using MAC address filtering, but that is way too trivial to circumvent.

Any ideas?

Thanks!

kmagic

  • There are some quite effective methods of Layer 2 security that are a lot more powerful than MAC address filtering, but they're generally quite expensive to implement. – Mark Henderson Mar 15 '11 at 23:45

2 Answers

15

802.1x authentication will do what you're looking for. Your switches will need to support it and you'll need a RADIUS server (which isn't a big deal because there are Free and no-cost options for most mainstream operating systems). Depending on how you actually do the authentication (certificates deployed on client computers, username / password on the clients) you may have additional steps necessary (like deploying a PKI) to get 802.1x up and going.

If you're using a Microsoft server platform you can get some background from them here: http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx

Some Linux server background (as well as just good background about 802.1x) is available here: http://www.linux.org/docs/ldp/howto/8021X-HOWTO/index.html

Evan Anderson

  • I fully agree this is most secure, but in terms of ease a captive portal is much better. – Jacob Mar 16 '11 at 01:58
  • 802.1x isn't *that* difficult to get going w/ modern OS's and switches. My advice to the OP would be to take a little extra time and put together a solution that has some reasonable security behind it and that works well in his environment. – Evan Anderson Mar 16 '11 at 02:34
  • @Evan I fully agree 802.1x is great, but in certain cases captive portals might be better... – Jacob Mar 16 '11 at 02:44
  • @jacob I disagree with the captive portal idea. With .1x one could use the switch extended capabilities like: make vlan assignments. This is a better security tool. – cstamas Mar 16 '11 at 07:42
1

What you are looking for is called a captive portal. You would have to look around to find one that works with the switches you use though. Basically, all unauthenticated ports should be on their own isolated vlan. Once someone authenticates on a port, it would be moved over to the normal vlan, and the traffic would work normally.

devicenull
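As an added illustration of the 802.1x approach from the first answer, combined with the "isolated VLAN until authenticated" idea from the second answer and cstamas's comment, here is a Cisco IOS-style access-switch configuration (example written for this page, not from any of the posters). The switch name, RADIUS address, VLAN numbers and shared secret are placeholders, and exact command syntax differs between IOS releases.

```text
! --- The approach the question rejects: a static MAC allow-list per port.
! The switch trusts whatever source MAC the host presents, so this is the
! "trivial to circumvent" option. Shown only for contrast.
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4455

! --- 802.1X: the port forwards nothing but EAPOL until the host has proven
! its identity (password or certificate via EAP) to the RADIUS server.
aaa new-model
aaa authentication dot1x default group radius
! Required for the switch to honour VLAN attributes returned by RADIUS
aaa authorization network default group radius
dot1x system-auth-control

! Placeholder RADIUS server (FreeRADIUS, NPS, etc.)
radius server LAB-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET

! VLAN 999 is an isolated holding VLAN; VLAN 100 is the normal user VLAN
vlan 100
 name USERS
vlan 999
 name UNAUTH

interface GigabitEthernet0/1
 switchport mode access
 ! Port starts in the isolated VLAN; a successful authentication moves it
 switchport access vlan 999
 authentication port-control auto
 dot1x pae authenticator
 ! Hosts that fail authentication stay isolated rather than being opened
 authentication event fail action authorize vlan 999
 ! Hosts with no supplicant (no EAPOL reply) also land in VLAN 999
 authentication event no-response action authorize vlan 999
```

For the port to move into VLAN 100, the RADIUS Access-Accept for that user must carry the RFC 3580 attributes Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id = "100"; those are set per user (or per group) on the RADIUS server, not on the switch.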