05-08-2013 09:05 AM
I'm trying to find a good way to enforce my network security.
Our network is a grid of about 15 switches, with spanning tree active.
So we always have a minimum of two paths to communicate from one switch to another.
We use 5 VLANs, deployed on all the switches.
The links between the switches are fiber or gigabit Ethernet.
We have a dedicated Management vlan.
We have a RADIUS server for authentication on the switches.
But I can't be sure that nobody will gain physical access to my switches, or connect their own computer to one of my network plugs somewhere in the plant.
So we have already disabled the clear and reset buttons on the switches.
And we are going to use port-access + RADIUS + 802.1X to control every port connected to a public plug.
But I would like to secure the links between the switches:
if someone gains physical access to a switch, disconnects an inter-switch link and connects a computer to the port,
he may be able to see all my VLANs, and because of spanning tree, he gets full access to my network.
So I tried 802.1X authentication on those inter-switch ports.
It works, but only with a RADIUS server. So it works only in one direction.
If you connect a computer to the supplicant port, you get access to the switch,
and because the supplicant does not have access to the RADIUS server, I can't make it act as an authenticator.
So the right way to do this is to use local authentication for 802.1X: you don't need any connection to any device prior to establishing the connection to the network.
But on none of my switches (2510, 2610, 2910 or 2530) was I able to use local authentication. I've tried with my Manager and Operator credentials, with or without changing the usernames, and I always get a never-ending authentication.
As some forums mention, the password port-access command is not available on these switches,
so it is impossible to configure the authenticator correctly in local mode.
So IMHO there is no way to get strict control over the inter-switch ports if someone gets physical access to a switch.
I can't use protected ports on inter-switch links because they are limited to 8 learned MAC addresses.
Definitely, I think that 802.1X + local authentication is the only way.
Does someone have an idea on how to do this?
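The one-directional setup the post describes (RADIUS-backed authenticator on one end of an inter-switch link, supplicant on the other), written out as an added configuration example. This is not from the original post or from HP; the hostnames, port numbers, RADIUS address and shared secret are assumptions, and the commands are the ProCurve port-access CLI as documented, not verified on the specific models listed above.

```text
! --- Switch A: authenticator side ---
! Assumed: public plugs on ports 1-20, inter-switch link to Switch B on port 24,
! RADIUS server at 10.0.99.5 (constructed values)
radius-server host 10.0.99.5 key ExampleSharedSecret
aaa authentication port-access eap-radius
aaa port-access authenticator 1-20,24
! Only one authenticated client allowed on the uplink port
aaa port-access authenticator 24 client-limit 1
aaa port-access authenticator active

! --- Switch B: supplicant side of the same link, on its port 24 ---
! The identity/secret pair must exist as a user on the RADIUS server (assumed)
aaa port-access supplicant 24
aaa port-access supplicant 24 identity switchB secret
! (the CLI prompts for the secret interactively)
```

Reading it this way makes the asymmetry visible: Switch A's port 24 refuses traffic until a valid EAP exchange completes, but Switch B's port 24 is a plain supplicant port with no authenticator role, so anything plugged into it in place of Switch A is accepted. Closing that side would require Switch B to authenticate its peer without reaching the RADIUS server through the very link being authenticated, which is exactly the local-authentication case the post is asking about.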