IP to MAC Binding for Static IP

I have a network of more than 1000 users with static IPs. We can't change the static IPs and cannot go for DHCP to achieve our task.

Different subnets exist and different user rules are defined. Now it happens that people change their IP and enjoy the services meant for higher-rank people.

I am looking for a solution in which every user should be authenticated based on IP address with MAC binding. We define the IP and MAC bound to each other. Everyone comes and should authenticate using the MAC and IP binding.

1 Reply

shillings
Level 4

If secure NAC is the priority, then I'd recommend checking out 802.1X protocol in conjunction with a RADIUS server. Basically, when someone connects to a port, they are allowed to communicate with a RADIUS server (using EAP). They must authenticate through RADIUS before the port is opened.

Additionally, the RADIUS server can relay a VLAN ID to the switch, based upon the end-user's account. The client device is then placed into the appropriate VLAN.

Note that RADIUS can also be linked to your local MS Active Directory.

If you use EAP-TLS, then both the switch infrastructure and client devices can be verified as genuine corporate devices, using certificates. Validating certificates through a Certificate Authority (such as Verisign) adds yet further security.

The new 3850 series switch has additional capabilities that make 802.1X easier to mitigate some of the drawbacks. For example, you can enable specific ports with 802.1X instead of the entire switch.

Whilst it would take some work to set up, I suspect it would require less day-to-day maintenance. It would also be more secure and could lead the way to employees bringing in their own devices, if you wish.
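One way to audit the IP-to-MAC binding described in the question is to compare the switch's ARP table with the authorized binding list. This is an added example, not part of the original thread; the binding table, the sample output (laid out like Cisco IOS `show ip arp`) and the function names are assumptions constructed for illustration.

```python
import re

# Constructed authorized bindings (IP -> MAC), e.g. exported from the address plan.
AUTHORIZED = {
    "10.1.10.21": "0011.2233.4455",
    "10.1.10.22": "0011.2233.4466",
    "10.1.20.5":  "00aa.bbcc.dd01",
}

# Constructed sample in the layout of Cisco IOS "show ip arp" output.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.21              5   0011.2233.4455  ARPA   Vlan10
Internet  10.1.20.5               2   0011.2233.4466  ARPA   Vlan20
Internet  10.1.10.99              0   00de.adbe.ef01  ARPA   Vlan10
Internet  10.1.10.1               -   0000.0c07.ac0a  ARPA   Vlan10
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<intf>\S+)"
)

def normalize_mac(mac):  # any common notation -> 12 lowercase hex digits
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def audit(arp_text, authorized):
    """Return findings as (kind, ip, observed_mac, interface) tuples."""
    allowed = {ip: normalize_mac(mac) for ip, mac in authorized.items()}
    owner = {mac: ip for ip, mac in allowed.items()}
    findings = []
    for line in arp_text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m["age"] == "-":  # "-" marks the device's own interface addresses
            continue
        ip, mac, intf = m["ip"], normalize_mac(m["mac"]), m["intf"]
        if allowed.get(ip) == mac:
            continue  # binding is as authorized
        if mac in owner:
            kind = f"known host moved from {owner[mac]}"
        elif ip in allowed:
            kind = "unknown MAC on a bound IP"
        else:
            kind = "unbound IP and MAC"
        findings.append((kind, ip, mac, intf))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_ARP, AUTHORIZED), sep="\n")
```

This is detection only and trusts the MAC the switch observes, so port-level authentication as described in the reply remains the enforcement control.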
