From: Borja Marcos
Date: Fri, 9 Apr 2004 18:29:58 +0200
To: freebsd-security@freebsd.org
Subject: Re: Q: Controlling access at the Ethernet level
Message-Id: <241D3934-8A43-11D8-863D-000393C94468@sarenet.es>
In-Reply-To: <611C2010-86E9-11D8-A962-000A95776E22@freebsd.ady.ro>

> We have thought about using static MAC entries per port on managed
> switches installed at the client endpoints, but that would require an
> overwhelming budget. We are also thinking about L2TP and PPPoE, but I
> am uncertain about compatibility.
>
> What would you recommend? Are there any other elegant solutions?
>
> I also heard about 802.1x technology and it seems to be an interesting
> and professional alternative; I just don't know how well supported it is
> on the server side, namely FreeBSD.

802.1x needs switch support. A switch supporting 802.1x will probably support MAC address filtering at the port level. The same can be said about using VLANs; you would need a switch with multi-VLAN port support, something quite variable between manufacturers.

Anyway, stackable switches in the $600 - $1000 price range would do it. Look at Cisco Catalyst or HP ProCurve. (Look at the low end of both, not the high-end models.)

Borja.