Password protect wired LAN?

The title is not a mistake; I really am talking about wired, not wireless.

Essentially, I was wondering if it was possible to password-protect a LAN wired network to enhance security and only allow computers knowing the password to join.

I thought about using MAC address filtering, but that is way too trivial to circumvent.

Any ideas?

Thanks!


Solution 1:

802.1x authentication will do what you're looking for. Your switches will need to support it and you'll need a RADIUS server (which isn't a big deal because there are Free and no-cost options for most mainstream operating systems). Depending on how you actually do the authentication (certificates deployed on client computers, username / password on the clients) you may have additional steps necessary (like deploying a PKI) to get 802.1x up and going.

If you're using a Microsoft server platform you can get some background from them here: http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx

Some Linux server background (as well as just good background about 802.1x) is available here: http://www.linux.org/docs/ldp/howto/8021X-HOWTO/index.html

Solution 2:

What you are looking for is called a captive portal. You would have to look around to find one that works with the switches you use though. Basically, all unauthenticated ports should be on their own isolated VLAN. Once someone authenticates on a port, it would be moved over to the normal VLAN, and the traffic would work normally.
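An added example, not part of either answer above: a Python model of the switch-side decision that both answers rely on, where a port stays on an isolated VLAN until the RADIUS server's reply is verified and accepted. It goes beyond the answers by using the RFC 3580 tunnel attributes for dynamic VLAN assignment. The function names, the shared secret, VLAN ID 999 for the isolated VLAN, and the choice to keep a port isolated when the Accept carries no VLAN are all assumptions of this sketch.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6          # RFC 3580 values for VLAN assignment
QUARANTINE_VLAN = 999           # assumed ID of the isolated VLAN

def build_reply(code, ident, req_auth, secret, attrs):
    """Build a RADIUS reply (used here only to construct sample input)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + req_auth + body + secret).digest()
    return head + auth + body

def port_vlan(reply, req_auth, secret):
    """Return the VLAN a switch port should use after this RADIUS reply."""
    length = len(reply)
    if length < 20 or int.from_bytes(reply[2:4], "big") != length:
        return QUARANTINE_VLAN
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]) or reply[0] != ACCESS_ACCEPT:
        return QUARANTINE_VLAN       # forged, tampered or rejected: stay isolated
    attrs, pos = {}, 20
    while pos < length:
        alen = reply[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            return QUARANTINE_VLAN   # malformed attribute: fail closed
        attrs[reply[pos]] = reply[pos + 2:pos + alen]
        pos += alen
    # Tunnel-Type / Tunnel-Medium-Type carry 1 tag byte + a 3-byte value
    ttype = int.from_bytes(attrs.get(TUNNEL_TYPE, b"")[1:], "big")
    medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM, b"")[1:], "big")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:
        group = group[1:]            # strip the optional tag byte
    if ttype == VLAN and medium == IEEE_802 and group.isdigit():
        return int(group)
    return QUARANTINE_VLAN           # assumption: no VLAN assigned, keep isolated

# Constructed sample: an Access-Accept that places the port on VLAN 10
REQ_AUTH, SECRET = bytes(16), b"example-secret"
ACCEPT = build_reply(ACCESS_ACCEPT, 1, REQ_AUTH, SECRET, [
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM, b"\x00\x00\x00\x06"),
    (TUNNEL_PRIVATE_GROUP_ID, b"10")])
print(port_vlan(ACCEPT, REQ_AUTH, SECRET))
```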