Nairil
2021-09-28 19:28:32
- #1
I would probably activate the MAC filter in this case.
The secure, upscale network in the single-family house
- Erstellt am 2020-06-06 23:00:54
Araknis
2021-09-28 19:34:40
- #2
Use 802.1x and block everything that does not identify itself.
Tarnari
2021-09-28 19:43:54
- #3
In this case, I would probably activate the MAC filter.
Anyone with a bit of experience can bypass that.
Use 802.1x and block everything that does not identify itself.
And this is exactly the point where I’m stuck.
Can I use a RADIUS server to prevent my DHCP from assigning an address? Also on the port?
Just to be clear, I’m not talking about access via Wi-Fi, but via cable.
Araknis
2021-09-28 19:55:12
- #4
Can I use a Radius server to prevent my DHCP from assigning an address?
You even need the Radius server. The yes/no decision is made before the IP assignment.
Also on the port?
I don't quite understand what you mean. Where else?
Just to make sure it's understood correctly, I'm not talking about access via WLAN, but via cable.
This is now even possible with WLAN, but cable is the "normal" application.
Tarnari
2021-09-28 20:07:19
- #5
Ok, how do I have to do that? Very simple structurally. I have an accessible port, want to control it. Now I want to connect everything I want there. TV, lamp, PC, access point, etc., but want to prevent a foreign device from getting into the network via DHCP. A brief structure and procedure would be great.You even need the radius server. The decision yes/no is made before the IP assignment.
I don’t quite understand what you mean. Where else?
This is even possible nowadays with WLAN, but cable is the "normal" application.
Araknis
2021-09-28 20:19:46
- #6
You need something on which the Radius server runs. For me, that's, for example, a pfSense. Then the allowed device must of course support 802.1x and know the Radius login credentials. These devices have a menu somewhere where you can activate this and enter the login data.
Just plugging something in doesn't work - or rather, what is the practical goal? At some point, you have to make the authorized device known to the system, either via simple MAC filtering or via Radius login credentials. How do you even come to a TV now? I thought you wanted to secure external ports? You hardly ever connect a TV or PC to the RJ45 socket of the outdoor AP at the terrace overhang? Inside the house (and I think you mean a private house), you normally don't have suspicious guests manipulating the LAN. "Vulnerable" ports in the guest room could then simply be put into a separate VLAN that is strongly restricted.
With Hikvision cameras, it looks like this, for example:
Just plugging something in doesn't work - or rather, what is the practical goal? At some point, you have to make the authorized device known to the system, either via simple MAC filtering or via Radius login credentials. How do you even come to a TV now? I thought you wanted to secure external ports? You hardly ever connect a TV or PC to the RJ45 socket of the outdoor AP at the terrace overhang? Inside the house (and I think you mean a private house), you normally don't have suspicious guests manipulating the LAN. "Vulnerable" ports in the guest room could then simply be put into a separate VLAN that is strongly restricted.
With Hikvision cameras, it looks like this, for example: