topic I have never been a fan of in Network Access Control

User + Mac Address Authorization Policy

christoulakis — Mon, 11 Mar 2019 05:00:50 GMT

Hi,

Is there any option to bind a user who is authorized correctly from external identity with the mac-address of his workstation ?

The point is to give him access to the network only from a specific Workstation and denied him from any other workstation.

Thanks

Couple of questions:1. What

nspasov — Thu, 11 Sep 2014 21:49:00 GMT

Couple of questions:

1. What type of Radius server are you using?

2. When do you want the "binding" to happen? During the authorization process or do you want to manually specify the mac address for every single user?

3. What type of authentication are you using? PEAP, EAP-TLS, etc?

Thank you for rating helpful posts!

1. ISE 1.2 is having the

christoulakis — Fri, 12 Sep 2014 06:14:21 GMT

1. ISE 1.2 is having the role of Radius

2. Really i don't know I guess the binding should be happen before the login as i don't want the user to login from any other PC.

The key point on this scenario is a user to login on the corporate wired network only from his PC (User+MAC) and denied from any other PC.

If you want describe me both ways to understand which might fit in my case.

3. The PC has the native supplicant of Windows and authenticated through PEAP MS CHAPv2

Thanks in advance

is the user authentication

KiloBravo — Fri, 12 Sep 2014 16:31:27 GMT

is the user authentication referencing AD?

I have never been a fan of

nspasov — Fri, 12 Sep 2014 17:34:45 GMT

I have never been a fan of trying to lock down things via mac addresses since mac addresses can be easily spoofed.

If you are already using PEAP and if your machines are part of AD then an easier and more secure solution would be to use "Machine (PEAP)" based authentication. That way ISE will consult with AD and confirm that the authenticating machine is both joined to the domain and enabled.

Thank you for rating helpful posts!

Hello,Yes!!! I will agree

christoulakis — Sun, 14 Sep 2014 06:28:49 GMT

Hello,

Yes!!! I will agree that mac is an easy way of spoofing. but i' m trying to find my options on this scenario.

The group will consist of 2 users that will be part of my domain. (probably on these specific users I should deploy MAR)??

But another one that will work with team will be external support and he will be coming with his laptop.

Thanks

MAR is also not ideal as it

nspasov — Mon, 15 Sep 2014 15:01:25 GMT

MAR is also not ideal as it comes with tons of limitations 🙂 In addition, it also uses the MAC address of the machine as the username which is sent in plain text 🙂 So I would not recommend MAR.

Why don't you try PEAP machine based authentication? This will allow only domain joined (corporate owned) computers to authenticate. If the computer is not part of the domain, authentication will fail.

Thank you for rating helpful posts!