09-11-2014 04:42 AM - edited 03-10-2019 10:00 PM
Hi,
Is there any option to bind a user who is authorized correctly from an external identity with the MAC address of his workstation?
The point is to give him access to the network only from a specific workstation and deny him from any other workstation.
Thanks
09-11-2014 02:49 PM
Couple of questions:
1. What type of Radius server are you using?
2. When do you want the "binding" to happen? During the authorization process or do you want to manually specify the mac address for every single user?
3. What type of authentication are you using? PEAP, EAP-TLS, etc?
Thank you for rating helpful posts!
09-11-2014 11:14 PM
1. ISE 1.2 is having the role of Radius
2. Really I don't know. I guess the binding should happen before the login, as I don't want the user to log in from any other PC.
The key point in this scenario is for a user to log in to the corporate wired network only from his PC (User+MAC) and be denied from any other PC.
If you want, describe both ways to me so I can understand which might fit my case.
3. The PC uses the native Windows supplicant and authenticates through PEAP MS-CHAPv2.
Thanks in advance
09-12-2014 09:31 AM
Is the user authentication referencing AD?
09-13-2014 11:28 PM
Hello,
Yes!!! I will agree that MAC is easy to spoof, but I'm trying to find my options in this scenario.
The group will consist of 2 users that will be part of my domain (probably for these specific users I should deploy MAR?).
But another one who will work with the team will be external support, and he will be coming with his laptop.
Thanks
09-15-2014 08:01 AM
MAR is also not ideal as it comes with tons of limitations :) In addition, it also uses the MAC address of the machine as the username which is sent in plain text :) So I would not recommend MAR.
Why don't you try PEAP machine based authentication? This will allow only domain joined (corporate owned) computers to authenticate. If the computer is not part of the domain, authentication will fail.
Thank you for rating helpful posts!
09-12-2014 10:34 AM
I have never been a fan of trying to lock down things via mac addresses since mac addresses can be easily spoofed.
If you are already using PEAP and if your machines are part of AD then an easier and more secure solution would be to use "Machine (PEAP)" based authentication. That way ISE will consult with AD and confirm that the authenticating machine is both joined to the domain and enabled.
Thank you for rating helpful posts!
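The thread asks for a per-user workstation binding (User+MAC) and the replies point out that a MAC address is easy to spoof and that machine authentication against AD is the more robust control. Whichever enforcement path is chosen, a defender still wants to audit where each account actually authenticated from. The following Python is an added example (not code from any poster, and not a real ISE export format): it parses constructed RADIUS-style authentication records, checks successful logins against an allow-list of user-to-MAC pairs, and summarizes which MACs each account has been seen from. The line layout and the labels `UserName`, `Calling-Station-ID` and `NAS-Port-Id` are assumed for the sample; the MAC normalizer accepts the common dashed, dotted and colon forms.

```python
"""Audit successful 802.1X/RADIUS logins against a user-to-workstation allow-list.

Added example. The log format below is constructed to resemble a RADIUS
authentication export; it is not real ISE output.
"""
import re
from collections import defaultdict

# Approved user -> set of workstation MACs (constructed values).
APPROVED_BINDINGS = {
    r"CORP\jsmith": {"00:11:22:33:44:55"},
}

# Constructed sample events (not real ISE output).
SAMPLE_LOG = r"""
2014-09-11 08:01:12 Passed-Authentication UserName=CORP\jsmith Calling-Station-ID=00-11-22-33-44-55 NAS-Port-Id=GigabitEthernet1/0/12
2014-09-11 08:03:40 Passed-Authentication UserName=CORP\mjones Calling-Station-ID=AA-BB-CC-DD-EE-01 NAS-Port-Id=GigabitEthernet1/0/13
2014-09-11 09:15:02 Passed-Authentication UserName=CORP\jsmith Calling-Station-ID=dead.beef.0001 NAS-Port-Id=GigabitEthernet2/0/5
2014-09-11 09:16:10 Failed-Authentication UserName=CORP\jsmith Calling-Station-ID=dead.beef.0001 NAS-Port-Id=GigabitEthernet2/0/5
"""

# "<date> <time> <result> key=value key=value ..."
EVENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
FIELD_RE = re.compile(r"(\S+?)=(\S+)")


def normalize_mac(mac):
    """Canonicalize 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55
    to lower-case colon-separated form so comparisons do not depend on the
    NAS vendor's formatting."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_event(line):
    """Return a dict with time, result and the key=value fields, or None
    for lines that do not match the expected layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, result, rest = m.groups()
    return {"time": ts, "result": result, **dict(FIELD_RE.findall(rest))}


def check_bindings(lines, bindings):
    """Flag every successful login whose (user, MAC) pair is not approved.

    Failed attempts are ignored here because they never granted access;
    the result is a list of alert dicts suitable for a SIEM or a report."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "Passed-Authentication":
            continue
        user = ev.get("UserName", "<missing>")
        raw_mac = ev.get("Calling-Station-ID")
        if not raw_mac:
            reason = "successful login without Calling-Station-ID"
            mac = None
        else:
            mac = normalize_mac(raw_mac)
            approved = bindings.get(user)
            if approved is None:
                reason = "no approved workstation for user"
            elif mac not in approved:
                reason = "login from unapproved workstation"
            else:
                continue  # approved pair: nothing to report
        alerts.append({"time": ev["time"], "user": user, "mac": mac,
                       "port": ev.get("NAS-Port-Id"), "reason": reason})
    return alerts


def macs_per_user(lines):
    """Map each user to the set of MACs that successfully authenticated with
    that account; an account seen from several MACs is worth a look even when
    no allow-list exists yet."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["result"] == "Passed-Authentication" and ev.get("Calling-Station-ID"):
            seen[ev["UserName"]].add(normalize_mac(ev["Calling-Station-ID"]))
    return dict(seen)


if __name__ == "__main__":
    for alert in check_bindings(SAMPLE_LOG.splitlines(), APPROVED_BINDINGS):
        print(alert)
    for user, macs in macs_per_user(SAMPLE_LOG.splitlines()).items():
        print(user, sorted(macs))
```

On the constructed sample this reports two alerts: `CORP\mjones` has no approved workstation at all, and `CORP\jsmith` appears once from a MAC that is not on his allow-list. Because the MAC is self-reported by the endpoint, a clean result here only says the pairing was consistent, not that the workstation was genuine; the machine-authentication approach suggested above is what actually proves domain membership.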