How to filter by MAC address with ASA 5510

hwaltert1 (Level 1)

I am using an ASA 5510 firewall in routed mode.

How can I filter incoming traffic by MAC address on the ASA 5510?

I have already setup a static access rule for rdp users on the outside to access a terminal server on the inside.

Now, I would like to further limit access to specific computers only.

7 Replies

jocamare (Level 4)

You cannot use MAC address in ACLs.

You can try to create a static ARP entry on the ASA with a fictitious IP for that particular MAC and use an ACL to block that IP.

Thank you for your response.

I am actually trying to block everyone, except for a handful of known MACs.

Any idea how to achieve that with an ASA 5510 ?

Hello Hermann,

As specified before, this cannot be done unless running transparent mode.

Now there is an alternative you could try to use and that is the AAA authentication and MAC exemption mechanism.

With this you will be able to authenticate X traffic across your network (let's say all HTTP traffic), but for some MAC addresses you will not authenticate.

So what will happen is: as soon as a user not specified on the NAT exemption list attempts to connect, he will receive a prompt, he will not know the user and password, and the session will be invalid.

http://www.ciscopress.com/articles/article.asp?p=1552963&seqNum=4

Regards,

Julio Carvajal

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
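The configuration below is an added example, not code from any post in this thread, showing the AAA authentication plus MAC-exemption mechanism Julio describes in ASA CLI syntax. The mac-list name RDP_EXEMPT, the ACL name AUTH_RDP, the LOCAL server group, the terminal server address 192.0.2.10 and the two MAC addresses are assumptions and constructed placeholder values; the interface name "outside" follows the original question.

```cisco
! Added example (not from the thread): cut-through proxy with MAC exemption
! on an ASA in routed mode. All names, addresses and MACs are constructed.
!
! 1. Hosts whose source MAC matches this list bypass authentication entirely.
!    Mask ffff.ffff.ffff means "exact match" on the whole address.
mac-list RDP_EXEMPT permit 0011.2233.4455 ffff.ffff.ffff
mac-list RDP_EXEMPT permit 0011.2233.4466 ffff.ffff.ffff
aaa mac-exempt match RDP_EXEMPT
!
! 2. Every other host must authenticate before traffic matching this ACL
!    (RDP to the terminal server) is allowed through.
access-list AUTH_RDP extended permit tcp any host 192.0.2.10 eq 3389
aaa authentication match AUTH_RDP outside LOCAL
!
! 3. An account that legitimate interactive users could authenticate with
!    (placeholder password; configure a real one or use an external AAA server).
username rdpadmin password PLACEHOLDER-SET-A-STRONG-PASSWORD privilege 1
!
! Verification after applying:
!   show running-config mac-list      -> confirm the exempt MACs
!   show uauth                        -> which sources are currently authenticated
!   show arp                          -> the MAC the ASA actually sees per source IP
```

Two caveats matter before relying on this. The ASA only presents the login prompt for HTTP, HTTPS, FTP and Telnet, so an RDP-only client that is not on the exempt list never gets a chance to authenticate and its sessions are simply denied, which is the behaviour Hermann reports further down. More fundamentally, the MAC the ASA compares against the list is the source MAC of the frame on the ingress interface, i.e. the last layer-2 hop. When users arrive through a remote VPN appliance or any router, every user's traffic carries that device's MAC, so MAC exemption cannot tell them apart; and even on a directly attached segment a MAC is trivially set by the host, so it is an allow-list convenience rather than an identity control. Per-user authentication (the cut-through proxy itself, or the VPN appliance's own user identity) is the check that actually distinguishes authorized from unauthorized RDP users here.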

Thank you for your suggestion.

I was considering utilizing the MAC Exemption option, but I could not get it to work.

I think the problem is, AAA Authentication only supports http, https and ftp.

It does not support rdp.

Do I really have to add another appliance (i.e. switch) just for MAC filtering ?

One would think MAC filtering is the most basic feature of any firewall.

Any further ideas ?

Usually firewalls filter on layer 3 IP addresses, not layer 2 ethernet addresses.  Is there some reason filtering on IP won't solve your issue?

-- Jim Leinweber, WI state Lab of Hygiene

The main reason IP filtering won't work for us is because we are unable to predict a user's IP address.

Both authorized and unauthorized users are coming from a remote VPN appliance (corporate headquarters).

We are unable to determine if a user is authorized to use rdp based on his/her source IP address.

Hello Hermann,

I already explained the only possibility to make this happen while in routed mode.

Then you will need to determine whether you are going to do that or try to run in transparent mode.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC