MAC address Filter list in NAC

ralicaway
Level 1

Hi Faisal, how are you? I have a question about the filter list in the NAC appliance. I want only the MAC addresses recognized by the NAC appliance to be the ones that get into the network; if a workstation's MAC address is not in the filter list, it should not be able to get into the network. Does the NAC have the capability of doing this? Please let me know. Thanks.

Richard

5 Replies

Lauren Sullivan
Level 1

I'm not Faisal, but....

Do you want to do additional authentication (like LDAP or such) or just based on the MAC address?  If you want to do just via the MAC, you can add them to the filter list and then either set them to "allow" to just allow the traffic, "role" to put them in a specific role, or "check" to apply posture assessment and then put them in the role.  If no other authentication servers are configured, users who weren't in the filter list would not be able to authenticate, and they would be stuck in the unauthenticated VLAN.

Thanks,

Lauren

Nate Austin
Cisco Employee

Hi Richard,

As long as your client is Layer 2 adjacent to the CAS, and in In-band mode, then you can put in a MAC Address filter of type DENY for a mac address and that will cause the CAS to block traffic from that client.

If in an out-of-band mode, when the CAM gets a mac-notification trap for a mac address that it has a DENY filter for then it will move the port to the authentication vlan, so it should never move the client to the access vlan, and thus not allow traffic from it to the network.

On the other hand if you make the type ALLOW then it will do the opposite - allow traffic from them in in-band mode, and move their port to the trusted access vlan in out-of-band mode.

If your client is a Layer 3 hop away from the CAS it is possible but a little trickier, since the CAS doesn't know the client's mac address right away. You can see all possibilities when going to create a new filter on the CAM - it has a table on the bottom with the different combinations.

Thanks,

Nate

Does it work in CAM Lite manager?

Another issue is that the authentication always fails because the ActiveX control cannot be installed for a domain user. It will only allow it if I log on with admin rights. In the security settings of the Internet Options I allowed "run ActiveX controls and plug-ins" and the other settings that belong to ActiveX controls. I did the allowing of the ActiveX control through the GPO. We are using Windows 2003 and our clients are Windows XP. Please see attachment.

Please help. Thanks.

Richard

Hi Richard,

Yes, everything should be the same on a Standard, Super, or Lite Manager. The only difference is the number of CASs that each can manage.

As for Active-X controls, as far as I know (at least with Windows XP) the users have to be local admins to run Active-X. I found the link below on Microsoft Technet that states that in Vista and later you can enable per-user non-admin Active-X capabilities:

http://msdn.microsoft.com/en-us/library/dd433049%28VS.85%29.aspx

On XP you might need to use the Java version of the Launcher by changing the settings on your User page.

Thanks,

Nate

Thanks. It works with the Java applet. I just made a script to install it on the client workstation through a standard user account. Now the Java is pushing to the client.

In regards to the MAC address filtering in NAC, it works. The login is bypassed, but it applies posture assessment and runs the web agent. But is there a way to make the client not get authenticated once their MAC address is not in the filter list? Because what happens is that when the client's MAC address is not in the filter list, they can still go to the authentication login. What I want is that they cannot do it unless they have submitted their MAC address. Is that possible, or do I need another device to filter the MAC addresses?

Regards,

Richard Alicaway
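As an added illustration (not code from the NAC appliance or from anyone in the thread), the following Python models the filter-list behaviour described in the replies above: ALLOW, ROLE and CHECK bypass the login, DENY blocks, and an unlisted MAC is still offered web login whenever an authentication server is configured, which is what Richard observes in his last post. All names are mine, the addresses are constructed, and the out-of-band VLAN mapping is a simplification of the CAM's actual behaviour.

```python
import re
from dataclasses import dataclass

def normalize_mac(raw: str) -> str:
    # Canonical aa:bb:cc:dd:ee:ff form so list entries and trap MACs compare equal.
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass(frozen=True)
class Filter:
    ftype: str      # "DENY", "ALLOW", "ROLE" or "CHECK"
    role: str = ""  # target role for ROLE / CHECK entries
@dataclass(frozen=True)
class Outcome:
    action: str     # deny | allow | role | check | web_login | stuck
    role: str = ""
    posture_required: bool = False
def decide(mac: str, filters: dict, auth_servers_configured: bool) -> Outcome:
    """Outcome for one client MAC, following the replies' description of the filter types."""
    entry = filters.get(normalize_mac(mac))
    if entry is None:
        # Unlisted MAC: offered web login if an auth server exists, else stuck unauthenticated.
        return Outcome("web_login") if auth_servers_configured else Outcome("stuck")
    if entry.ftype == "DENY":
        return Outcome("deny")
    if entry.ftype == "ALLOW":
        return Outcome("allow")
    if entry.ftype == "ROLE":
        return Outcome("role", entry.role)
    if entry.ftype == "CHECK":
        return Outcome("check", entry.role, posture_required=True)
    raise ValueError(f"unknown filter type {entry.ftype!r}")

def oob_port_vlan(outcome: Outcome, posture_passed: bool = False, login_passed: bool = False) -> str:
    """Out-of-band: VLAN the CAM leaves the port in after the mac-notification trap."""
    if outcome.action in ("allow", "role"):
        return "access"
    if outcome.action == "check":
        return "access" if posture_passed else "authentication"
    if outcome.action == "web_login":
        return "access" if login_passed else "authentication"
    return "authentication"  # deny or stuck: never moved to the access VLAN

# Constructed sample filter list; the addresses are made up for this example.
FILTERS = {
    normalize_mac("00-11-22-33-44-55"): Filter("ALLOW"),
    normalize_mac("0011.2233.4466"): Filter("CHECK", "employee"),
    normalize_mac("00:11:22:33:44:77"): Filter("DENY"),
}
```

Running `decide` with `auth_servers_configured=True` for an address that is not in `FILTERS` returns `web_login`, the case Richard describes; only with no authentication server configured does it return `stuck`.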
