Block cloned MAC address in WCS
Hi I would like to ask if I can block a user who connects to our network and generates high usage of internet.
The problem is every time he clones his MAC address.
PS ...( WITH OUT SETTING A PASSWORD ON THE APs AND WITH OUT SWITCHING THEM OFF)
THX
Chris
Only way to prevent it is to do exactly what you mentioned you don't want to do and that's set a password or eap security. Layer 2 hacks have been around for ages. Very hard to defend unless you lift security requirements.
Sent from Cisco Technical Support iPad App
Similar Messages
-
Blocking a MAC address with WCS
I recently deployed a 4404 with WCS and want to block a MAC address from connecting to our wireless because of Deauth floods. We have around 40 APs. I am thinking it should be done through a template, but not sure. Can anyone lead me to right document that explains the process of blocking specific MAC addresses?
thanks,
JonathanHi Jonathan,
Have you see this doc;
Configuring a MAC Filter Template
Cisco Wireless Control System Configuration Guide, Release 4.0
http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a00806b7273.html#wp1068145
Hope this helps!
Rob
Please remember to rate helpful posts..... -
WRT54g Version 5.0
Firmware 1.02.8
I have been able to figure out how to block Wireless MAC addresses, and that has been VERY helpful.
( Wireless Tab -> Wireless MAC filter -> Permit Only -> and so on.... )
But I am cannot find out how to block certain wired based MAC addresses. Is this possible?
Solved!
Go to Solution.Yes. With access restrictions.
Of course, as MAC addresses are easily changed, cloned and detected on wireless connections (as MAC addresses are always transferred unencrypted) the wireless mac filter is useless for wireless security. On the wireless, use WPA2 Personal with AES and a strong passphrase. The wireless MAC filter won't make a difference in regard to your WPA2 protected wireless network.
Same applies to wired devices and access restrictions. Of course, the difference with wired connections is that you have better control over you can plug into your router and who not... -
Is it easy to block a mac address on airport extreme?
I have plans of changing my router to an apple airport extreme. Is it easy to block a mac address on apple's airport extreme?
So you can just control the time that they're connected.
You can set up daily time limits to allow a specific device to connect at the times that you specify. It is possible to set up different "rules" for each individual device......so your Mac could connect anytime, but other devices connect only at the times that you specify.
It is also possible to set up a rule to not allow a device to connect at all at any time. That would be called the "No Access" rule.
In order for the PS4 to connect automatically, a router needs to have UPnP service. The AirPorts do not have this. If you want to connect the PS4 to the AirPort, you will need to plan to set up the port mapping manually. -
Blocking all MAC addresses except for the ones you allow
I have a Cisco Aironet 1200 Access Point. I want to block all MAC addresses from accessing the access point, except for the ones I've allowed. First I went to the Address Filters page and clicked on Allowed, then listed all the MAC address I want to be able to access the access point. Then I went to the Ethernet Advanced page, and set the Default Multicast Address Filter to Disallowed, and the Default Unicast Address Filter to Disallowed. Then I went to the AP Radio: Internal Advanced page, clicked on the Advanced Primary SSID Setup link, and set the Default Unicast Address Filter to Disallowed. Accept Authentication Type is set to Open with Shared and Network-EAP cleared, and the Require EAP check boxes are all cleared.
When using a computer whose MAC address is not listed on the Address Filters page, I am still able to connect to the network through the access point. I am also able to connect to the access point from any pc on my network by entering its IP address in Internet Explorer.
What do I need to do to block any pc without a listed MAC address from connecting to the access point?
Thanks, JeffHere's the instructions and URL on how to create an MAC based filter:
Follow these steps to create a MAC address filter:
Step 1 Follow the link path to the Address Filters page.
Step 2 Type a destination MAC address in the New MAC Address Filter: Dest
MAC Address field. You can type the address with colons separating the character pairs
(00:40:96:12:34:56, for example) or without any intervening characters (004096123456, for example).
Note If you plan to disallow traffic to all MAC addresses except
those you specify as allowed, put your own MAC address in the list of allowed MAC
addresses. If you plan to disallow multicast traffic, add the broadcast MAC address
(ffffffffffff) to the list of allowed addresses.
Step 3 Click Allowed to pass traffic to the MAC address or click Disallowed
to discard traffic to the MAC address.
Step 4 Click Add. The MAC address appears in the Existing MAC Address
Filters list. To remove the MAC address from the list, select it and click Remove.
Step 5 Click OK. You return automatically to the Setup page.
Step 6 Click Advanced in the AP Radio row of the Network Ports section at
the bottom of the Setup page for the radio you want to configure. The AP Radio Advanced page appears. -
Blocking Client MAC Addresses at Sup720/WLSM?
I want to block client MAC addresses at the central 6500, where the WLSM is located. Is there any solution like "dot11 association mac-list" at the accesspoints? I tried an "access-expression" on the tunnelinterface, but it did not work. Any suggestions?
Here is an example of config
switch(config)# mac access-list extended ARP_Packet
Switch(config-ext-nacl)# permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
Switch(config-ext-nacl)# end
Issue the vlan access-map map_ name command and the action drop command, which is the action to perform.
The vlan access-map map_ name command uses the MAC access list that you created to block ARP traffic from the hosts.
Switch(config)# vlan access-map block_arp 10
Switch (config-access-map)# action drop
Switch (config-access-map)# match mac address ARP-Packet
Add an additional line to the same VLAN access map to forward the rest of the traffic.
Switch(config)# vlan access-map block_arp 20
Switch (config-access-map)# action forward
Choose a VLAN access map and apply it to a VLAN interface.
Issue the VLAN filter vlan_access_map_name vlan-list vlan_number command.
Switch(config)# vlan filter block_arp vlan-list 2 -
Blocking a MAC address from Authentication to AIR-AP1230 12.3(8) JA
Anyone know the CLI commands for blocking a single MAC address from Associating to an AIR-AP1230 running 12.3(8)?
This link may help as well:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a0080184aa0.html#91655
Change the Action to Block, make the Default Action Forward All, and make the mask 0.0.0.0. Apply this to the dotllradio interface (or sub-interface), filtering inbound packets. This should block the specified MAC address only. -
Can iPhone 6 hotspot block unknown MAC addresses?
i am somewhat concerned that someone can hack my iPhone 6 hotspot.
is there a way to block devices with unknown MAC address from connecting to the hotspot?
is such a feature available, feasible, desirable?
anybody?
regardsPlease anyone?
-
Block curtain MAC-addresses on my WRT54GL
Hello
I use a Linksys WRT54GL for my wireless setup in my apartment. I have noticed that there sometimes are unknown MAC-addresses in "DHCP Clients Table". I guess it is my neighbours or someone on the street.
Am I able to block a curtain MAC-address, so I precent them to connect to my network. And how?
Best regards,
MAthiasUnder the Wireless tab,click on the Wireless Mac Filter>>>>choose the option enable and click on the option "document.write("Prevent PCs listed below from accessing the wireless network.") Prevent PCs listed below from accessing the wireless network" and then,click on Edit Mac Filter List to enter the Mac Address which you want to prevent.
-
No option of cloning MAC address
I was about to order the 2TB Time Capsule when I did an internet research and found out that there is no way to clone the MAC address of my existing Netgear router to the Time Capsule.
Last time I requested a change from my ISP it took several phone calls and left me without internet access for a week. I'm not willing to go through this again.
That's bad - for me since I really wanted the Time Capsule; - and for Apple because I won't buy it.It's really too bad the Airport and Time Capsule do not support changing the MAC address. Editing the MAC address is a technology (an officially sanctioned technology BTW) that's been around as long as Ethernet (and was present on Token Ring as well)
http://en.wikipedia.org/wiki/LocallyAdministeredAddress
Right now I have a bug where one of my computers keeps dropping its WiFi association, but there is a workaround to set the first byte of the MAC address to a nonzero value. (I've confirmed all my apple gear has zeroes as the first byte). I can change this on my Belkin N1, and on every other machine, Apple or not, that I own. But, I can't change the address on my Airports. Changing the MAC address is a legitimate part of the 802 specification and I wish it were supported on the Airports. I have a significant investment in them, this minor technical detail would be an unfortunate reason to not be able to use them as access points. -
Hi, need help on blocking a specific MAC address on an interface. On that interface it is cascaded to a hub.
Config# mac-address-table permanent aaab.000f.ffef e0/2
- is this the right command and can i list all the MAC address that is allowed to run? or there is a command to just block one MAC address and the rest is ok?
OR
Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
-almost the same as above but more restrictiveWhich switch is this ?? What model number and the IOS version.
What I can think of is using 2 ways :
1 Configuring the MAC Acl and applying it to the same port but this block only non-ip traffic.
2. Configure port security and secure you addresses as static and give the number of max-counts the same the as number of amc you want to allow which are connected to hub.
regards,
-amit singh -
WCS 7.0 Vendor mac-address list
We are doing a study on our public WiFi to identfy client connections based on wireless Vendor. about 40-50% of the clients wireless Vendors are "unknown". Is there a way to update the list of Vendor mac-addresses in WCS?
Regards
Chris KaufmanI doubt there will be any further releases of WCS code, as it's been EOL.
http://www.cisco.com/en/US/prod/collateral/wireless/ps5755/ps6301/ps6305/end_of_life_c51-556750.html
You would need to work a migration to NCS at this point.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
I need to change the MAC Address for Airport on MacBook
I have a specific need to change my son's Airport MAC address as his school requires the use of USB network cards that aren't compatible with MACs. These cards are needed because the school's router uses MAC address filtering.
Before we upgraded his Mac to Snow Leopard, we were able to change the MAC address to the MAC address of the useless dongal the school supplied. We basically created an AppleScript program that ran the "sudo ifconfig en1 ether xx:xx:xx:xx:xx:xx" and all was good.
This command no longer works for changing the MAC address. We tried it as root user as well and by typing it into the terminal window as root. After running the command, we can run "ifconfig en1" and it does display the new mac address but when we turn the airport on and try to connect, it just hangs and won't connect.
Our other non-Snow Leopard still works fine after running the commands so I'm guessing Apple disabled this functionality. It's hardly a security issue by being able to change your mac addres.
Is there a new way to accomplish this? I've searched everywhere.
Thanks!Would an easier solution be to provide the school's IT admin with your mac address and have it added? If they can add a block of mac addresses for the usb dongles, they can add more for machines that cannot use the dongle.
Also: "It's hardly a security issue by being able to change your mac address."
While it may not be a security issue for your machine, it is a security for the school network who is using mac address filtering as hopefully only one part of their wireless security.
That being said, have you read this?
http://osxdaily.com/2008/01/17/how-to-spoof-your-mac-address-in-mac-os-x/ -
Should I use a MAC address to validate users for my program?
I'm writing a graphical console program and I was planning on using a few methods for security. One being to block a user from logging in again if they don't type the correct username and password within three tries until the root user authenticates it again. I was planning on blocking the IP address but someone suggested blocking the MAC address since no 2 have the same ID and it's burned in, not to mention alot of people have dynamic addresses. However, I was reading that MAC addresses are mainly used in ethernet cards. I thought any device that has network capabilities has to have a MAC address? Is it good to use a MAC address for blocking someone from logging in again or what?
Its very easy to change your MAC address. If you have a wireless router (which you can buy for like 20 dollars) then you can tell it what MAC address to use. So I agree, don't use a MAC address to block users from your program. Also are you sending the username/password over the network in clear text? If so, these can be intercepted. So doing that may be a bad idea; it depends on how much security you want for your application.
-
ok, only 1 MAC is allowed on my home network however i had changed my MAC address on my ipod and macbook to be the requested address and everything was working perfectly (two computers with the same MAC browsing at the same time) then the airport was reset and now when any of the computers attempts to connect to the internet for the others it drops out. any ideas?
i have access to all computers but not the airport (unless someone tells me the terminal command i read of somewhere) thanks in advanceWhy don't you disable the ACL (access control list) rather than messing around with cloning MAC addresses? As you have noticed, cloning MAC address is rather easy, so ACL won't deter someone who's trying to gain access to your wireless network.
Maybe you are looking for
-
I am trying to install os x yosemite and it has frozen and nothing has happened for over a day now?
I have been trying to download os x yosemite on to my macbook air version 10.9.5 since yesterday and its currently frozen at 870 MB. An error keeps appearing and starts to re download but nothing happends
-
The iTunes Store loaded a U2 album on my iPhone I did not order
The iTunes Store loaded a U2 album on my iPhone I did not order. Did someone hack my account? I don't see any charges for these on my credit card. How do I delete these? They use up too much memory on my iPhone. How do I prevent this from happen
-
How can I copy tables from Numbers to Pages without formula?
hi everyone i need help How can I copy tables from Numbers to Pages without formula in the cells?
-
I have an Internet connection, but I can't get Firefox to work. None of the browsers on my computer work, so I can't uninstall & reinstall.
-
"Logic Pro Quit Unexpectedly" on installation. Any easy solution??
I am getting the dreaded "Logic Pro Quit Unexpectedly" on installation/moving Logic from my G5 running 8 to my intel iMac (details below) for 9. Any one who can read this and offer an easy solution?? No idea why . . i've run every update and repaired