Creating NAC remediation rules based on MAC address

Hi All,
Any idea please. Is it possible to control PCs allowed on the network based on a MAC address list in NAC? I.e. create a list of MAC addresses for PCs on my network in NAC; then each PC is granted network access (passed NAC authentication and remediation) only if its MAC address is in that list.
So my checks will be:
1. Have antivirus updated
2. Have antispyware updated
3. Have windows updates installed
4. Have MAC address registered in the MAC list
5. etc.
Then after the above checks pass --> GRANT network access.
regards,
Stanlaus.

I have been doing some of this, and while it does provide some of the functionality that is lost without the ability to apply rules only to read messages, it is not a complete solution. One of the biggest drawbacks is that it is not easy to selectively limit what new mail shows up in the smart mailbox. One approach that works, sort of, is to limit the smart mailbox to only messages from people in my address book. However, not all relevant messages are from people already in my mailbox, so it requires constantly double checking to make sure that things are slipping through the cracks.
The best thing about being able to apply rules, after receiving them, based on the status of a message is that it puts the control in the users' hands. It allows you to selectively apply rules, only when you want to apply them. Rather than always/never, you have the ability to apply rules "sometimes/as needed." It allows for fuzzy logic, rather than hard conditions.

Similar Messages

  • Tcl script to change access vlan based on MAC address

    Hello all. I'm looking for some input on how best to handle this situation. I have a large network with a lot of remote offices where we have limited control over users moving around patch cables. We're using vlan-based QoS in these offices to mark voice, video, data, etc. The problem I'm having is that our users are moving video conferencing equipment to different interfaces on our switches, which puts the VTC unit in a different vlan, fouling our QoS policy. They then call and complain about poor video quality.
    I'm trying to come up with a way to automate putting the interface in the video vlan if a VTC unit is connected. All of our video conferencing units are from the same vendor, so they have the same OUI in the MAC address. The script I've been working on looks for a line protocol up event, then checks to see what access vlan is configured on the interface. If the interface is already in the video vlan, the script exits. If the interface is not in the video vlan, the script looks at the MAC address table for the interface and if the OUI matches a VTC unit, the script changes the interface configuration. My question is, is there a better event to trigger script execution? Maybe a MAC notification trap, or something else? Line protocol transitions when the access vlan is changed, so the current script runs twice: once when the interface first comes up with a new connection, and again when the vlan is changed.
    Script is attached. Any help or advice is appreciated!

    Does your video equipment use CDP? If so, then you can use the neighbor-discovery event detector to only react when you see a media endpoint being connected to a port. Yes, MAC address notifications (the mat ED) can also work if you know the MACs of your media endpoints.

  • DHCP to send different Gateways based on MAC-Addresses

    Hello,
    I would like to use the built-in DHCP server to send out different gateways based on the clients' MAC addresses.
    I have already managed to assign "static" IP addresses using the DHCP server to specific MAC addresses.
    Is this possible or do I need additional software?
    Thanks for your help

    The basic IP networking construct here is the IP subnet (and the subnet mask); that's how you set up groups of related network hosts in an IP network. Hosts within a subnet tend to have the same DNS and gateway router and related pieces configured, and one DHCP server and such. (That's not strictly necessary, but...)
    Launch Server Admin, select the DHCP service, set up subnets via the DHCP service by subnet mask, and establish DNS and default router settings there for each of the subnets.
    Then set up static maps for the MAC address(es) associated with the hosts, and drop the static IP addresses into the particular subnet you want the host associated with.
    You will want to leave room in the subnet for both the DHCP allocations (if any) and for the static hosts mapped into the subnet via MAC address.
    There well may be a better way here, but this will get you where you want. (And the Network Services Administration manual - which you'll need to read - does seem a bit confusing around this particular sequence.)
    nb: I don't have a "scratch" Leopard Server configuration handy to test and confirm this sequence.
    nb: Xserve boxes require a little extra thought, given each Xserve box tends to have four MAC addresses.

  • VLAN Select - Interface dirty - Index based on Mac Address

    Hello Experts,
    We are testing the VLAN Select feature with a 5508 controller, version 7.0.230, and two /23 DHCP scopes on an external DHCP server. Our cookbook is the following document:
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml
    Now I have a few questions:
    1 - Is there any chance to see the calculated index, based on the MAC address, of the interface that is assigned to the client? I tried "debug client MAC-ADDRESS" and "debug dhcp". Maybe I overlooked it, but I can't find any information about that index.
    2 - Is there a CLI command to delete the index? It would be great for testing purposes and troubleshooting.
    3 - Is there a CLI command to check if the interface is "dirty"?
    4 - Our DHCP server has a lease time of 5 minutes. Is it possible to set the interface dirty time to a value less than 30 minutes?
    Best Regards,
    Michael

    I know this is an old post, but I ran across it trying to find an answer to the same questions.
    Did you ever find any answers? I did find an answer to question 3: show interface group detailed.
    But I haven't found a way to delete the indexes short of rebooting all the controllers, and apparently you would have to reboot them all at the same time.

  • IAS authentication with 200 series switches based on MAC addresses

    Hi,
    I am trying to implement a solution based on a 2003 Server with IAS and a switch (from the 200 series) just to authenticate machines with their MAC addresses.
    I think the config on the switch is OK, but I'm facing questions about the parameters to put in IAS...
    Can someone help me or give me a link to a good document that explains the 'how-to'?
    Many thanks

    I have just done some more testing.
    I added the authentication mac-move permit command to the switch and it now almost works as expected.
    The scenarios now are:
    Machine without dot1x supplicant plugged into phone: when unplugged, the switch immediately deletes the MAC address from the port.
    Machine with dot1x supplicant plugged into phone: exactly the same.
    Machine without dot1x plugged directly into port: exactly the same.
    Machine with dot1x plugged directly into port: exactly the same.
    The problem is if someone has a machine running a dot1x supplicant and hosting a VM.
    In that case, as long as you move to a different port on the same switch it works fine (as the workstation reconnects, the mac-move process works).
    If you move this machine from one switch to another with the IP phone installed, the de-auth message removes the VM or the host from the original switch MAC table and leaves one of the old addresses behind.
    I suppose a solution would be to ban all VMs, but that won't go down well.
    I don't want to change the authentication method, as we will have machines without a supplicant that need to connect to resources (i.e. using MAB).
    Thanks for your help (and a faster reply than my support company who still haven't rung me back).
    Giles

  • User Control System based on MAC address?

    I wonder how I can make a user control system for my website based on visitors' computers' MAC addresses?
    Is it possible to get the MAC address of visitors to my site in Flash? If possible, how?
    Thanks in advance for your reply

    Not possible through Flash Player. You may advocate a JavaScript approach and use it in combination with Flash.

  • Create Incoming Mail Rule Based on Embedded HTML in Emails in Mac Mail?

    I want to filter a selection of incoming emails in MAC MAIL that have an image embedded into the email. The image is the only thing that will distinguish the emails apart and so I'm wondering if it is possible to filter based on embedded html in an email? If so how? Thanks!

    There are no embedded images in HTML mail; it's an attachment. If you want to filter out messages with attachments of one or more types, you need to create a Rule that looks for those criteria and then transfers those messages to your desired location.
    For example, if you wanted to filter out messages that contained .gif images, you'd set up a Rule where "Any Attachment Name" "Ends with" ".gif" and then choose what you want to happen to those messages.
    And the program is Mail; not MAC MAIL.

  • ACS V4.1 How to separate MAC addresses in an Authentication rule....?

    I'm configuring Agentless Authentication based on MAC addresses sent from the access switch using MAB (MAC Authentication Bypass). I got it up and running, but with just one MAC address configured in the Authentication rule. When I try to configure more than one address in the rule, I get an error saying this is not a MAC address. How do you separate the MAC entries in the same Authentication rule? The doc says you can configure 10.000 addresses in one rule.

    The ACS can authenticate MAC addresses sent from an AP/Switch. A properly configured AP/Switch will attempt to authenticate a MAC address using Secure-PAP authentication with the ACS. The MAC addresses are entered into the ACS as users, with the username and password being the MAC address.
    1. From the ACS main menu, click on the USER SETUP button.
    2. In the USER text box, type the MAC address to add to the user database. Use no dashes, periods, or any other delimiter. At the USER SETUP screen, enter the MAC address in the SECURE-PAP PASSWORD text box.
    3. Click the SUBMIT button.
    Adding the AP/Switch to the ACS server
    1. From the ACS main menu click on the NETWORK CONFIGURATION button.
    2. Click on the ADD ENTRY button.
    3. Configure the DNS name of the AP, the IP address of the AP, the RADIUS shared secret and the Authentication method.
    4. Make sure to select RADIUS (Cisco Aironet) in the AUTHENTICATE USING drop down menu.
    5. To complete, click the SUBMIT+RESTART button.

  • Mac-Address Different format for Authorization on Cisco ISE

    Dear All,
    I have a problem with my Cisco ISE.
    This is the design:
    ISE ---- Core Switch ---- 3Com Switch --- PC User
    My case:
    Authorization is based on MAC address and Active Directory,
    but users with PCs that connect to the 3Com switch are denied by ISE because the MAC address format is different from Cisco's.
    Cisco MAC address format: XX:XX:XX:XX:XX:XX
    3Com MAC address format: XXXX-XXXX-XXXX
    3Com Switch type is TRICOM 4210 26-PORT.
    Does anyone have experience with this? And how do I change the MAC address format on the 3Com switch so the user can be authorized by Cisco ISE?
    Note:
    Authorization based on Active Directory is not a problem with the 3Com switch.
    Based on my experience, different products use different MAC address formats, so this case is not only for 3Com switches.
    Thanks,
    Arika Wahyono

    I do not think Cisco will add these vendors to the supported switch matrix because then it would be a support issue that Cisco would have to deal with, much like most of the AD issues I experienced when I worked in TAC. Your best bet would be to run the evaluation license instance in a lab and have a 3Com switch point against that.
    Other than that, I do not recommend upgrading to 1.2 without validating that the new "multi-vendor" MAB support will work on your switch.
    PS - Keep in mind that my comments are just my opinion, so you may need to open a TAC case for an official answer.
    Tarik Admani
    *Please rate helpful posts*
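The format mismatch in this thread (Cisco XX:XX:XX:XX:XX:XX versus 3Com XXXX-XXXX-XXXX) and the MAC allowlist asked about in the opening question both come down to comparing addresses in one canonical form. The following is an added example, not code from any poster or from ISE/ACS: it normalizes the delimiter styles seen on this page, including the bare form ACS wants entered "with no dashes, periods or any other delimiter", and checks a candidate against an allowlist. The sample addresses are constructed.

```python
import re

# Constructed sample allowlist in the mixed formats seen on this page.
ALLOWLIST_RAW = [
    "00:1A:2B:3C:4D:5E",   # Cisco / ISE colon style
    "001a-2b3c-4d5f",      # 3Com dash-separated quads
    "001a.2b3c.4d60",      # Cisco IOS dotted style (show mac address-table)
    "001A2B3C4D61",        # bare 12 hex digits, as typed into ACS User Setup
]

_DELIMITERS = re.compile(r"[:.\-\s]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return a MAC as 12 lowercase hex digits regardless of vendor delimiter.

    Only known delimiters are stripped; anything that is not then exactly
    48 bits of hex raises ValueError, so a malformed entry never matches.
    """
    digits = _DELIMITERS.sub("", raw.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return digits


def to_cisco(mac: str) -> str:
    """Render in the XX:XX:XX:XX:XX:XX form ISE logs and policy use."""
    d = normalize_mac(mac)
    return ":".join(d[i:i + 2] for i in range(0, 12, 2)).upper()


def to_3com(mac: str) -> str:
    """Render in the XXXX-XXXX-XXXX form the 3Com switch sends."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 4] for i in range(0, 12, 4))


def build_allowlist(entries) -> set:
    """Canonicalize every configured entry once; a bad entry fails loudly."""
    return {normalize_mac(e) for e in entries}


def is_allowed(mac: str, allowlist: set) -> bool:
    """Allowlist membership check; unparseable input is treated as not allowed.

    A MAC is a weak, client-asserted identifier, so this is a gate alongside
    the posture checks in the opening question, not a replacement for them.
    """
    try:
        return normalize_mac(mac) in allowlist
    except ValueError:
        return False
```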

  • IPv4 reservations check all of Option 61, not just MAC address

    I am trying to use Server 2012 R2 DHCP to assign IPv4 addresses in a mixed network.
    Most systems send a very brief Client Identifier (Option 61) which includes only hardware type and MAC address. Some systems (most importantly Fedora 21 in my case) send more information including an IAID, DUID type, and time in addition to hardware type and MAC address. MAC address still comes at the end of the option.
    I am attempting to use reservations to assign addresses to workstations, but DHCP doesn't seem to know what to do with the extended options sent by Fedora 21; it checks all of the client identifier against the MAC address and then rejects the request because the client identifier has additional information. Has anyone found a server setting to resolve this? Once a Fedora client is set up it can be configured to send only the MAC address and hardware type in Option 61, but I am looking for something that will work with the default options. It seems odd to me that DHCP requires a MAC address to identify clients in a reservation, but compares the MAC address to all of the contents of Option 61.

    Hi,
    According to your description, my understanding is that the DHCP server (Windows Server 2012) can't reserve an IP address for Fedora 21, due to the extended Option 61 sent by this client.
    On a Windows DHCP server, reservation is based on MAC address. As you mentioned, the DHCP server will check the message sent from the client; if the matching MAC address has been detected, the reserved IP address will be assigned to the client.
    As far as I know, there is no additional setting for the Windows DHCP server to control the identifying field of the message sent from the client.
    Configuring the Fedora client to send only the MAC address and hardware type in Option 61 could be a better way to resolve this problem.
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
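The two Client Identifier shapes the poster describes are the classic RFC 2132 form (hardware type byte plus MAC) and the RFC 4361 form (0xff, IAID, then a DUID whose trailing bytes are the MAC). The following added example, not code from either poster and not how Windows DHCP behaves, decodes both and compares on the MAC alone, which is the comparison the reservation was expected to make; the IAID and DUID time values in the samples are constructed.

```python
import struct


def mac_from_client_id(opt61: bytes) -> str:
    """Extract the 48-bit MAC from a DHCPv4 Client Identifier (Option 61).

    Handles the two layouts described in the thread:
      * classic (RFC 2132): hardware type 0x01 (Ethernet) + 6-byte MAC
      * RFC 4361: 0xff + 4-byte IAID + DUID, where the DUID is DUID-LLT
        (type 1: hw type, 4-byte time, MAC) or DUID-LL (type 3: hw type, MAC);
        in both the MAC is the trailing 6 bytes, as the poster observed.
    Raises ValueError for anything else instead of guessing.
    """
    if len(opt61) == 7 and opt61[0] == 0x01:
        mac = opt61[1:]
    elif len(opt61) >= 9 and opt61[0] == 0xFF:
        duid = opt61[5:]                      # skip 0xff and the 4-byte IAID
        duid_type, hw_type = struct.unpack("!HH", duid[:4])
        if hw_type != 1:
            raise ValueError(f"unsupported hardware type {hw_type}")
        if duid_type == 1 and len(duid) == 14:    # DUID-LLT: type,hw,time,MAC
            mac = duid[8:]
        elif duid_type == 3 and len(duid) == 10:  # DUID-LL: type,hw,MAC
            mac = duid[4:]
        else:
            raise ValueError(f"unsupported DUID type/length {duid_type}/{len(duid)}")
    else:
        raise ValueError("unrecognized client identifier layout")
    return ":".join(f"{b:02x}" for b in mac)


def matches_reservation(opt61: bytes, reserved_mac: str) -> bool:
    """True when the MAC carried in Option 61 equals the reserved MAC.

    Compares only the MAC, not the whole option, so the Fedora-style
    identifier matches the same reservation as the classic one.
    """
    try:
        return mac_from_client_id(opt61) == reserved_mac.lower()
    except ValueError:
        return False


# Constructed samples: the same NIC announcing itself in both styles.
MAC = bytes.fromhex("001a2b3c4d5e")
CLASSIC_OPT61 = b"\x01" + MAC
FEDORA_STYLE_OPT61 = (
    b"\xff"
    + struct.pack("!I", 0x2B3C4D5E)   # IAID (constructed value)
    + struct.pack("!HH", 1, 1)        # DUID-LLT, hardware type Ethernet
    + struct.pack("!I", 0x1D5F4A10)   # DUID time (constructed value)
    + MAC
)
```

The classic identifier is 7 bytes and the DUID-LLT form is 19, which is why a server that compares the whole option against a 6-byte MAC rejects the latter.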

  • Device in the data base getting PXE aborted --unable to find machine using Mac address /resouce iD

    Hi,
    When I deploy OSD to my unknown collection I am getting PXE aborted. Earlier we used to delete machines from SCCM by searching with a query based on MAC address and clearing the last PXE advertisement option, but I am finding certain machines getting PXE aborted that show as a device in the database, yet when we search for these machines using MAC address / resource ID we are unable to find them in SCCM or the SCCM database. I have found some blogs where the unknown collection parameter Decommissioned is changed from "0" to "1", but I am unable to build a new unknown collection. It is very difficult to delete machines from the SCCM console every time PXE is aborted. Machines are getting PXE aborted because in some way they are known to SCCM, and it is difficult to import machines every time before they are imaged. Is there any permanent solution to override PXE aborted, even when systems are known to SCCM? We are on SCCM 2012 infrastructure.
    Hoping for a positive reply from all technical leads.
    Thanks in advance,
    ankith

    Hi,
    "is there any permanent solution to override pxe aborted ,even systems are known to SCCM ,we are in sccm 2012 infrastructure"
    I think there is not a permanent solution.
    It could help if you first run the Configuration Manager report to locate a particular MAC address.
    Best Regards,
    Joyce
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Highlight an address on a web page and make new card based on the address?

    Is there a way to highlight an address in another application, and then create a new card based on that address, where city, state, phone number, etc would all be parsed into the separate fields automagically?

    As per the title really - anyone know of a method of including an email address on a web page without it being picked up by spam bots?
    Impossible.
    Usually if I want to avoid that, I just do a little form with a honey trap, but I'm working on a page that needs contact details for around 100 places, so doing 100 odd forms for a single page might be a little impractical....
    Run it inside a script that parses an XML file based on the link's ID - one script, many links, no directly visible mail addresses (though, of course, bots can still parse the XML file itself, if it is not in a hidden directory or something like that).
    Mylenium

  • Using NAR to restrict access by MAC address

    Hello All,
    We have a solution where home users connect via ATM onto our network. Currently their RADIUS requests are passed onto Cisco ACS 3.3 and they are authenticated using RSA SecurID fobs to an ACE server.
    I am trying to look at an alternative to using a SecurID fob and restrict the end user's access based on MAC address.
    I found this on the online documentation for ACS 3.3
    "About Non-IP-based NAR Filters
    A non-IP-based NAR filter (that is, a DNIS/CLI-based NAR filter) is a list of permitted or denied "calling"/"point of access" locations that you can use in restricting a AAA client. However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. The format of what you specify in the CLI box—CLI, IP address, or MAC address—must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log."
    If I specify a client's MAC in any of the non-IP NAR options (CLI, Port, DNIS), access is refused. I am using RADIUS IETF, and the only time I can see the MAC in the RADIUS accounting logs is when I turn on the option to log cisco-av-pair. Nothing is being logged under CLI or DNIS, so I don't think I can restrict access based on MAC using a non-IP NAR. Has anyone implemented what is referred to in the documentation above? Is it just applicable to Cisco Aironet? Any ideas?
    Thanks.

    A NAR is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients. So it is not device specific.

  • Script Automation of VM in SCVMM 2012 R2 Rollup 1 - Cannot retrieve Mac Address

    Hi All.
    I am creating a script for automation of VMs.
    I have run into a problem. I get my VM created as it should (at least I think so); I can boot the machine and in there I see a MAC address from the console view, so I know the machine has a MAC address.
    I have tried to get my MAC address like this, but the result is blank:
    $ShowMacAddress = Get-SCVirtualNetworkAdapter -VM $VMName | Select MACAddress
    $ShowMacAddress.MACAddress
    But if I go into the SCVMM Management console, and right click on my newly created machine and click refresh, my Mac Address suddenly shows up.
    I have tried this link, but it does not work for me
    http://social.technet.microsoft.com/Forums/en-US/2e312c16-1369-4f9e-8be3-9fbef697adf5/scvmm-get-mac-address-of-new-vm?forum=virtualmachingmgrhyperv
    Please help me, I am stuck
    Ricco
    Ps. do I need to post the rest of my script?

    If you are trying to get this information immediately after the VM creation, VMM may not have the information. To my understanding, once the VM is created and VMM gets the updates while refreshing the VM, these properties will be updated.
    As a workaround, you could initiate a refresh immediately after the VM creation and then query the MAC:
    Refresh-VM VMName
    After a successful refresh, you should be able to query the mac address.
    Optimism is the faith that leads to achievement. Nothing can be done without hope and confidence.
    InsideVirtualization.com

  • How to configure dot1x to check for mac address then to send to radius

    hi,
    Is there any way on a switch to get a port to check a list of MAC addresses, then if the PC is not in that list send the request to a RADIUS server? The RADIUS we use is Steel-Belted Radius.
    cheers
    tony

    Hi,
    It looks like you are looking for the MAC Authentication Bypass (MAB) feature.
    Please take a look at the feature in detail:
    http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1205506.
    You can authenticate devices based on MAC address.
    Here is a step guide to configure it on older IOS releases:
    http://preview.cisco.com/en/US/docs/solutions/Enterprise/Campus/IBD/MACAuthB.html.
    12.2(50) and later IOS:
    http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1196845.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
