Restrict vlan for mac address

Similar Messages

• 802.1x and wired dynamic vlans on MAC addresses

  Hi All,
  I would like to setup our new offices with dynamic vlans determined by the MAC address of the device connecting. So I need a database of MAC addresses in groups for which vlan they will go in, with separate vlans for printers and servers and computers and BYOD. If this can work for wireless too then even better.
  I've done some reading but am really struggling to find the information I need.
  We have a Windows domain and brand new 3850 Cisco switches.
  Can anyone steer me in the right direction (or tell me how to do it!) please?
  Thanks for reading.

  Hi, 
  So you need to perform MAB authentication. As you mentioned, you will need to create a DB of MAC entries.
  In order to configure the Windows server (2003 or 2008?) to assign the dynamic VLAN you need to define the Remote Access Policies and create the custom attributes. For example:
  Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
  Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. 
  Tunnel-Type. Select Virtual LANs (VLAN).
  You can find more information here:
  Configure a Network Policy for VLANs
  VLAN Attributes Used in Network Policy
  802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
  HTH.

• Restricting access via MAC address?

  Hello,
  Could someone please tell me how to restrict access to my wireless network (and internet sharing) by only allowing computers with a certain MAC address to join?
  I'm kinda stumbling around here
  Thanks,
  Jonny

  Sorry if I wasn't being specific enough...
  I have my eMac set up as a Software Base Station, which streams internet & Airtunes to an Airport Express. I have it set up this way, because my ADSL modem is connected via USB (so it's a bit of a workaround). As a result, I have Internet Sharing switched on, so I can access it from all my other macs.
  What I want to do is to stop other people from accessing my eMac's internet connection. If I set up a WEP password for Internet Sharing, I lose my Airtunes facility... so I was thinking another way might be to restrict access to the connection via MAC address. I only want my other airport card-equipped macs to access the internet connection and network generally.
  Surely it's possible?

• Using NAR to restrict access by MAC address

  Hello All,
  We have a solution where home users connect via ATM onto our network. Currenty their radius requests are passed onto Cisco ACS 3.3 and they are authenticated using RSA SecurID Fobs to an ACE server.
  I am trying to look at an alternative to using a SecurID fob and restrict the end user's access based on MAC address.
  I found this on the online documentation for ACS 3.3
  "About Non-IP-based NAR Filters
  A non-IP-based NAR filter (that is, a DNIS/CLI-based NAR filter) is a list of permitted or denied "calling"/"point of access" locations that you can use in restricting a AAA client. However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. The format of what you specify in the CLI box—CLI, IP address, or MAC address—must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log."
  If I specify a clients MAC in any of the non IP NAR options (CLI, Port, DNIS)access is refused. I am using radius IETF and the only time I can see the MAC in the radius accounting logs is when I turn on the option to log cisco-av-pair. Nothing is being logged under CLI or DNIS, so I don't think I can restrict access based on MAC using a non IP NAR. Has anyone implemented what is referred to in the documentation above? Is it just applicable to cisco Aironet? Any ideas?
  Thanks.

  A NAR is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients. So it is not device specific.

• Restrict printing via MAC address

  I am currently using Mac OS 10.2 server and now we are considering upgrading to 10.4 because of better printer servers. We don't current use the server software for printer serves. We would like to have the ability to restrict printing to the printer via the computers MAC address. Is this possible via server 10.4?
  Thanks in advance
  Jason
  PowerG4 dual G4 - 400mhz   Mac OS X (10.2.x)   OS 10.2 server

  You could use the firewall to block certain IP addresses from printing.
  You can ensure certain computers receive consistent IP adddresses via DHCP using Server Admin > DHCP > Settings > Static Maps which depends on MAC addresses.
  hth,
  b.

• Format of WCS template file for mac-address filtering

  I am looking for the format of the template file used for WCS Mac-address filtering.
  I need to know how the fields are delimited within the file.

  Sample csv file :
  #MAC Address,Profile Name,Interface,Description
  22:22:22:22:22:22,profile8,management,cisco
  00:00:00:00:00:01,myprofile,int1,First filter
  00:00:00:00:00:02,,management,Second filter
  00:00:00:00:00:03,,,Third filter
  Note: "MAC Address" and "Description" are mandatory fields

• IOS 5 OTA: Device query for mac address

  Device query for attribute "MAC_ADDRESS_EN0" doesn't return any value on iOS 5. It use to work fine on iOS 4. Does anyone know the new attribute to query mac address on iOS 5. Appreciate any help.
  Thanks,
  Juzer.

  That attribute was deprecated in iOS 4, and has been removed in iOS 5. There is no replacement for it.

• How to configure dot1x to check for mac address then to send to radius

  hi,
  is there any way on a switch to get a port to check a list of mac addresses then if the pc is not in that list send the request to a radius server. the radius we use is steelbelt radius.
  cheers
  tony

  Hi,
  It looks you are looking for the mac authentication bypass (MAB) feature.
  Please take a look at the feature in detail:
  http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1205506.
  You can authenticate devices based on MAC address.
  Here is a step guide to configure it on older IOS releases:
  http://preview.cisco.com/en/US/docs/solutions/Enterprise/Campus/IBD/MACAuthB.html.
  12.2(50) and later IOS:
  http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1196845.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

• [Ask] How to restriction number of mac address per client on WLC !!!!!!

  Dear all,
  First, thank for read my topic, now i have a small trouble with WLC.
  My company have 12 APs & Cisco 5508 WLC, all things work well.
  We already setup a WLAN for user can connect to internet (using local net users account), but they using their mobile phones, notebook to share internet connection with others peoples, we don't want that, we want only that user can use internet, and their mobile phone, notebook can't become a portable wifi hotspot (we see them on Rogue APs)
  I known that we can use MAC address filter, but we must use local net users for some reason,
  Do you have any idea, any solution for this case ?
  Thank you.

  The solution cannot be fixed with Wireless.
  This solution can only be fixed using AD.
  I remembered in a place where I used to work that they can control the aspect of how your computer behaves using AD to the extent you cannot use the USB ports.  You'll need special permission and fill out a 12-page document to get this lifted.
  With AD, you can prevent a laptop for using both Wireless and wired simultaneously.
  You also have to consider using a proxy server so you'll be able to track down users.

• Check for mac address (physical address) of ethernet card

  Hi!
  We want to deliver LabVIEW code which will run only on licensed machines (node locked licensing).
  We have a PXI chassis with one or more PCs connected to the same LAN as the chassis. We have locked our first license to the chassis by checking for the serial number of the DAQ card installed in the chassis. Now, we want to run a second license on ONLY ONE of the standard desktops connected to the chassis. We've removed the DAQ card check since there are no DAQ cards on the desktops. But a no check software can be freely copied and run on more than one desktops. How do we prevent this?
  One idea is to check for the MAC address of the ethernet card at runtime. Question is how do I retrieve the MAC address at run time in my LV exe?
  Is there another way to achieve a node locked licensing? Some people use HDD serial number .... ??
  We are using LV 7.1 on Win2K.
  Thanks.
  - Gurdas
  Gurdas Singh
  PhD. Candidate | Civil Engineering | NCSU.edu

  Gurdas wrote:
  Is there another way to achieve a node locked licensing? Some people use HDD serial number .... ?? Gurdas
  About this questions, below I include a response I wrote to a similar subject. I hope it is useful.
  Enrique wrote:
  If you still want to implement the copyright scheme yourself, this are some of my thoughts about that subject. I hope this can start a good topic of conversation:
  If you want your program to run on a specific machine, you need to know about that machine so your software is somehow "made" exclusively for that machine. If you can make the software so it utilize resources very specific to the target computer, then you are ok. It is difficult to come up with the right analogy. Let say it is like somebody make a uniform specifically for you and take into consideration all your exact measurements like size, weight, etc. (we are assuming a little here, like those measurement won't change). It can be argued that there maybe somebody in the universe that is like you, but the chances can be sufficiently low so it is acceptable to you to take the risk. All this is usually very difficult and expensive.
  A more common approach is to know information that can uniquely identify the computer and then create the application so it first ask the computer to identify itself. Upon correct identification, the application provide its services. An analogy is that I am the one who provide the services and I have your name and driver license number on file. If you request service, I ask you for those identifiers and once I verify your identity you are good to go.
  A more secure approach will be that we share a secret like a password. I, as the application, ask you (the computer) to authenticate, that is, to provide identification and the password. An alternative is to have something that, although is not secret, it cannot be forged (at least, within certain probability). Let say I ask you for your signature. The bundle human presence + signature cannot be forged.
  A way to implement the latest one may go like the following: each copy of your software has a unique identifier (SI) and a unique key (K) that enable the application. You ask the target computer for its unique identifiers (CUI). You generate a random string (R) for the secret and then create a function f such that: K = f(SI, CUI, R). To get the right key K that enable your software, all the other parameters must be the right ones.
  If this is done right, the security of the application will depend on the secret (R), so you better generate and manage R right. Also, you want to make sure the function f() cannot be bypassed (i.e., direct insertion of K is not possible).
  There are a lot of additional issues to deal here, but I'll stop for now. I need to run some errands....
  Regards;
  Enrique
  www.vartortech.com

• Using my hotspot for first time and when configuring devise it asked for MAC address

  I dont have a MAC. I want to use this on a  Mini laptop. I am adding my first device. I live in the country and dont think any one elses computer will hook to this hotspot. . I am leaving on vacation tomorrow and need for this too work.

  Personally, I use the MAC filter. Go into network on your mini and you can find that devices MAC address.
  MAC address has nothing to do with Apple.

• Restriction settings for mac

  I just finished iOS 5 and Lion updates for all devices.  I am using the restrictions setting in iOS so that no one can turn off location services (I realize there are other ways around, but this seems like a good idea to help track a lost/stolen device using find my iphone).  I am trying to find a similar security setting in Lion for a Mac . . . . it might be right in front of me, but can't seem to find it.  Anyone know if this is possible?
  Thanks!

  Also, please click on the or buttons over posts as appropriate...

• Mac Address restriction

  Hi there,
  I have a express acting as a access point to my network for wireless devices, just wondering if anyone know if it is possible to restrict access via MAC address within the express station? This is a last attempt by me for some security as I can't get encryption to work with all devices. Any help will be good, thanks
  Thanks
  Connor

  You can, however in my opinion it only adds a superficial level of security which can be easily broken.
  Airport Admin Utility -> Configure > Access Control Tab.
  It use to be useful, but MAC address access control is really no longer a real option when it comes to wireless security.
  The problem arises as the MAC addresses are sent unencrypted and therefore can be picked up and read by a determined hacker.
  Not only that with many ethernet devices you can now very easily change the MAC address to a different one, so making it very easy to spoof the Mac address and fool a wireless base station into believing that you are an authenticated client.
  What security are you trying to configure?
  WEP or WPA?
  iFelix

• Maximum MAC address table size

  Hello guys.
  what is the maximum MAC address table for the Cisco 3750X series switches?

  Scalability Numbers
  MAC, routing, security, and QoS scalability numbers depend on the  type template used in the switch. Routing template is not supported in  the LAN Base feature set. Table 10 shows Cisco Catalyst 3750-X and  3560-X Series Switch scalability numbers.
  Cisco Catalyst 3750-X and 3560-X Series Switch Scalability Numbers    
  Access
  Default
  Routing
  VLAN
  Unicast MAC addresses
  4K
  6K
  3K
  12K
  IGMP groups and multicast routes
  1K
  1K
  1K
  1K
  Unicast routes
  6K
  8K
  11K
  0
  Directly connected hosts
  4K
  6K
  3K
  0
  Indirect routes
  2K
  2K
  8K
  0
  Policy-based routing ACEs
  0.5K
  0
  0.5K
  0
  QoS classification ACEs
  0.5K
  0.5K
  0.5K
  0.5K
  Security ACEs
  2K
  1K
  1K
  1K
  VLANs
  1K
  1K
  1K
  1K

• What are the optimal values for mac and arp timeout values

  Hi Guys.
  What are the best values for "mac address-table aging-time" and "arp timeout" by following scenarios?:
  - single sg300-10 as layer3-switch with a maximum of 10 local (direct connected) hosts
  - and a 3750x-stack with 100 local hosts + hsrp with a other stack of the same sort
  or for asa 5520 as internet gateway for 500 clients?
  I use at the moment a mac aging-time from 300 seconds and a arp timeout from 3600 seconds.
  Is this o.k.?
  Thanks.

  Marvel.
  As far as enhancing the CLI, it will of course be enhanced when new firmware releases provide new features. As far as making it more IOS-like, best to my knowledge, no.  The only other supported CLI on the SB switches are on the SX500 series and SX200E series which the CLI are all consistent. If you bought a SX500 series the commands are nearly identical minus the different feature sets.
  -Tom
  Please mark answered for helpful posts