Using NAR to restrict access by MAC address

Hello All,
We have a solution where home users connect via ATM onto our network. Currently their RADIUS requests are passed on to Cisco ACS 3.3 and they are authenticated using RSA SecurID fobs to an ACE server.
I am trying to look at an alternative to using a SecurID fob and restrict the end user's access based on MAC address.
I found this on the online documentation for ACS 3.3
"About Non-IP-based NAR Filters
A non-IP-based NAR filter (that is, a DNIS/CLI-based NAR filter) is a list of permitted or denied "calling"/"point of access" locations that you can use in restricting a AAA client. However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. The format of what you specify in the CLI box—CLI, IP address, or MAC address—must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log."
If I specify a client's MAC in any of the non-IP NAR options (CLI, Port, DNIS), access is refused. I am using RADIUS IETF and the only time I can see the MAC in the RADIUS accounting logs is when I turn on the option to log cisco-av-pair. Nothing is being logged under CLI or DNIS, so I don't think I can restrict access based on MAC using a non-IP NAR. Has anyone implemented what is referred to in the documentation above? Is it just applicable to Cisco Aironet? Any ideas?
Thanks.

A NAR is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients. So it is not device specific.
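
To see what a CLI-based NAR entry would have to match, the RADIUS accounting log can be surveyed per AAA client for where a MAC address appears and in which notation. The script below is an added example, not part of the original thread or of Cisco's documentation; the CSV layout, column names and log rows are constructed, and the mapping of the CLI field to Calling-Station-Id and of DNIS to Called-Station-Id is an assumption.

```python
import csv
import io
import re

# Constructed accounting-log export; columns and rows are illustrative only.
SAMPLE_LOG = """\
User-Name,NAS-IP-Address,NAS-Port,Calling-Station-Id,Called-Station-Id,cisco-av-pair
alice,192.0.2.10,5,,,client-mac-address=0011.2233.4455
bob,192.0.2.20,29,00-11-22-33-44-66,,
carol,192.0.2.10,7,,,client-mac-address=0011.2233.4477
"""

# Assumed mapping of RADIUS attributes to the non-IP NAR fields.
NAR_FIELDS = {"Calling-Station-Id": "CLI", "Called-Station-Id": "DNIS"}

HEX = r"[0-9A-Fa-f]"
MAC_RE = re.compile(
    rf"(?<!{HEX})("
    rf"{HEX}{{2}}([-:])(?:{HEX}{{2}}\2){{4}}{HEX}{{2}}"  # 00-11-22-33-44-55 or ':'
    rf"|{HEX}{{4}}\.{HEX}{{4}}\.{HEX}{{4}}"              # 0011.2233.4455
    rf"|{HEX}{{12}}"                                      # 001122334455
    rf")(?!{HEX})"
)


def mac_notation(mac):
    """Reduce a MAC to its notation, e.g. 'xx-xx-xx-xx-xx-xx'."""
    return re.sub(HEX, "x", mac)


def survey(log_text):
    """Per AAA client: set of (column, notation) pairs where a MAC was logged."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        for column, value in row.items():
            if column is None or not value:
                continue
            match = MAC_RE.search(value)
            if match:
                hit = (column, mac_notation(match.group(1)))
                findings.setdefault(row["NAS-IP-Address"], set()).add(hit)
    return findings


def nar_advice(log_text):
    """Per AAA client: NAR fields that actually receive a MAC, with its notation.

    An empty list means the MAC only arrives in an attribute the CLI/DNIS
    filter never looks at, so a MAC entered there has nothing to match.
    """
    return {
        nas: sorted((NAR_FIELDS[c], fmt) for c, fmt in hits if c in NAR_FIELDS)
        for nas, hits in survey(log_text).items()
    }


if __name__ == "__main__":
    for nas, usable in nar_advice(SAMPLE_LOG).items():
        print(nas, usable or "no MAC in CLI/DNIS attributes")
```
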

Similar Messages

  • Restricting access via MAC address?

    Hello,
    Could someone please tell me how to restrict access to my wireless network (and internet sharing) by only allowing computers with a certain MAC address to join?
    I'm kinda stumbling around here
    Thanks,
    Jonny

    Sorry if I wasn't being specific enough...
    I have my eMac set up as a Software Base Station, which streams internet & Airtunes to an Airport Express. I have it set up this way, because my ADSL modem is connected via USB (so it's a bit of a workaround). As a result, I have Internet Sharing switched on, so I can access it from all my other macs.
    What I want to do is to stop other people from accessing my eMac's internet connection. If I set up a WEP password for Internet Sharing, I lose my Airtunes facility... so I was thinking another way might be to restrict access to the connection via MAC address. I only want my other airport card-equipped macs to access the internet connection and network generally.
    Surely it's possible?

  • My home environment is an older Mini Mac running 10.5.8 with a PowerPC G4 processor (I know, it's old). I also use an iPhone 3S, accessing my mac mail account.  Do I have to upgrade my computer to a faster processor to use iCloud?

    My home environment is an older Mini Mac running 10.5.8 with a PowerPC G4 processor (I know, it's old). I also use an iPhone 3S, accessing my mac mail account.  Do I have to upgrade my computer to a faster processor to use iCloud?

    Hello,
    You can't upgrade to any faster, & especially not to an Intel CPU needed to run Lion/10.7 for full iCloud usage.
    You can have limited use of iCloud the way it is, you can view all of iCloud in a Browser, You can use Find my Phone I hear, & you can use IMAP Mail for syncing, but no other syncing.
    iCloud Mail setup...
    IMAP (Incoming Mail Server) information:
    Server name: imap.mail.me.com
    SSL Required: Yes
    Port: 993
    Username: [email protected] (use your @me.com address from your iCloud account)
    Password: Your iCloud password
    SMTP (outgoing mail server) information:
    Server name: smtp.mail.me.com
    SSL Required: Yes
    Port: 587
    SMTP Authentication Required: Yes
    Username: [email protected] (use your @me.com address from your iCloud account)
    Password: Your iCloud password

  • Block internet access by MAC address all the time

    I want to be able to block MAC addresses from accessing the internet but allow them to use the network.
    I can do this in other router interfaces but the BT Home Hub 2.0 has a VERY un user friendly interface and will not allow advanced internet access or other settings to be modified to suit my needs.
    I am at an intermediate level at understanding network equipment and an expert at residential networking.

    Not sure about the home hub 2, but on the home hub 1 you can use a "user defined" firewall setting to block access to a computer by specifying its IP address.
    Source LAN
    Interface 192.168.1.xxx  (address you wish to block)
    Destination WAN
    Service ANY
    Action Deny
    You can tell the home hub to always use this IP address for the device you are trying to block.
    There is probably a similar setting on the home hub 2.
    By default I block all Internet access for devices, then I have rules to allow HTTP, HTTPS, POP3 and a couple of others.
    I also have UPnP disabled.
    This prevents any computer on the network accessing any non-standard ports.
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • Restrict printing via MAC address

    I am currently using Mac OS 10.2 server and now we are considering upgrading to 10.4 because of better printer servers. We don't currently use the server software for printer servers. We would like to have the ability to restrict printing to the printer via the computer's MAC address. Is this possible via server 10.4?
    Thanks in advance
    Jason
    PowerG4 dual G4 - 400mhz   Mac OS X (10.2.x)   OS 10.2 server

    You could use the firewall to block certain IP addresses from printing.
    You can ensure certain computers receive consistent IP addresses via DHCP using Server Admin > DHCP > Settings > Static Maps which depends on MAC addresses.
    hth,
    b.

  • Is it possible to use the ipad to access a mac mini running mountain lion and back to my mac?

    Is it possible to access a mac running mountain lion using Back to my Mac?

    To my knowledge the iPod can only be used as a secondary monitor since you have to boot up the Mac and turn on the secondary display. You would still need a KB and pointing device for the Mac
    However, you can log into the Mini from an iOS device like an iPad using app like LogMeIn, GoTo MyPC or TeamViewer on both the Mac and the iPad. You use the touch screen on the iPad for all control of the Mac.
    As you said, that would be tedious for a lot of typing but you could use a BT keyboard for the iPad.

  • Transfer address book from M-access to Mac address book

    Hi,
    I have a relatively new MacBook pro 17", and I am new to the whole operating system.
    My old laptop running on Windows XP has all my house addresses for friends and everyone on it stored in Microsoft Access, and I wish to transfer this to the Mac address book.
    Can anyone help me with this?
    I would also like to say that when I have tried opening up the addresses in M-Access I have exported them as a .txt file yet Mac Address book does not recognise this.
    I have already also managed to transfer email addresses from Microsoft Outlook and this worked fine.
    If you know the answer would you mind emailing me to
    [email protected]
    MacBook pro 17" Mac OS X (10.4.8) 2.33ghz 2gb X1600-256vram

    No, from Microsoft Access I can not export a text file,
    for some reason it doesn't have this option
    thanks

  • Restrict vlan for mac address

    Hello sirs, I bought a sf300 48 and made 4 vlans.
    How can I restrict the mac address of device can be connect each vlan? I just want allow the macs for vlan, don't need join the pc to a vlan.
    Thanks so much!

    Sorry for my bad eng, but I will try explain to you.
    I have 5 pcs on one vlan, this vlan is a security vlan for develop. I just want this computer can connect on this vlan. In the switch sf300 the 5 ports of sw is marked for this vlan. I want keep safe this ports for just the 5 mac address can connect on this.
    Understand?
    This is the translate of Google:
    I have a vlan that would have only 5 computers can connect them. Vlan This was made from a 5-point networks directly connected to the switch. I would like to prevent just these 5 computers can connect the network cable that vlan through the mac.
    thanks!!!!

  • [Ask] How to restriction number of mac address per client on WLC !!!!!!

    Dear all,
    First, thank for read my topic, now i have a small trouble with WLC.
    My company have 12 APs & Cisco 5508 WLC, all things work well.
    We already setup a WLAN for user can connect to internet (using local net users account), but they using their mobile phones, notebook to share internet connection with others peoples, we don't want that, we want only that user can use internet, and their mobile phone, notebook can't become a portable wifi hotspot (we see them on Rogue APs)
    I know that we can use MAC address filter, but we must use local net users for some reason,
    Do you have any idea, any solution for this case ?
    Thank you.

    The solution cannot be fixed with Wireless.
    This solution can only be fixed using AD.
    I remembered in a place where I used to work that they can control the aspect of how your computer behaves using AD to the extent you cannot use the USB ports.  You'll need special permission and fill out a 12-page document to get this lifted.
    With AD, you can prevent a laptop for using both Wireless and wired simultaneously.
    You also have to consider using a proxy server so you'll be able to track down users.

  • Using DHCP and assigning to hardware MAC-address

    Hi,
    Is it possible for the DHCP functionality of the Airport Extreme Base to manually assign an IP-address to the MAC-address of a computer on the network?
    This is a feature that I am missing a lot.
    Thanks.

    mbp, Welcome to the discussion area!
    Is it possible for the DHCP functionality of the Airport Extreme Base to manually assign an IP-address to the MAC-address of a computer on the network?
    No, this is not a feature available from an AirPort Extreme base station (AEBS).

  • Access Control MAC address by Radius doesn't work

    Hi,
    How I can try if my Airport TimeCapsule can ping to my windows 2008 server with Radius?
    I sniffed the LAN on Radius server and I only saw the broadcast messages of the airport.
    I have WPA personal with MAC address filter by Radius, but it doesn't work and I can access with any PC without checking the MAC.
    Anyone can help me please?
    Regards!!

    I am not so familiar with setup of wireless with Radius.. The Apple routers are not enterprise class but very much domestic.. so the enterprise level login seems to be problematic.
    Give us a couple of screenshots of the setup and that might help determine the issue.
    There is some info with help on setting it up here.
    Multiple airport Extremes and RADIUS
    Using windows server will of course make life that much harder.

  • Mac Address restriction

    Hi there,
    I have an express acting as an access point to my network for wireless devices, just wondering if anyone knows if it is possible to restrict access via MAC address within the express station? This is a last attempt by me for some security as I can't get encryption to work with all devices. Any help will be good, thanks
    Thanks
    Connor

    You can, however in my opinion it only adds a superficial level of security which can be easily broken.
    Airport Admin Utility -> Configure > Access Control Tab.
    It used to be useful, but MAC address access control is really no longer a real option when it comes to wireless security.
    The problem arises as the MAC addresses are sent unencrypted and therefore can be picked up and read by a determined hacker.
    Not only that, with many ethernet devices you can now very easily change the MAC address to a different one, so making it very easy to spoof the MAC address and fool a wireless base station into believing that you are an authenticated client.
    What security are you trying to configure?
    WEP or WPA?
    iFelix

  • Which MAC Address for Wireless MAC Filter?

    I am setting up a new wireless router for my home network. I want to enable the Network to only accept a small number of devices.
    Which MAC Address should I use, the computer MAC Address or the Airport MAC Address?
    Thanks.
    -Joe

    Welcome to Apple Support Communities.
    The AirPort MAC address is the one to use when limiting wireless access by MAC address.
    Do include the computer MAC address to be certain you can still connect to the router via wired Ethernet cable in case the wireless network becomes unavailable.
    I fully configure my router with a wired Ethernet connection before turning on any wireless access.
    That way, the router is never visible and unsecured until you've completed your configuration.
    And when complete, be sure to save the router config file. My D-Link writes the config to my local hard drive.
    It's a pain to re-enter all those MAC addresses from scratch if you have to reset the router to an unconfigured state. At best, you can simply reload the saved config file.
    At worst, having a screen print of the permitted MAC addresses and device names makes re-entering the info manually much easier than running around the house or office trying to locate the MAC addresses of all the phones, pods, tablets, game systems, and printers!
    From a security standpoint, filtering wireless access by MAC address doesn't absolutely guarantee that a determined hacker with unlimited time and a 'sniffer' can't ever get in, but a casual thief simply looking for free WiFi will keep looking for an easier target.

  • Access Connection - Prefer MAC address problem

    Hey
    My specifications:
    Windows Vista
    Access Connection v5.31
    After updating access connection I'm not able to prefer MAC addresses for my profiles anymore.
    Edit profile> Wireless settings> Advanced configuration (settings)>
    Preferred access point MAC address.-
    This box is grayed out and you're not able to write in the box anymore.
    Am I doing something wrong or is this feature just disabled for this version?
    Also I remember having seen an old version being able to prefer 5 MAC addresses for one profile
    Thank you!
    / jerian

    Welcome to the Apple discussions.
    Is the mac address you're using the one you see when you click on the blue apple, about this mac, more info, network, and scroll down to the mac address? Is it possible there's a mixup between the letter O and zero when entering the mac address?

  • MAC address access control default?

    I'm still using old graphite ABS, and all of them
    are using MAC address access control.
    Just by accident I connected a PB G4 with an
    internal extreme Airport card.
    The MAC address of this AirPort card wasn't in the
    access list of the ABS.
    It looks like ABS does only limit access through
    MAC addresses for 802.11b cards. I'll spend some time
    to double check this behaviour.
    Did anyone already see this default of access
    control?

    I'm pretty well aware of the limitations of any kind of
    MAC address control: in an hostile environment its a
    "straw house" or an "empty extinguisher".
    But in a collaborative and friendly environment I thought
    it may be a useful "frontier marker" between "friendly" and
    clearly "hostile" behaviors.
    This belief was foolish.
