create MAC address database and disallow nonauth'd MACS with cisco switches

Discussion in 'Cisco' started by Mike Cohen, Jul 7, 2004.

  1. Mike Cohen (Guest)

    Hello,

    we are trying to implement a system where any non-authorized MAC
    address that plugs into our network, either wired or wireless, is denied
    access until the MAC is properly entered into the database.

    We have seen this at some universities, where students' computers
    cannot navigate the LAN until they register their MAC address either
    electronically, or by calling IT.

    We have Cisco switches 2950, 3550, 4006, Aironet 1200s and Cisco ACS
    3.2

    Can someone point me in the right direction?

    thanks.

    M.C.
    Mike Cohen, Jul 7, 2004
    #1

  2. Peter Payne (Guest)

    Port security can be implemented on Cisco 3550s and 2950s. The details
    are easily found on Cisco's website.. try this URL:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84c2.html

    Configuring should be straightforward:
    conf t
    interface <n>
     ! port security needs a port in access (or trunk) mode, not dynamic
     switchport mode access
     switchport port-security
     switchport port-security maximum 1
     ! etc etc (violation mode, the specific allowed mac-address, ...)

    RTFM.. with the search function on the Cisco website you
    really should be doing some basic research first..

    Mike Cohen <> wrote:
    > Hello,
    >
    > we are trying to implement a system where any non-authorized MAC
    > address that plugs into our
    > network either wired or wireless is denied access until the MAC is
    > properly entered into the database.
    >
    > We have seen this at some universities, where students' computers
    > cannot navigate the LAN until they register their MAC address either
    > electronically, or by calling IT.
    >
    > We have Cisco switches 2950, 3550, 4006, Aironet 1200s and Cisco ACS
    > 3.2
    >
    > Can someone point me in the right direction?
    >
    > thanks.
    >
    > M.C.
    Peter Payne, Jul 7, 2004
    #2

  3. Peter Payne (Guest)

    Or even better (and this may be more what you were looking for..) MAC
    access lists on the switches (maybe on egress to the campus router).

    This would be simpler than port security as you could still plug in
    whatever you wanted to the network, just that you wouldn't be able
    to reach the default gateway (router) as the MAC ACL (access control
    list) would prevent packets from leaving the layer 2 domain into
    the layer 3 domain..

    http://www.cisco.com/en/US/products/hw/switches/ps628/products_command_reference_book09186a00800f6cea.html

    e.g. suppose you want to permit PCs with MAC addresses 0xABCDEFABCDEF and
    0x1234ABCD1234 then you might do the following:
    Switch(config)# mac access-list extended <name>
    Switch(config-ext-macl)# permit host abcd.efab.cdef any
    Switch(config-ext-macl)# permit host 1234.abcd.1234 any
    Switch(config-if)# mac access-group <name> in
    and then apply that list to the ingress of a trunk, or egress to a
    gateway router.

    Just food for thought.

    Peter Payne <> wrote:
    > Port security can be implemented on Cisco 3550s and 2950s. The details
    > are easily found on Cisco's website.. try this URL:
    > http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84c2.html
    >
    > Configuring should be straightforward:
    > conf t
    > int <n>
    > switchport port-security
    > switchport port-security maximum 1
    > etc etc
    >
    > RTFM.. with the search function on the Cisco website you
    > really should be doing some basic research first..
    >
    > Mike Cohen <> wrote:
    >> Hello,
    >>
    >> we are trying to implement a system where any non-authorized MAC
    >> address that plugs into our
    >> network either wired or wireless is denied access until the MAC is
    >> properly entered into the database.
    >>
    >> We have seen this at some universities, where students' computers
    >> cannot navigate the LAN until they register their MAC address either
    >> electronically, or by calling IT.
    >>
    >> We have Cisco switches 2950, 3550, 4006, Aironet 1200s and Cisco ACS
    >> 3.2
    >>
    >> Can someone point me in the right direction?
    >>
    >> thanks.
    >>
    >> M.C.
    Peter Payne, Jul 7, 2004
    #3
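    As an added example (not from the thread or any of its posters), a small Python script that takes a MAC registry recorded in mixed notations (the 0x... form used above, colon- or dash-separated) and emits both the extended MAC ACL from this reply and the per-port port-security lines from the previous one. The registry entries, ACL name, owner names and port names are made up.

```python
import re

# Registry of authorised hosts as people actually write MACs down (constructed).
REGISTERED = {
    "0xABCDEFABCDEF": "lab-pc-01",
    "12:34:ab:cd:12:34": "lab-pc-02",
    "00-1A-2B-3C-4D-5E": "printer-3f",
}

def to_cisco(mac: str) -> str:
    """Normalise 0x..., colon-, dash- or dot-separated forms to abcd.efab.cdef."""
    raw = mac[2:] if mac.lower().startswith("0x") else mac
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)   # drop separators
    if len(hexdigits) != 12:                        # exactly 48 bits or refuse
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    h = hexdigits.lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def mac_acl(name: str, registry: dict) -> list:
    """Extended MAC ACL permitting only registered hosts.
    Anything not listed is dropped by the implicit deny at the end."""
    lines = [f"mac access-list extended {name}"]
    for mac in sorted(registry, key=to_cisco):
        lines.append(f" permit host {to_cisco(mac)} any")
    return lines

def port_security(port: str, mac: str, owner: str) -> list:
    """One access port locked to one registered MAC; violations shut the port."""
    return [
        f"interface {port}",
        f" description {owner}",
        " switchport mode access",                 # required before port-security
        " switchport port-security",
        " switchport port-security maximum 1",
        f" switchport port-security mac-address {to_cisco(mac)}",
        " switchport port-security violation shutdown",
    ]

if __name__ == "__main__":
    print("\n".join(mac_acl("AUTH-HOSTS", REGISTERED)))
    print("\n".join(port_security("FastEthernet0/1", "0xABCDEFABCDEF", "lab-pc-01")))
```

The generated text is meant to be pasted into configuration mode; the registry itself would normally come from the database the original question asks about rather than a dict in the script.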
  4. Pat Donlon (Guest)

    (Mike Cohen) wrote in message news:<>...
    > Hello,
    >
    > we are trying to implement a system where any non-authorized MAC
    > address that plugs into our
    > network either wired or wireless is denied access until the MAC is
    > properly entered into the database.
    >
    > We have seen this at some universities, where students' computers
    > cannot navigate the LAN until they register their MAC address either
    > electronically, or by calling IT.
    >
    > We have Cisco switches 2950, 3550, 4006, Aironet 1200s and Cisco ACS
    > 3.2
    >
    > Can someone point me in the right direction?
    >
    > thanks.
    >
    > M.C.


    Cisco have the URT tool which dynamically allocates the VLAN based on
    the MAC address. It works well enough as long as you're not using IP
    telephony.

    Cheers
    Pat
    Pat Donlon, Jul 7, 2004
    #4
  5. James (Guest)

    Re: create MAC address database and disallow nonauth'd MACS with cisco switches

    Mike Cohen wrote:
    > Hello,
    >
    > we are trying to implement a system where any non-authorized MAC
    > address that plugs into our
    > network either wired or wireless is denied access until the MAC is
    > properly entered into the database.
    >
    > We have seen this at some universities, where students' computers
    > cannot navigate the LAN until they register their MAC address either
    > electronically, or by calling IT.
    >
    > We have Cisco switches 2950, 3550, 4006, Aironet 1200s and Cisco ACS
    > 3.2
    >
    > Can someone point me in the right direction?
    >
    > thanks.
    >
    > M.C.


    Hello Mike,

    Although this is a good idea and a place to start, do not put too much
    faith in this sort of folly for real security. It's quite easy to
    purchase devices running embedded Linux that have PROGRAMMABLE MAC
    addresses....

    Also, older Sun Unix systems allow one to set the MAC address, along
    with many other systems.

    MAC addressing does cover many devices, but a savvy hacker will laugh
    at this approach if it is intended to thwart compromises in security
    by serious interlopers...

    James
    James, Jul 9, 2004
    #5
  6. Joop van der Velden (Guest)

    James wrote:
    > Mike Cohen wrote:


    > > we are trying to implement a system where any non-authorized MAC
    > > address that plugs into our
    > > network either wired or wireless is denied access until the MAC is
    > > properly entered into the database.
    > >
    > > We have seen this at some universities, where students' computers
    > > cannot navigate the LAN until they register their MAC address either
    > > electronically, or by calling IT.
    > >
    > > We have Cisco switches 2950, 3550, 4006, Aironet 1200s and Cisco ACS
    > > 3.2


    > Although this is a good idea and a place to start, do not put too much
    > faith in this sort of folly for real security. It's quite easy to
    > purchase devices running embedded Linux that have PROGRAMMABLE MAC
    > addresses....
    >
    > Also, older Sun Unix systems allow one to set the MAC address, along
    > with many other systems.
    >
    > MAC addressing does cover many devices, but a savvy hacker will laugh
    > at this approach if it is intended to thwart compromises in security
    > by serious interlopers...


    You don't need to be a hacker - in Win2k/XP/NT the MAC address the
    network adapter uses can be modified by a network adapter property or
    - if that is not available - a simple registry entry.

    --
    Joop van der Velden
    Joop van der Velden, Jul 9, 2004
    #6
  7. Guest (unnamed poster)

    On Fri, 09 Jul 2004 20:44:13 +0200, Joop van der Velden
    <> wrote:

    >James wrote:
    >> Mike Cohen wrote:

    >
    >> > we are trying to implement a system where any non-authorized MAC
    >> > address that plugs into our
    >> > network either wired or wireless is denied access until the MAC is
    >> > properly entered into the database.
    >> >
    >> > We have seen this at some universities, where students' computers
    >> > cannot navigate the LAN until they register their MAC address either
    >> > electronically, or by calling IT.
    >> >
    >> > We have Cisco switches 2950, 3550, 4006, Aironet 1200s and Cisco ACS
    >> > 3.2

    >
    >> Although this is a good idea and a place to start, do not put too much
    >> faith in this sort of folly for real security. It's quite easy to
    >> purchase devices running embedded Linux that have PROGRAMMABLE MAC
    >> addresses....
    >>
    >> Also, older Sun Unix systems allow one to set the MAC address, along
    >> with many other systems.
    >>
    >> MAC addressing does cover many devices, but a savvy hacker will laugh
    >> at this approach if it is intended to thwart compromises in security
    >> by serious interlopers...

    >
    >You don't need to be a hacker - in Win2k/XP/NT the MAC address the
    >network adapter uses can be modified by a network adapter property or
    >- if that is not available - a simple registry entry.



    True, but if you need to change it to a valid address, there's a good
    chance you'll cause a conflict with the real user of that MAC.
    Guest, Jul 10, 2004
    #7
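    Added example, not from the thread or its posters: a Python audit that compares successive "show mac address-table" snapshots against the registry. A single snapshot records one port per MAC per VLAN, so a spoofed address colliding with its real owner, the conflict the reply above describes, shows up as a registered MAC moving between ports from one poll to the next, while an unregistered MAC shows up as one the registry has never seen. The snapshots are constructed to mimic IOS output; MACs and port names are invented.

```python
import re
from collections import defaultdict

# Registry of authorised MACs in Cisco dotted form (constructed).
REGISTERED = {"abcd.efab.cdef", "1234.abcd.1234"}

# Two polls of the same switch a few minutes apart (constructed sample output).
SNAPSHOTS = [
    """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    abcd.efab.cdef    DYNAMIC     Fa0/1
  10    1234.abcd.1234    DYNAMIC     Fa0/2
""",
    """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    abcd.efab.cdef    DYNAMIC     Fa0/1
  10    1234.abcd.1234    DYNAMIC     Fa0/7
  10    0050.5601.0a0b    DYNAMIC     Fa0/9
""",
]

# vlan, dotted MAC, type, port; header and separator lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$")

def parse_mac_table(text: str) -> dict:
    """Map each learned MAC to the port it is on in this one snapshot."""
    return {m.group(2): m.group(3) for m in map(ROW.match, text.splitlines()) if m}

def audit(snapshots: list, registry: set) -> dict:
    """Flag MACs absent from the registry and registered MACs that changed port."""
    ports_seen = defaultdict(set)
    for snap in snapshots:
        for mac, port in parse_mac_table(snap).items():
            ports_seen[mac].add(port)
    return {
        "unregistered": sorted(m for m in ports_seen if m not in registry),
        "moved": {m: sorted(p) for m, p in ports_seen.items()
                  if m in registry and len(p) > 1},
    }

if __name__ == "__main__":
    print(audit(SNAPSHOTS, REGISTERED))
```

A registered MAC that moves ports is a lead, not proof: a laptop carried between two docks produces the same pattern, so the hit is something to correlate with the port-security log rather than act on blindly.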
  8. John Simonetti

    Re: create MAC address database and disallow nonauth'd MACS with cisco switches

    James wrote:

    > Mike Cohen wrote:
    >
    >> Hello,
    >> we are trying to implement a system where any non-authorized MAC
    >> address that plugs into our
    >> network either wired or wireless is denied access until the MAC is
    >> properly entered into the database.
    >>
    >> We have seen this at some universities, where students' computers
    >> cannot navigate the LAN until they register their MAC address either
    >> electronically, or by calling IT.
    >>
    >> We have Cisco switches 2950, 3550, 4006, Aironet 1200s and Cisco ACS
    >> 3.2
    >>
    >> Can someone point me in the right direction?
    >>
    >> thanks.
    >>
    >> M.C.

    >
    >
    > Hello Mike,
    >
    > Although this is a good idea and a place to start, do not put too much
    > faith in this sort of folly for real security. It's quite easy to
    > purchase devices running embedded Linux that have PROGRAMMABLE MAC
    > addresses....
    >
    > Also, older Sun Unix systems allow one to set the MAC address, along
    > with many other systems.
    >
    > MAC addressing does cover many devices, but a savvy hacker will laugh
    > at this approach if it is intended to thwart compromises in security by
    > serious interlopers...
    >
    > James
    >
    >

    On Cisco switches you can enable MAC security, which is what you are
    trying to do. You can also do the same with wireless. Have you tried any
    commands yet?
    John Simonetti, Jul 10, 2004
    #8
