User + Mac Address Authorization Policy

christoulakis
Level 1
Hi,

Is there any option to bind a user who is authorized correctly from an external identity source with the MAC address of his workstation?

The point is to give him access to the network only from a specific workstation and deny him from any other workstation.

Thanks

6 Replies

nspasov
Cisco Employee
Couple of questions:

1. What type of RADIUS server are you using?

2. When do you want the "binding" to happen? During the authorization process or do you want to manually specify the mac address for every single user?

3. What type of authentication are you using? PEAP, EAP-TLS, etc?

Thank you for rating helpful posts!

1. ISE 1.2 has the role of RADIUS server.

2. Really, I don't know. I guess the binding should happen before the login, as I don't want the user to log in from any other PC.

   The key point in this scenario is for a user to log in to the corporate wired network only from his PC (User+MAC) and be denied from any other PC.

If you want, describe both ways to me so I can understand which might fit my case.

3. The PC has the native Windows supplicant and is authenticated through PEAP MS-CHAPv2.

Thanks in advance
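A worked model of the User+MAC binding described above, written as an added example for this thread (it is not code from the thread or from Cisco ISE): the user credential is verified first, and the authorization step then permits the session only if the endpoint MAC in the access request matches the workstation bound to that account. The binding table, account names and MAC addresses are constructed; `User-Name` and `Calling-Station-Id` are the standard RADIUS attributes that carry the username and the endpoint MAC.

```python
import re

# Constructed sample binding table (hypothetical values, not from the thread):
# AD account -> set of workstation MACs that account may log in from.
USER_TO_MAC = {
    "CORP\\alice": {"00:11:22:33:44:55"},
    "CORP\\bob": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"},
}


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC address to lower-case colon form.

    Calling-Station-Id arrives in whatever form the switch sends it
    (00-11-22-33-44-55, 0011.2233.4455, 001122334455, ...); compare only
    after normalising, or bindings silently fail to match.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def authorize(attrs: dict, user_auth_ok: bool) -> tuple:
    """Evaluate the User+MAC binding as an authorization rule.

    attrs        - RADIUS attributes from the access request
    user_auth_ok - result of the PEAP MS-CHAPv2 user authentication against AD
    Returns (decision, reason). The MAC binding is an authorization condition
    layered on top of a good credential, never a substitute for it.
    """
    if not user_auth_ok:
        return "REJECT", "user credential failed"
    user = attrs.get("User-Name", "")
    allowed = USER_TO_MAC.get(user)
    if allowed is None:
        return "REJECT", f"no workstation binding for {user}"
    try:
        mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    except ValueError as exc:
        return "REJECT", str(exc)
    if mac not in allowed:
        # The case the original poster wants denied: a valid user logging
        # in from a workstation other than the one bound to him.
        return "REJECT", f"{user} not bound to {mac}"
    # As the replies note, the MAC is self-reported by the endpoint, so this
    # binds the credential to a claimed address, not to the hardware itself.
    return "PERMIT", f"{user} on bound workstation {mac}"
```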

Is the user authentication referencing AD?

Hello,

Yes!!! I will agree that MAC addresses are easy to spoof, but I'm trying to find my options in this scenario.

The group will consist of 2 users who will be part of my domain (probably for these specific users I should deploy MAR?).

But another one who will work with the team will be external support, and he will be coming with his laptop.

Thanks

MAR is also not ideal, as it comes with tons of limitations :) In addition, it also uses the MAC address of the machine as the username, which is sent in plain text :) So I would not recommend MAR.

Why don't you try PEAP machine-based authentication? This will allow only domain-joined (corporate-owned) computers to authenticate. If the computer is not part of the domain, authentication will fail.

Thank you for rating helpful posts! 

I have never been a fan of trying to lock down things via MAC addresses, since MAC addresses can be easily spoofed.

If you are already using PEAP and your machines are part of AD, then an easier and more secure solution would be to use "Machine (PEAP)" based authentication. That way ISE will consult AD and confirm that the authenticating machine is both joined to the domain and enabled.

Thank you for rating helpful posts!