New Member

MAC address Filter list in NAC

Hi Faisal, how are you? I have a question about the filter list in the NAC appliance. I want only the MAC addresses recognized by the NAC appliance to be the ones allowed onto the network; if a workstation's MAC address is not in the filter list, it should not be able to get onto the network. Does NAC have the capability to do this? Please let me know. Thanks.

Richard

5 REPLIES
New Member

Re: MAC address Filter list in NAC

I'm not Faisal, but....

Do you want to do additional authentication (like LDAP or such) or just based on the MAC address?  If you want to do just via the MAC, you can add them to the filter list and then either set them to "allow" to just allow the traffic, "role" to put them in a specific role, or "check" to apply posture assessment and then put them in the role.  If no other authentication servers are configured, users who weren't in the filter list would not be able to authenticate, and they would be stuck in the unauthenticated VLAN.

Thanks,

Lauren

Cisco Employee

Re: MAC address Filter list in NAC

Hi Richard,

As long as your client is Layer 2 adjacent to the CAS, and in in-band mode, then you can put in a MAC address filter of type DENY for a MAC address and that will cause the CAS to block traffic from that client.

If in an out-of-band mode, when the CAM gets a mac-notification trap for a mac address that it has a DENY filter for then it will move the port to the authentication vlan, so it should never move the client to the access vlan, and thus not allow traffic from it to the network.

On the other hand if you make the type ALLOW then it will do the opposite - allow traffic from them in in-band mode, and move their port to the trusted access vlan in out-of-band mode.


If your client is a Layer 3 hop away from the CAS it is possible but a little trickier, since the CAS doesn't know the client's MAC address right away. You can see all possibilities when going to create a new filter on the CAM - it has a table on the bottom with the different combinations.

Thanks,

Nate

New Member

Re: MAC address Filter list in NAC and Active X Control

Does it work in CAM Lite manager?

Another issue is that authentication always fails because the ActiveX control cannot be installed for a domain user. It will only allow it if I log on with admin rights. I allowed the security setting in Internet Options to "run ActiveX controls and plug-ins" and the other settings that belong to ActiveX controls. I did the allowing of the ActiveX controls through the GPO. We are using Windows 2003 and our clients are Windows XP. Please see attachment.

Please help. Thanks.

Richard

Cisco Employee

Re: MAC address Filter list in NAC and Active X Control

Hi Richard,

Yes, everything should be the same on a Standard, Super, or Lite Manager. The only difference is the number of CASs that each can manage.

As for Active-X controls, as far as I know (at least with Windows XP) the users have to be local admins to run Active-X. I found the link below on Microsoft Technet that states that in Vista and later you can enable per-user non-admin Active-X capabilities:

http://msdn.microsoft.com/en-us/library/dd433049%28VS.85%29.aspx

On XP you might need to use the Java version of the Launcher by changing the settings on your User page.

Thanks,

Nate

New Member

Re: MAC address Filter list in NAC and Active X Control

Thanks. It works with the Java applet. I just made a script to install it on the client workstation through a standard user account. Now the Java is pushing to the client.

In regards to the MAC address filtering in NAC, it works. The login is bypassed but posture assessment is applied and the web agent runs. But is there a way to make the client not get authenticated if their MAC address is not in the filter list? Because what happens is when the client MAC address is not in the filter list they can still go to the authentication login. What I want is that they cannot do it unless they have submitted their MAC address. Is that possible, or do I need another device to filter the MAC addresses?

Regards,

Richard Alicaway
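Richard's last question (keeping hosts whose MAC is not in the filter list off the network) and Nate's description of how DENY and ALLOW entries map to the authentication and access VLANs suggest a simple operational check: compare the MACs actually seen on access-VLAN switch ports against the filter list. The Python below is an added example, not Cisco's code or anything posted in the thread; the CSV export layout, the VLAN numbers and the MAC-table lines are constructed assumptions.

```python
import csv
import io
import re
# Constructed filter-list export (hypothetical CSV layout, not the CAM's real format).
FILTER_CSV = """mac,type
00:1A:2B:3C:4D:5E,ALLOW
00:1a:2b:3c:4d:5f,CHECK
0011.2233.4455,DENY
"""
# Constructed 'show mac address-table' style lines: vlan, mac, type, port.
MAC_TABLE = """\
 100    001a.2b3c.4d5e    DYNAMIC     Gi1/0/1
 100    001a.2b3c.4d60    DYNAMIC     Gi1/0/2
 100    0011.2233.4455    DYNAMIC     Gi1/0/3
 900    001a.2b3c.4d5f    DYNAMIC     Gi1/0/4
"""
ACCESS_VLANS = {100}  # assumption: VLAN 100 is the trusted access VLAN, 900 the auth VLAN

def normalize_mac(raw):
    """Canonicalise colon, hyphen or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def load_filters(text):
    """Map normalised MAC -> filter type (ALLOW, DENY, ROLE, CHECK)."""
    return {normalize_mac(r["mac"]): r["type"].strip().upper()
            for r in csv.DictReader(io.StringIO(text))}

def parse_mac_table(text):
    """Yield (vlan, mac, port) from switch MAC-table lines; header lines are skipped."""
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)", line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(3)

def audit(filter_text, table_text, access_vlans=ACCESS_VLANS):
    """Flag access-VLAN clients with no filter entry, or with a DENY entry (a misconfiguration)."""
    filters = load_filters(filter_text)
    findings = {"unlisted": [], "denied_on_access": []}
    for vlan, mac, port in parse_mac_table(table_text):
        if vlan not in access_vlans:
            continue  # hosts still parked in the authentication VLAN are expected
        ftype = filters.get(mac)
        if ftype is None:
            findings["unlisted"].append((mac, port))
        elif ftype == "DENY":
            findings["denied_on_access"].append((mac, port))
    return findings
```

Run periodically against a real MAC-table export, the `unlisted` list is exactly the population Richard wants to keep out, and a non-empty `denied_on_access` list means a DENY filter is not producing the port move Nate describes.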
