Unfortunately MAC blocking adds very little value in most environments.
By their nature, MAC addresses are only visible on a local subnet, and thus in order to do anything based on MAC address you would need all clients and the WSA itself to be physically located on the same network segment, which is going to be a very unusual setup in everything but the smallest networks.
If you want to do any level of control by MAC address the best way is to use a DHCP server to do static MAC-IP address mappings, and then block the users on the IronPort using the IP address.
In some unusual cases, like a client that doesn't have a static configuration environment... they've got a DHCP network type of setup, and yes, it's very odd on this kind of client.
This is, I guess, a rare case where a client doesn't have an AD... where WSA can be configured to do LDAP authentication or SSO.
The reason why I posted this topic is to address some clients if they do need MAC blocking.
I recommended to the client to have an AD for the LDAP authentication, or to create a pool for users with internet access and one for users without, so the WSA can determine access via the IP ranges from the DHCP pool that was created.
But are all of the clients on the same physical network (i.e., same single IP range) as the WSA? If they aren't, and they go through a router to get to the IronPort, then the IronPort will only see the MAC address of the router - not the client.
The concept of MAC addresses (for any purpose) only makes sense for systems on the same network segment (i.e., same "collision domain") - beyond that MAC addresses are not used.
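The two points made in this thread, that the WSA only sees a client's own MAC when both sit on the same segment, and that the workable substitute is a static DHCP MAC-to-IP reservation plus an IP-based WSA policy, can be checked and scripted. The following is an added example, not code from the thread or from Cisco: it uses constructed addresses and MACs, assumes ISC dhcpd `host` stanza syntax for the reservations, and only derives the list of IPs to put into the WSA's "no internet" identity (the WSA policy itself is still configured in its own interface).

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample topology (not from the thread): a /24 user LAN, with the
# WSA on a separate subnet so traffic crosses a router to reach it.
WSA_IP = "10.20.0.10"
GATEWAY_MAC = "00:00:5e:00:01:01"          # constructed: router interface facing the WSA
USER_LAN = "192.168.10.0/24"
MAC_TO_IP = {                              # constructed static MAC -> IP reservations
    "00:11:22:33:44:55": "192.168.10.50",
    "00:11:22:33:44:66": "192.168.10.51",
    "00-11-22-33-44-77": "192.168.10.52",  # dash form, normalised below
}
NO_INTERNET_MACS = ["00:11:22:33:44:66", "00-11-22-33-44-77"]

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise_mac(mac: str) -> str:
    """Return the lower-case, colon-separated form; reject anything that is not a MAC."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def same_l2_segment(client_ip: str, wsa_ip: str, subnet: str) -> bool:
    """True when client and WSA share the subnet, i.e. there is no router between them."""
    net = ipaddress.ip_network(subnet, strict=False)
    return ipaddress.ip_address(client_ip) in net and ipaddress.ip_address(wsa_ip) in net


def mac_seen_by_wsa(client_ip: str, client_mac: str, wsa_ip: str,
                    subnet: str, gateway_mac: str) -> str:
    """Source MAC on the frame the WSA actually receives.

    Ethernet headers are rewritten at every hop, so only an on-segment client
    shows its own MAC; otherwise the WSA sees the last-hop router's MAC.
    """
    if same_l2_segment(client_ip, wsa_ip, subnet):
        return normalise_mac(client_mac)
    return normalise_mac(gateway_mac)


def dhcpd_reservations(mapping: Dict[str, str]) -> str:
    """Render ISC dhcpd 'host' stanzas pinning each MAC to a fixed address."""
    pairs = sorted((normalise_mac(m), ip) for m, ip in mapping.items())
    stanzas = []
    for i, (mac, ip) in enumerate(pairs):
        ipaddress.ip_address(ip)  # raises on a malformed address
        stanzas.append(
            f"host client{i} {{\n"
            f"    hardware ethernet {mac};\n"
            f"    fixed-address {ip};\n"
            f"}}"
        )
    return "\n".join(stanzas)


def blocked_ips(mapping: Dict[str, str], blocked_macs: Iterable[str]) -> List[str]:
    """IPs to place in the WSA's 'no internet' identity, derived from the MACs.

    A MAC without a reservation is an error rather than a silent skip: such a
    host would pick up a dynamic lease and fall through to the default policy.
    """
    by_mac = {normalise_mac(m): ip for m, ip in mapping.items()}
    out = []
    for mac in blocked_macs:
        mac = normalise_mac(mac)
        if mac not in by_mac:
            raise KeyError(f"{mac} has no static reservation")
        out.append(by_mac[mac])
    return sorted(out)


if __name__ == "__main__":
    client = "192.168.10.50"
    print("same segment as WSA:", same_l2_segment(client, WSA_IP, USER_LAN))
    print("MAC the WSA sees:", mac_seen_by_wsa(client, "00:11:22:33:44:55",
                                                WSA_IP, USER_LAN, GATEWAY_MAC))
    print(dhcpd_reservations(MAC_TO_IP))
    print("IPs for the no-internet identity:", blocked_ips(MAC_TO_IP, NO_INTERNET_MACS))
```

Run against the constructed topology, the WSA on 10.20.0.10 reports the router's MAC for every user on 192.168.10.0/24, which is exactly why a MAC-based rule on the WSA would match nothing useful there; the reservation stanzas and the derived IP list are what actually make "block these machines" enforceable.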