Deny and Allow access using MAC Address

Discussion in 'General Hardware' started by dreamworks, Jan 19, 2003.

  1. dreamworks

    dreamworks --== babyface ==--

    Messages:
    355
    :happy:

    Need some help and advice if possible. I have a network which comprises 20 workstations and 1 Server. The 20 workstations are divided to 10 PCs running on Windows 98 SE and 10 Apple Macintosh running on OS 9.x. Server was installed with Windows 2K Server edition.

    All PCs are hooked onto a switch and the Win2K acts as an internet gateway with a proxy service installed. The problem here is that under company rules and regulations, some of the PCs and Macs are not allowed to access the Internet at all. Thus I have set on the server to deny access using IP address of these workstations that are not allowed to use the Internet. Windows 98 SE is fairly simple and has no problem from the users. However the problem comes from the Mac users. They are able to change their designated IP address and thus bypass the rule set on the server and would still be able to surf the Internet without much problem.

    I have figured the best way to disable them is by using software that could allow and deny access to the server using the criteria of MAC address rather than IP address. However, I have yet to come across such software.

    Would be grateful .. very grateful if anyone could give me some idea on where to get such a program or any other advice to stopping these Mac machines from accessing the Internet.

    For additional information, I have locked the TCP/IP configuration on these Mac machines and set a password for it but the users are still able to open it or break it without much hassle. I cannot upgrade the OS 9.x to OS X that provides much better security as these Mac machines are not under the company's fixed asset but rather loan units from our associates. ;)

    Thank you ... :happy:
     
  2. Zedric

    Zedric NTFS Guru Folding Team

    Messages:
    4,006
    Location:
    Sweden
    Welcome to the boards!
    How is this? A password is a password and it shouldn't be possible to get past it. Maybe a too simple password? Or is it a flaw in MacOS 9.x?
     
  3. dreamworks

    dreamworks --== babyface ==--

    Messages:
    355
    I made sure the password is alphanumeric. I even had it changed after I knew that these Mac users are able to change their TCP/IP configuration and assign their own IP address to bypass the security settings on the Win2k Server. However, the problem remains the same and it's becoming a laughing matter. :happy:

    It could be a flaw in Mac OS 9.x, as I do know that security on OS 9.x is not really tight. Is there anyone who knows what other criteria I can use to deny and allow access? ;)
     
  4. RobAnt

    RobAnt Guest

    Install a second NIC in your server.

    Install a second hub/switch. Connect all the Macs & the server to this.

    Set a completely different range of IP numbers for the Macs. Deny this range access to the Internet.

    The server can then be configured to act as a bridge between the two networks (if the Macs and Windows PCs need to talk to each other).

    Quite how you do this would depend on your network operating system & its DHCP server.

    Of course, if a Mac and a PC are close to one another, there is a way round it, but the PC would become unusable and keeping shtum about what you've done should fox 'em.

    An altogether better/cheaper way is to ask your Boss to make it a sackable offence for anyone to interfere with the network configuration of a PC or Mac. And enforce it - contrary to popular belief, no one is indispensable.
     
  5. dreamworks

    dreamworks --== babyface ==--

    Messages:
    355
    Thanks .. I'd understand what your suggestion is like .. but unfortunately the setup of the network currently spans from 1 server to becoming 2 servers. Both are Win2K machines, 1 being the original Internet gateway providing proxy services while the second being the Mail server providing mail services.

    The office policy remains that there shall not be Internet connection for these machines, thus restricting them from accessing the Internet but however, office e-mails are allowed to be accessed.

    Do you think the setup could still work? Indeed I would love to do that but corporations don't usually do that I guess .. firing people :blink:
     
  6. RobAnt

    RobAnt Guest

    Yes that should still work. Don't see why not.

    I'm not a Win2k guy, and I don't know whether your DHCP server is file server or router based - but there is no reason why you shouldn't be able to configure the network accordingly, it's a matter of finding out the specifics based on your current network hardware and configuration.

    Oh yes they do! It is (or should be) written into company policy documents. It's a matter of security, inappropriate use of company equipment, and is generally considered a very serious matter indeed. That doesn't absolve you of your responsibility to make your network secure, however - and I think you would benefit by doing some network management training.

    Of course, I am, at the moment available :D
     
  7. dreamworks

    dreamworks --== babyface ==--

    Messages:
    355
    Thanks for the info pal !! ;)
     
  8. dreamworks

    dreamworks --== babyface ==--

    Messages:
    355
    So erm .. does anyone still know of any software that could allow and deny access using MAC address as the criteria instead of IP address please?

    Any help would be most appreciated !! :(
     
  9. RobAnt

    RobAnt Guest

    No - I don't think it can be done that way, so I think you'll be waiting a long time for the answer that you want!

    But I'd love to hear of such a product if it does exist!
     
  10. oDin

    oDin xp m0nk3y

    Messages:
    368
    Location:
    vancouver, bc
    i am pretty sure that you can filter out certain MAC addresses with win2k. you might need to install RRAS to do it though.

    another way to do it would be to create a second subnet for the Macs. create a pool with just enough addresses for the macs. set the refresh interval to like 1 or 2 hours or even half an hour. when they complain about slow network performance tell them you will fix it if they stop messing with their machines.

    did they have to sign a network use agreement when they were hired??? there is usually a clause in it about this sort of thing.
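
The problem this thread keeps returning to, restricted machines picking a new IP address to get around an IP-based deny rule, can at least be detected on the gateway by comparing observed IP/MAC pairs with an inventory. The Python below is an added example, not part of any poster's reply; the inventory, the addresses and the sample `arp -a` output are constructed, and the function names are hypothetical.

```python
import re

# Constructed inventory (assumption): MAC -> (assigned IP, Internet allowed?)
INVENTORY = {
    "00-05-02-1a-2b-3c": ("192.168.0.11", False),  # Mac, no Internet
    "00-05-02-4d-5e-6f": ("192.168.0.12", False),  # Mac, no Internet
    "00-50-56-aa-bb-01": ("192.168.0.21", True),   # PC, Internet allowed
}

# Constructed sample of Windows `arp -a` output captured on the gateway.
ARP_SAMPLE = """\
Interface: 192.168.0.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.11          00-05-02-1a-2b-3c     dynamic
  192.168.0.57          00-05-02-4d-5e-6f     dynamic
  192.168.0.21          00-50-56-aa-bb-01     dynamic
  192.168.0.99          00-0a-95-11-22-33     dynamic
"""

# One ARP table row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+",
    re.I | re.M,
)

def parse_arp(text):
    """Return [(ip, mac)] from `arp -a` text, with MACs lower-cased."""
    return [(ip, mac.lower()) for ip, mac in ROW.findall(text)]

def audit(arp_text, inventory):
    """Compare observed IP/MAC pairs with the inventory and the IP deny list."""
    denied_ips = {ip for ip, allowed in inventory.values() if not allowed}
    findings = []
    for ip, mac in parse_arp(arp_text):
        if mac not in inventory:
            findings.append((mac, ip, "unknown-device"))
            continue
        assigned_ip, allowed = inventory[mac]
        if ip != assigned_ip:
            # A restricted host on an IP outside the deny list escapes the rule.
            safe = allowed or ip in denied_ips
            findings.append((mac, ip, "ip-changed" if safe else "ip-changed-bypasses-deny"))
    return findings

if __name__ == "__main__":
    for mac, ip, kind in audit(ARP_SAMPLE, INVENTORY):
        print(f"{kind:26} {mac} seen at {ip}")
```

The ARP table only lists hosts that have recently talked to the gateway, so a check like this needs to run on a schedule to catch a machine while it is active.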