Limiting network access by MAC address


Nikumba
16th February 2005, 21:19
Is there any way to limit access to a network by MAC address?

What I want to do is to only allow computers with a valid MAC address so people can't bring in their own laptops.

Nikumba

Jester
16th February 2005, 21:23
You can do security like that on some switches. The manuals might be the best place to start.

Nikumba
17th February 2005, 00:03
Our switches can't do it, I already checked that. Google isn't much help since it brings up lots about Apples as well, grrr

Nikumba

Chicane
17th February 2005, 01:26
You haven't specified what the network is.

AFAIK it is possible, Google has some info:

http://www.google.co.uk/search?q=limit+access+to+a+network+by+MAC+address+-wireless&hl=en&lr=&safe=off&start=0&sa=N

http://www.google.co.uk/search?hl=en&safe=off&q=active+directory+MAC+address+filtering+-wireless&spell=1

dcoder
17th February 2005, 01:47
It is possible, my old college used to do it. However it is rather simple to spoof a MAC Address.

Zenith
17th February 2005, 08:25
Yes it is easy to spoof a MAC address.
There was a participant at i22 who had network connectivity problems. Once we pinned down the problem, I input a MAC address. Connection worked perfectly. :)

Nikumba
17th February 2005, 09:10
It may be simple but the people I want to stop are not that computer savvy, plus the group policy prevents any system level changes be it software or hardware

Nikumba

KingDaveRa
17th February 2005, 10:14
But not on a machine you don't own...

Imagine a user bringing a random laptop, gets a MAC address from a 'kosher' machine, changes their own to the same and off they go!

Cisco have a system called NAC which (from what I understand) uses a combination of 802.1x, some clever VLANning, a software agent on the PC and a few other bits of stuff.

Thing is, like all Cisco things, it ain't cheap!

Nikumba
17th February 2005, 11:51
I understand what you're saying Dave, however apart from me and the other in the IT department they would not know how to go about it.

Since the domain group policy prevents a user from looking at any of the settings or running anything, they cannot even find out what their MAC address is

Nikumba

KingDaveRa
17th February 2005, 12:12
Well you should be ok then. A half-decent managed switch should be able to block by MAC on its ports. Quite how is another matter!

Matt
17th February 2005, 12:27
So how easy is it to spoof a MAC address?

I check the MAC address on my network, if it's valid I let it through, if not I don't.

I'm guessing it would be difficult to find a valid MAC address to my system right? Or is it a piece of piss?

KingDaveRa
17th February 2005, 14:22
Well you could look in ipconfig and see the current MAC address of an allowed PC, then just change the setting in the driver of the laptop or whatever you want to connect with.

Similar fun games are setting an identical MAC address and breaking the network.

Murray-Mint
9th March 2005, 10:08
Originally posted by KingDaveRa
Well you could look in ipconfig and see the current MAC address of an allowed PC, then just change the setting in the driver of the laptop or whatever you want to connect with.

Similar fun games are setting an identical MAC address and breaking the network.

Had Er00 and Swyft do this at CLUK 7. Oh the network loved that.

Er00
9th March 2005, 13:02
That was his fault :p: well, his Uni's

They run a network limiting MAC addresses, and his computer broke, so he was using mine, so he got them to change the address they had on file, but then his computer came back so he just spoofed mine as it was easier, but then we got to LAN and the network didn't really appreciate it :p:

Mingtea
9th March 2005, 15:12
What are you using to serve DHCP?

You can see where I'm going with this.

KingDaveRa
9th March 2005, 19:16
That only works to the point that you can stop hosts getting an IP via DHCP, but that's about all. There's nothing to stop people plugging in and using static IPs.
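
The weaknesses raised in this thread (an allow-list only checks a claimed address, a cloned address ends up on the network twice, and DHCP restrictions do not stop static IPs) can be audited from data most networks already collect. The Python sketch below is an added example, not part of the original thread; the allow-list, lease table and switch observations are constructed sample data, the function names are hypothetical, and it assumes the observations come from access ports only (no uplinks).

```python
from collections import defaultdict

# Constructed sample data (not from the thread).
ALLOWED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
DHCP_LEASES = {"10.0.0.11": "00:11:22:33:44:01", "10.0.0.12": "00:11:22:33:44:02"}
# (access port, MAC, IP) as read from switch MAC tables joined with ARP data.
OBSERVED = [
    ("sw1/1", "00:11:22:33:44:01", "10.0.0.11"),
    ("sw1/2", "00-11-22-33-44-02", "10.0.0.12"),
    ("sw1/7", "0011.2233.4402", "10.0.0.12"),     # allowed MAC on a second port
    ("sw1/9", "de:ad:be:ef:00:01", "10.0.0.50"),  # unknown MAC, static IP
    ("sw1/3", "00:11:22:33:44:03", "10.0.0.99"),  # allowed MAC, static IP
]

def normalise(mac):
    """Return aa:bb:cc:dd:ee:ff form so differently formatted MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(observed, allowed, leases):
    """Flag unknown MACs, IPs without a matching DHCP lease, and duplicated MACs."""
    allowed = {normalise(m) for m in allowed}
    leases = {ip: normalise(m) for ip, m in leases.items()}
    ports, findings = defaultdict(set), []
    for port, mac, ip in observed:
        mac = normalise(mac)
        ports[mac].add(port)
        if mac not in allowed:
            findings.append(("unknown-mac", mac, port))
        if leases.get(ip) != mac:  # static IP, or an IP leased to another MAC
            findings.append(("no-dhcp-lease", mac, ip))
    for mac, seen in sorted(ports.items()):
        if len(seen) > 1:  # one address on two access ports at once
            findings.append(("duplicate-mac", mac, ",".join(sorted(seen))))
    return findings

if __name__ == "__main__":
    for finding in audit(OBSERVED, ALLOWED_MACS, DHCP_LEASES):
        print(*finding)
```

A cloned address whose legitimate owner is unplugged produces no finding here, which is the gap that port-level authentication such as the 802.1x mentioned earlier in the thread is meant to close.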