We help IT Professionals succeed at work.

Mac Address filtering and internet use control, Do I need some kind of proxy server?

Medium Priority
Last Modified: 2013-11-13
One of our offices is due to have an IT overhaul and we are considering giving visitors a certain amount of access to be able to use the internet through our network and we also plan to have wireless access points in the building.

We would like to have a system where these visitors could connect to the network (probably wirelessly) but would be required to enter a password through a web based system or have their MAC address registered before they can use the internet.  We figure that trying to get them to set the WEP key for our network would be asking too much of them so would like to secure it another way.  We would like also to be able to register the MAC addresses of our company machines so that users of these machines can use the internet without having to enter a password every time.

Any advice as to what software or hardware can be used will be great.
Watch Question

We do something similar using 802.1x authentication.

All domain machines have a Microsoft domain machine certificate.
All the switches are configured for 802.1x authentication using Microsoft IAS
The switches put our machines in our VLAN and guest machines (no certificate) in a guest VLAN.

Much easier than registering a ton of MAC addresses.

more detail

You have to separate your wireless network which is open to visitors from your internal network anyway, so you'll need a proper firewall. Any firewall that has 3 or more network interfaces will be able to give your company network access, while forcing the wireless network through a proxy server (by disallowing outside access except for the proxy server).

If you place the proxy server in a DMZ (which I believe is best practice anyway) then your internal network can profit from it as well.

Maybe have a look at SmoothWall Firewall/Guardian? http://www.smoothwall.net


It is only for a reasonably small office of 12 - 15 full time network users. They are due to go over to a citrix solution now but we still want to give mobile users wireless access to the internet.

Using the firewall to force wireless through the proxy seems to be a reasonable idea but how do we stop random people in neighbouring offices from using our internet connection (and bandwidth which is needed for our citrix users) and still allow visitors to the company to use it.  They frequently have meetings and presentations at this office.  We don’t want to have to give them a wep key to use as most of them won’t be able to figure out where to insert it.

Can you get proxy server software can recognise our network devices and allow them access but then for unrecognised users display a password box before it will allow any pages through?  I don’t know how well I am explaining that.

Many thanks for your previous fast responses.
For example ISA Server allows users that are already logged on to a Windows domain to use the internet connection transparently (if the rules allow them to do so). Your visitors will not be logged on and will require authentication, so a username/password dialog is displayed.

You can hand them a default username that only allows proxy access and a password that changes every now and then, if required.

If you don't want to buy ISA server, then there are firewalls that can automatically force http(s) to be redirected to a proxy server (for example Sonicwall). Your internal office users then do not use the proxy server, the wireless users are forced through the proxy and must authenticate.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.