Solved

Allow internet access only by MAC Address in ISA Server 2006

Posted on 2009-05-08
Last Modified: 2012-05-06
Hi all,
In my office LAN I need to allow only the company's computers to access the Internet. We have ISA Server 2006 installed, regardless of not having a manageable switch on which I could easily block ports to specific MAC addresses (that's another war). The problem is that some workers bring their own PCs, unplug the network cable from the company computer and plug it into their own, accessing the Internet.
Is there any possibility of creating some rule in ISA that only allows Internet access from specific MAC addresses?

Thanks in advance.
Question by:nasps
23 Comments
 
LVL 16

Expert Comment

by:Malmensa
ID: 24333963
I have implemented this by setting reservations in DHCP, then allowing those IPs only to have access.
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 25 total points
ID: 24337272
You cannot do it by MAC address, as MAC addresses operate at layer 2 and ISA is a layer 3 firewall. As above, you can do this by ensuring that only a specific MAC address gets a particular IP address by reservations, and then block/allow by using computer groups/objects.

keith
ISA MVP
 

Author Comment

by:nasps
ID: 24423602
I've been "breaking some stone" inside ISA and saw a figure "Authenticated Users". Can't this option get to the AD and only allow users that are on the AD?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24424282
Unfortunately no - the reason being that the authenticated user uses the User AD entry for authentication, not the Machine account so by plugging in their personal laptop brought in from home, they will still get a valid IP address and by putting in the proxy settings can put in valid domain credentials when prompted.

Keith
 

Expert Comment

by:AymanDasa
ID: 24467503
Mr. keith_alabaster is right.
 
LVL 29

Expert Comment

by:pwindell
ID: 24487208
I prefer public user beatings myself.

Seriously though, if there is no company policy that says they are not allowed to do that, then you are powerless to do anything about it because the management won't back you up.  However, if there is a company policy forbidding them from bringing in their own machine and plugging it into the company wall jack after unplugging the company machine, then this is an issue for management to handle "human-to-human".   PCs, servers, and firewalls are lousy babysitters.  You'd be amazed at how that will stop happening if word gets around that someone got fired for doing that.

As far as technology to do this,...I think it is the 802.1x thing that works from switches designed to do that,...assuming I don't have my 802 numbers mixed up.  The Switch would validate the machine before it is allowed to get an IP#.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24487410
Yes, it is 802.1x for VLAN tagging, and it could be used if the switches on site support that protocol and no other connection medium is present.

 

Author Comment

by:nasps
ID: 24491645
pwindell

Thanks for your answer. Of course the "public beating" probably would be the best policy but, as you also mentioned, the "bosses" are not always with you, because if they knew about these things the first head to be banged would be the technician's, because he "didn't prevent these things from happening".
Despite that, and from what I've been reading in your posts, this purpose of mine only gets done by hardware.

 
LVL 29

Expert Comment

by:pwindell
ID: 24492894
There is one other solution, although I think it is far-fetched and extreme.  It would be to eliminate a Cabled Network and go completely wireless.  Then no one could get into it without the WPA Key (or whatever wireless security method you chose).
 

Author Comment

by:nasps
ID: 24582828
I've been changing some equipment and just installed a new server for ISA Server and imported the firewall policies from the former ISA. I'm having a problem, though: I attach a screenshot of the firewall policies. I tried to allow the Internet connection to Authenticated Users, but when on Rule nr. 12 I change from All Users to Authenticated Users everybody's Internet goes "down". I've even tried to create an AD Users set of members (basically all users in the domain) and the Internet is still down. My main goal is to be able to get the clients' usernames in the reports. What am I doing wrong?
Firewall-Policy.jpg
 
LVL 29

Expert Comment

by:pwindell
ID: 24583045
Look at the Monitoring Log.  What Rule does it say is stopping it when it fails?
Was the ISA machine a Domain Member before the ISA Software was installed?
 
LVL 29

Expert Comment

by:pwindell
ID: 24583063
Also, what are the DNS settings in the TCP/IP properties of the NICs on the ISA box?
 

Author Comment

by:nasps
ID: 24583520
Hi pwindell,
When I change the users, the error rule (red ones) is blank...
The ISA machine was "inserted" in the domain after the ISA installation. Afterwards it was configured.
I have two NICs on the new server: one has the connection to the Internet router, therefore it has the public IPs and our DNS IPs; the other NIC has a static (internal) IP. The DHCP settings have the router IP pointed to the ISA server (10.68.x.x) so that everybody gets the default gateway from the ISA server.
 
LVL 29

Expert Comment

by:pwindell
ID: 24584377
You have several things wrong.

1. The ISA machine was not a Domain Member before the ISA software was installed.  This means that the proper System Policies were not configured by the setup program.  The ISA setup program will detect if the machine is a Domain Member during the installation process and will create the correct system policies.   It is possible to work around that,...but in my opinion,.. I never trust that.  To fix this you need to
     A. "Backup" the ISA config to an XML file
     B. Uninstall the ISA package
     C. Move the machine to a Workgroup,..then rejoin it to the Domain (you could skip this one, but I would do it as a "safety move")
     D. Reinstall the ISA software and then import the saved config back into the ISA

2. The NICs on the ISA need to be configured like this,...and it is best to be this way before the ISA software is installed.

     A. The Internal NIC should have no Default Gateway,...but it is the only one with any DNS settings, and those settings need to point only to the AD DNS machine and never anything else.

     B. The External NIC should have *no* DNS settings,...but it is the only one that should have a Default Gateway.

Configuring ISA Server Interface Settings.
http://www.isaserver.org/tutorials/configuring_isa_server_interface_settings.html

DNS
Your AD/DNS needs to use an external DNS server as its Forwarder. Typically that is the ISP's DNS.  The first Access Rule at the top of the list in ISA should be the DNS rule that allows the AD/DNS (and only the AD/DNS) to make outbound DNS queries, and it needs to be anonymous ("All Users").  It is optional to further restrict it to only the particular Forwarder.   The reason to restrict the source to only the AD/DNS is to eliminate machines on your LAN that may be unknowingly using rogue DNS servers, which can be the result of rogue users, viruses, spyware, hijackings, and a number of other things.
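The NIC layout described in point 2 above can be checked rather than eyeballed. The script below is an added example, not from this thread or from ISA itself; it reads the adapter settings through WMI (Win32_NetworkAdapterConfiguration, available on Windows Server 2003) and reports any NIC that breaks the "internal: DNS but no gateway / external: gateway but no DNS" rule. The AD DNS address 10.68.0.10 is a placeholder; put your own domain controller's address there.

```powershell
# Added example (not the thread's or ISA's own code): audit a two-NIC ISA box
# against the interface rules given above. Run locally on the ISA machine.
param(
    # Placeholder AD/DNS address; replace with your domain controller's IP.
    [string[]]$AdDnsServers = @('10.68.0.10')
)

function Test-IsaNicLayout {
    param([string[]]$AdDns)
    $findings = @()
    $gatewayNics = 0
    # Only adapters with IP bound; WMI returns $null for unset list properties,
    # so filter nulls out before counting.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($nic in $nics) {
        $name = $nic.Description
        $gw   = @($nic.DefaultIPGateway    | Where-Object { $_ })
        $dns  = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        if ($gw.Count -gt 0) {
            # A default gateway marks this as the External NIC: it must carry no DNS.
            $gatewayNics++
            if ($dns.Count -gt 0) {
                $findings += "External NIC '$name' has DNS servers ($($dns -join ', ')); it should have none."
            }
        } else {
            # No default gateway marks this as the Internal NIC: DNS must be the AD DNS only.
            if ($dns.Count -eq 0) {
                $findings += "Internal NIC '$name' has no DNS servers; it should point at the AD DNS."
            }
            foreach ($server in $dns) {
                if ($AdDns -notcontains $server) {
                    $findings += "Internal NIC '$name' lists non-AD DNS server $server."
                }
            }
        }
    }
    if ($gatewayNics -ne 1) {
        $findings += "Expected exactly one NIC with a Default Gateway, found $gatewayNics."
    }
    return $findings
}

$result = @(Test-IsaNicLayout -AdDns $AdDnsServers)
if ($result.Count -eq 0) {
    Write-Host "NIC layout matches the recommended ISA interface configuration."
} else {
    $result | ForEach-Object { Write-Host "FINDING: $_" }
}
```
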
 
LVL 29

Expert Comment

by:pwindell
ID: 24584601
BTE -  Much of the time when a Deny Rule occurs it is doing so due to System Policy (or lack thereof).  Hence there is no Rule "name" in the Log.  This fits with my statement #1 above.
 
LVL 29

Expert Comment

by:pwindell
ID: 24584633
My Cisco Spell Checker is failing me....I meant

BTW (not BTE) - Much of the time when a "denied" log entry occurs that shows a blank Rule Name,.....yadda,..yadda,...yadda,...fits with my statement #1 above.
 

Author Comment

by:nasps
ID: 24586148
Will try it out next Friday (Wednesday and Thursday are official holidays in Portugal). Will let you know the results.
 
LVL 29

Accepted Solution

by:pwindell
pwindell earned 100 total points
ID: 24591175
Since the original question was "Allow internet access only by MAC Address in ISA Server 2006".

Since that is not even remotely possible with ISA, and any solution remotely related to that is not going to be an ISA Issue...the thread was over as soon as it began,...if we are going to follow the rules that strictly.
 
LVL 29

Expert Comment

by:pwindell
ID: 24592272
I don't know how to post this in any other way but in the thread, so feel free to move it if you need to.
I'm not seeking a lecture, I have been where you are myself, I know how it works, I've been involved with this stuff for 18 years since the days of FidoNet BBSs...what I am seeking is what you want to do about it since, as I said, ISA does not do what the person asked so the practical end of the thread was a long way back.  All I am trying to do is help the guy. You probably should end the thread and remove any non-relevant comments, I'm fine with that.  Amending the title might be more confusing for people so it might be best for it to start fresh in a new thread.  When these threads get real long it is too difficult to follow,...heck I even start to lose track of what we are talking about after a while.  Since the goal is a searchable database, it is best if the threads stay somewhat short and concise.
 

Author Comment

by:nasps
ID: 24600614
Guys, guys...my bad...I don't want to get anyone in "trouble". Experts Exchange has already helped me a lot and I intend to continue. I will close this thread and open a new one...Since it was the "same" subject, or related, because I can't reach my goal if I realise that the core matter (ISA Server) is wrongly configured. Even so...that's fine.
pwindell: I will try out those hints you gave me for the ISA config, but I will open a new thread for completing this issue.
 
LVL 29

Expert Comment

by:pwindell
ID: 24602272
Sounds good, Nasps