
Thread: Storing MAC addresses in AD

  1. #1

    Storing MAC addresses in AD

    Hi,

    I run a set of AD managed servers (both unix and Windows) and keep most of my users in the normal schema. My users (on the whole) use a wide array of laptops/desktops to connect to these servers in a multi-team office and many users have more than one laptop or use VMs within their laptop and so have more than one mac-address associated with them.

    To ensure that security requirements are met, I currently manage a list of mac-addresses that are allowed to connect to this network (for a Cisco VMPS server). At present, this is purely a flat, annotated file but I'd like to move this information into AD if possible.


    I had hoped there would be a way to add custom attributes to a user but cannot yet find one.

    Right now I can see two possible approaches (both should ignore disabled users):

    1. write a custom script for our VMPS server to query AD directly

    2. write a sync script to query all objects within AD and regenerate the flat file on a periodic basis.

    Without adding custom attributes, all I can see is to make use of the notes field and parse multiple mac-addresses out of it.

    Is this the best approach?

    cheers,

  2. #2
    Richard Mueller [MVP]

    Re: Storing MAC addresses in AD

    "boris52" <boris52.3vzi3b@DoNotSpam.com> wrote in message
    news:boris52.3vzi3b@DoNotSpam.com...
    > ...


    Do you currently, or do you plan to, do something with the MAC addresses
    other than keep track of them in a list? Would the userWorkstations attribute
    help? userWorkstations, a single-valued attribute, is a comma-delimited list
    of the NetBIOS names of the workstations the user is allowed to log on to. AD
    actually enforces this. If there are any names in the list, the user can
    only log on to those workstations. I don't see how you could enforce your
    list of MAC addresses, other than to detect new addresses, perhaps in a
    logon script.

    If you keep track of MAC addresses in AD, you can save them in a comma
    delimited list. The "info" attribute corresponds to the "Notes" field on the
    "Telephones" tab of ADUC. Would it make more sense to save the MAC address
    in an attribute of the computer object?

    --
    Richard Mueller
    MVP Directory Services
    --
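
Option 2 from the original post (a periodic sync script that regenerates the VMPS flat file from AD, skipping disabled users), combined with the comma-delimited list in the `info`/Notes attribute that Richard describes, worked through as an added example. This is not code from the thread, from Microsoft or from Cisco. It assumes the users are exported with the OpenLDAP `ldapsearch` client, along the lines of

ldapsearch -LLL -H ldap://dc1.example.com -Y GSSAPI -E pr=1000/noprompt -b 'DC=example,DC=com' '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' sAMAccountName userAccountControl info > users.ldif

where the host name and base DN are hypothetical, the bitwise-AND matching rule on userAccountControl drops disabled accounts server-side, and paged results are requested because a domain controller returns at most 1000 entries per search by default. The VMPS database layout copies Cisco's sample file, so check the header lines against the local configuration. The LDIF inside the block is a constructed sample, not a real export.

```python
"""Regenerate a Cisco VMPS MAC database from enabled AD users' "Notes" (info).
Input: LDIF from ldapsearch (see the command in the text above)."""
import base64
import re
import sys

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled account

MAC_RE = re.compile(  # colon-, dash- or dot-separated, not glued to other hex digits
    r"(?<![0-9A-Fa-f])"
    r"(?:(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})"
    r"(?![0-9A-Fa-f])")

def parse_ldif(text):
    """Minimal LDIF reader -> one {attr_lower: [values]} dict per entry. Copes with
    base64 values ("info:: ...") and folded continuation lines (leading space)."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():   # unfold first
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = (base64.b64decode(value[1:].strip()).decode("utf-8")
                 if value.startswith(":") else value.strip())   # "attr:: <b64>"
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def normalise_mac(token):
    """Any accepted notation -> Cisco dotted form, e.g. 0011.2233.4455."""
    h = re.sub(r"[^0-9A-Fa-f]", "", token).lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def extract_macs(notes):
    """Distinct MACs found anywhere in a free-text Notes value, in order."""
    macs = []
    for token in MAC_RE.findall(notes):
        mac = normalise_mac(token)
        if mac not in macs:
            macs.append(mac)
    return macs

def build_allowlist(entries):
    """[(sAMAccountName, mac)] for enabled users. The LDAP filter already drops
    disabled accounts; re-checking the bit stops a sloppy export re-admitting a leaver."""
    rows = []
    for e in entries:
        if int(e.get("useraccountcontrol", ["0"])[0]) & ACCOUNTDISABLE:
            continue
        sam = e.get("samaccountname", ["?"])[0]
        for note in e.get("info", []):
            rows.extend((sam, mac) for mac in extract_macs(note))
    return rows

def render_vmps_db(rows, domain="OFFICE", vlan="office-lan"):
    """VMPS database text, header laid out like Cisco's sample file
    ('vmps mode secure' would instead shut the port on a denied MAC)."""
    out = [f"vmps domain {domain}", "vmps mode open", "vmps fallback --NONE--",
           "vmps no-domain-req deny", "!", "vmps-mac-addrs"]
    owners = {}
    for sam, mac in rows:               # a MAC shared by two users appears once
        owners.setdefault(mac, []).append(sam)
    for mac in sorted(owners):
        out.append(f"! {', '.join(owners[mac])}")
        out.append(f"address {mac} vlan-name {vlan}")
    return "\n".join(out) + "\n"

def sync(ldif_text, domain="OFFICE", vlan="office-lan"):
    """Whole pipeline: LDIF text in, VMPS database text out."""
    return render_vmps_db(build_allowlist(parse_ldif(ldif_text)), domain, vlan)

# Constructed sample export. boris52: laptop plus a VM (multi-line Notes, base64-
# encoded and folded as ldapsearch would emit it). jdoe: disabled (514 = NORMAL_ACCOUNT |
# ACCOUNTDISABLE). asmith: enabled, 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD.
SAMPLE_NOTES = "laptop: 00:11:22:33:44:55\nvm (on laptop): 00-11-22-33-44-66"
SAMPLE_B64 = base64.b64encode(SAMPLE_NOTES.encode()).decode()
SAMPLE_LDIF = (
    "dn: CN=boris52,OU=Users,DC=example,DC=com\n"
    "sAMAccountName: boris52\n"
    "userAccountControl: 512\n"
    "info:: " + SAMPLE_B64[:40] + "\n " + SAMPLE_B64[40:] + "\n\n"
    "dn: CN=jdoe,OU=Users,DC=example,DC=com\n"
    "sAMAccountName: jdoe\n"
    "userAccountControl: 514\n"
    "info: desktop 0012.3456.789a\n\n"
    "dn: CN=asmith,OU=Users,DC=example,DC=com\n"
    "sAMAccountName: asmith\n"
    "userAccountControl: 66048\n"
    "info: docking station 00:11:22:33:44:55, no MAC for the VM yet\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sys.stdout.write(sync(text))
```

Run it with the LDIF path as its only argument (with no argument it runs against the built-in sample) and diff the output against the current file before pushing it to the VMPS server. One check worth making before trusting this: who can write the `info` attribute on user objects. Anyone who can edit their own Notes field can enrol a MAC address, so if the permissions on your user objects let people update their own details, either restrict that attribute or keep the list somewhere only administrators can write, which is one argument for Richard's suggestion of an attribute on the computer object.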

  3. #3
    Joe Dunn

    RE: Storing MAC addresses in AD


    Managing a list of allowed MAC addresses is a lot of administrative overhead
    to add what is only a thin line of security. MAC filtering is not a
    particularly secure method of allowing and disallowing access to a network.
    MACs can be easily impersonated. Have you considered 802.1X authentication
    on your switches instead?

    Best Regards
    Joe Dunn
    MCSE, MCTS, CCNA


    "boris52" wrote:

    > ...


  4. #4

    Re: Storing MAC addresses in AD

    Quote Originally Posted by Richard Mueller [MVP]
    > ...

    I have a set of users who are using arbitrary desktops/laptops that I don't control running a mixture of MacOS, Linux and Windows. My interest in this kit is to ensure that only specific hardware can use the network ports to access the servers, while by default anyone else cannot. Given the complexity I don't ever expect to add these into the AD.

    I don't think I want to use the 'userWorkstations' attribute for this either, since I may want to use this functionality to restrict access to servers on a per-user basis.

    Since I need to support multiple mac-addresses it does sound like I will need to use the notes field. I had thought of extending the schema to add this parameter in somehow, but even if I did that, the new attribute(s) would not be controllable from the 'user properties' panel.

    Have I missed something?

    cheers

  5. #5

    Re: Storing MAC addresses in AD

    Hi,

    I'm aware of the limitations of mac-filtering and the abilities to spoof past this. However, the thin line of security is sufficient for our needs since the majority of people we wish to exclude from using this network are the non-technical ones. Basically, we need to stop people just plugging in and using it.

    802.1X is a sledgehammer to crack a nut in this instance and while it can provide a bulletproof solution in all(?) circumstances, the administrative overhead in both the backend and on a wide variety of frontend clients would significantly outweigh the added security.

    cheers


    Quote Originally Posted by Joe Dunn
    > ...
