Storing MAC addresses in AD

**boris52** · 27-07-2009

Hi,

I run a set of AD managed servers (both unix and Windows) and keep most of my users in the normal schema. My users (on the whole) use a wide array of laptops/desktops to connect to these servers in a multi-team office and many users have more than one laptop or use VMs within their laptop and so have more than one mac-address associated with them.

To ensure that security requirements are met, I currently manage a list of mac-addresses that are allowed to connect to this network (for a Cisco VMPS server). At present, this is purely a flat, annotated file but I'd like to move this information into AD if possible.

I had hoped there would be a way to add custom attributes to a user but cannot yet find one.

Right now I can see two possible approaches (both should ignore disabled users):

1. write a custom script for our VMPS server to query AD directly

2. write a sync script to query all objects within AD and regenerate the flat file on a periodic basis.

Without adding custom attributes, all I can see is to make use of the notes field parse multiple mac-addresses out of this section.

Is this the best approach?

cheers,

Richard Mueller [MVP] · 27-07-2009

"boris52" <boris52.3vzi3b@DoNotSpam.com> wrote in message
news:boris52.3vzi3b@DoNotSpam.com...
>
> Hi,
>
> I run a set of AD managed servers (both unix and Windows) and keep most
> of my users in the normal schema. My users (on the whole) use a wide
> array of laptops/desktops to connect to these servers in a multi-team
> office and many users have more than one laptop or use VMs within their
> laptop and so have more than one mac-address associated with them.
>
> To ensure that security requirements are met, I currently manage a list
> of mac-addresses that are allowed to connect to this network (for a
> Cisco VMPS server). At present, this is purely a flat, annotated file
> but I'd like to move this information into AD if possible.
>
>
> I had hoped there would be a way to add custom attributes to a user but
> cannot yet find one.
>
> Right now I can see two possible approaches (both should ignore
> disabled users):
>
> 1. write a custom script for our VMPS server to query AD directly
>
> 2. write a sync script to query all objects within AD and regenerate
> the flat file on a periodic basis.
>
> Without adding custom attributes, all I can see is to make use of the
> notes field parse multiple mac-addresses out of this section.
>
> Is this the best approach?
>
> cheers,
>
>
> --
> boris52
> ------------------------------------------------------------------------
> boris52's Profile: http://forums.techarena.in/members/118701.htm
> View this thread: http://forums.techarena.in/active-directory/1221183.htm
>
> http://forums.techarena.in
>

Do you currently, or do you plan to, do something with the MAC addresses
other than keep track of them in a list? Would the userWorkstation attribute
help? userWorkstations, a single-valued attribute, is a comma delimited list
of the NetBIOS names of the workstations the user is allowed to logon to. AD
actually enforces this. If there are any names in the list, the user can
only logon to those workstations. I don't see how you could enforce your
list of MAC addresses, other than to detect new addresses, perhaps in a
logon script.

If you keep track of MAC addresses in AD, you can save them in a comma
delimited list. The "info" attribute corresponds to the "Notes" field on the
"Telephones" tab of ADUC. Would it make more sense to save the MAC address
in an attribute of the computer object?

--
Richard Mueller
MVP Directory Services
--

Joe Dunn · 27-07-2009

Managing a list of allowed MAC addresses is a lot of administrative overhead
to add what is only a thin line of security. MAC filtering is not a
particularly secure method of allowing and disallowing access to a network.
MACs can be easily impersonated. Have you considered 802.1x authentication
on your switches instead.

Best Regards
Joe Dunn
MCSE, MCTS, CCNA

"boris52" wrote:

>
> Hi,
>
> I run a set of AD managed servers (both unix and Windows) and keep most
> of my users in the normal schema. My users (on the whole) use a wide
> array of laptops/desktops to connect to these servers in a multi-team
> office and many users have more than one laptop or use VMs within their
> laptop and so have more than one mac-address associated with them.
>
> To ensure that security requirements are met, I currently manage a list
> of mac-addresses that are allowed to connect to this network (for a
> Cisco VMPS server). At present, this is purely a flat, annotated file
> but I'd like to move this information into AD if possible.
>
>
> I had hoped there would be a way to add custom attributes to a user but
> cannot yet find one.
>
> Right now I can see two possible approaches (both should ignore
> disabled users):
>
> 1. write a custom script for our VMPS server to query AD directly
>
> 2. write a sync script to query all objects within AD and regenerate
> the flat file on a periodic basis.
>
> Without adding custom attributes, all I can see is to make use of the
> notes field parse multiple mac-addresses out of this section.
>
> Is this the best approach?
>
> cheers,
>
>
> --
> boris52
> ------------------------------------------------------------------------
> boris52's Profile: http://forums.techarena.in/members/118701.htm
> View this thread: http://forums.techarena.in/active-directory/1221183.htm
>
> http://forums.techarena.in
>
>

**boris52** · 27-07-2009

Originally Posted by Richard Mueller [MVP]

"boris52"
> ...
> Right now I can see two possible approaches (both should ignore
> disabled users):
>
> 1. write a custom script for our VMPS server to query AD directly
>
> 2. write a sync script to query all objects within AD and regenerate
> the flat file on a periodic basis.
>
> Without adding custom attributes, all I can see is to make use of the
> notes field parse multiple mac-addresses out of this section.
>
> Is this the best approach?
>
> cheers,
>
>
> --
> boris52
> ------------------------------------------------------------------------
> boris52's Profile: http://forums.techarena.in/members/118701.htm
> View this thread: http://forums.techarena.in/active-directory/1221183.htm
>
> http://forums.techarena.in
>[/color]

Do you currently, or do you plan to, do something with the MAC addresses
other than keep track of them in a list? Would the userWorkstation attribute
help? userWorkstations, a single-valued attribute, is a comma delimited list
of the NetBIOS names of the workstations the user is allowed to logon to. AD
actually enforces this. If there are any names in the list, the user can
only logon to those workstations. I don't see how you could enforce your
list of MAC addresses, other than to detect new addresses, perhaps in a
logon script.

If you keep track of MAC addresses in AD, you can save them in a comma
delimited list. The "info" attribute corresponds to the "Notes" field on the
"Telephones" tab of ADUC. Would it make more sense to save the MAC address
in an attribute of the computer object?

--
Richard Mueller
MVP Directory Services

--

I have a set of users who are using arbitrary desktops/laptops that I don't control running a mixture of MacOS, Linux and Windows. My interest in this kit is to ensure that only specific hardware can use the network ports to access the servers, while by default anyone else cannot. Given the complexity I don't ever expect to add these into the AD.

I think I want to use the 'userWorkstations' for this either, since I may want to use this functionality to restrict access to servers on a per user basis.

Since I need to support multiple mac-addresses it does sound like I will need to use the notes field. I had thought of extending the schema to add this parameter in somehow, but even if I did that, the new attribute(s) would not be controllable from the 'user properties' panel.

Have I missed something?

cheers

**boris52** · 27-07-2009

Hi,

I'm aware of the limitations of mac-filtering and the abilities to spoof past this. However, the thin line of security is sufficient for our needs since the majority of people we wish to exclude from using this network are the non-technical ones. Basically, we need to stop people just plugging in and using it.

802.1x is a sledgehammer to crack a nut in this instance and while it can provide a bullet proof solution in all(?) circumstances, the administrative overhead in both the backend and on a wide variety of frontend clients would significantly outweight the added security.

cheers

Originally Posted by Joe Dunn

Managing a list of allowed MAC addresses is a lot of administrative overhead
to add what is only a thin line of security. MAC filtering is not a
particularly secure method of allowing and disallowing access to a network.
MACs can be easily impersonated. Have you considered 802.1x authentication
on your switches instead.

>[/color]