
Symantec Network Access Control block/allow access from mac address

Created: 21 Mar 2011 | 7 comments

I have been researching the functions of the Network Access Control policy, and I am trying to find out if it has the ability to allow/block network access based on the workstation's MAC address. Ideally I would like to have NAC check that the workstation has AV and a firewall, and then check that the workstation's MAC address is registered in SEPM; if so, it is allowed access. Thanks in advance.


Thomas K

You can use MAC Authentication Bypass with the Symantec LAN Enforcer appliance, but allowing/blocking based on the MAC address is not an option at this time.

Note: You could use the SEP firewall to allow or block by MAC address.

gsosure

It looks like, with the option to create a FW policy to block/allow by MAC address, we would have to enter every MAC address manually. Is that correct?

Thomas K

Yes, that is the only drawback. There is no way to add a range or import a list at this time.
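An added example (not from this thread and not part of Symantec's product): a Python script that normalizes MAC addresses from SEPM-style and switch/DHCP-style formats, reports hosts whose MAC is not on the registered list, and flags locally administered addresses, which is one reason MAC-only allow/block rules are a weak control. The SEPM export and the lease dump are constructed sample data.

```python
import re

# Constructed sample data: MACs as they might be exported from SEPM
# (colon and hyphen forms) and as seen in a switch/DHCP lease dump
# (Cisco dotted form mixed with colon form).
SEPM_REGISTERED = """
00:1A:2B:3C:4D:5E
00-1a-2b-3c-4d-5f
"""

DHCP_LEASES = """
192.168.10.21  001a.2b3c.4d5e     WS-FINANCE-01
192.168.10.22  00:1A:2B:3C:4D:5F  WS-FINANCE-02
192.168.10.23  02:00:5e:ab:cd:ef  unknown-laptop
"""

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff.
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b",
    re.IGNORECASE,
)


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated, or None if not 12 hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def extract_macs(text):
    """Set of normalized MACs found anywhere in a text dump."""
    return {normalize_mac(m.group(0)) for m in MAC_RE.finditer(text)}


def is_locally_administered(mac):
    """Bit 1 of the first octet set => locally administered (often a changed MAC)."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def find_unregistered(registered_text, leases_text):
    """MACs present in the lease dump but absent from the registered list."""
    return sorted(extract_macs(leases_text) - extract_macs(registered_text))


if __name__ == "__main__":
    for mac in find_unregistered(SEPM_REGISTERED, DHCP_LEASES):
        flag = " (locally administered)" if is_locally_administered(mac) else ""
        print(f"unregistered: {mac}{flag}")
```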

SNACpack

SNAC has the option for either user-based or host-based authentication. With host-based authentication, a Unique ID (UID) is created based on the specific hardware profile of that system. NICs are included in the calculation, but are one of many factors for creating the UID. Each system will get its own UID, and they are not transferable or spoofable. This would allow you to ensure that machines connecting to the network are approved company resources.

gsosure

Just to make sure I understand: after we set our required 4 specific items that SNAC will check for, and the workstation has passed, it is given a UID from SNAC? The one thing I just realized is that SNAC is only looking for computers with SEP11 on them, so if a laptop is brought in from outside and hooked into the network, it could potentially still be able to get on to the network. Is this thought correct?

SNACpack

The UID is created when the agent is first installed and connects to the manager. The agent should retain this UID as long as the agent remains installed. The UID acts as a primary key in some of the DB tables to track that agent's activity. When agent logs are uploaded to the manager (HI results, etc.), the UID is included for identification purposes.

Authentication occurs at two levels. The agent will perform the Host Integrity checks and provide the results to the Enforcer. At the same time, the Enforcer will verify the agent's UID with the manager to make sure it is a legit install.

Whether or not outside systems can connect to your network is dependent on how your network is configured and which type of enforcer you are using.

LAN Enforcers can direct the switch to open/close a port or provide a VLAN assignment. In this scenario, your network can be configured to block/quarantine systems that do not have an agent. You can also have it configured to allow agent-less systems on your network anyway. Most customers will have these systems directed to a quarantine VLAN.

Gateway Enforcers can block traffic from any system without an agent, but will only block traffic passing through the enforcer. If used to monitor a VPN gateway, then yes, an agent-less system will have blocked access (unless you provide them the option to use the On-demand agent). If a Gateway Enforcer is used to only protect specific enterprise resources, then the agent-less system will still get on the rest of your network, but won't be able to access the resources protected behind the Gateway Enforcer.

The DHCP Enforcer assigns IP addresses based on your authentication criteria. Agent-less systems can be assigned an IP on a quarantine network. This is similar to the LAN Enforcer function, but with IP addresses instead of VLAN assignments.

LAN Enforcers on an 802.1X-configured network are the most effective way to block agent-less systems from connecting to your network.

New Comer 2011

As I understand it:

In DHCP Enforcer mode, there are some properties of the enforcer group to allow certain MAC addresses.

(The properties can be found in Admin > Servers > Edit Group Properties > Advanced.)

In LAN Enforcer mode, we may need to change the switch configuration to allow certain ports to allow the access.

I did not try the Gateway Enforcer mode.