Restrict by source MAC address?

Hi Ned,

 

Unfortunately, the ADC can't natively look at the mac address if the client is not on the same segment as the ADC. Ultimately we decided to go with an authentication scheme.

 

 

Another method might be to write up javascript that would solicite the mac-address and send it via HTTP header. The irule can then pick it up and compare it a whitelist. I think I have seen some examples on the web - mostly from Windows based browsers.

 

 

I hope this helps

 

Bhattman

 

 

 

 

 

That confirms what I suspected. I was wondering about putting that into the header much in the same way X-Forwarded-For does it, sounds like a possibility. Authentication is what we're doing now, and for this particular app it takes three separate nearly-consecutive logins to get in (involving hand-offs between departments when troubleshooting). It's ugly, and I would ultimately like a simpler experience for the user (which would also simplify support). I was brainstorming about IP/MAC restrictions, but that may not be the right way to go. Thanks for your help.

Hi Ned,

 

 

Getting the MAC address from a client depends on Javascript retrieving the address and inserting it into an HTTP header in requests. A client could easily modify this value to anything they want using simple browser addons. So from a security perspective this would be a bad idea to use for access control.

 

 

You could potentially use an iRule or for more functionality, APM, to perform the authentication against a remote auth database. If there are three applications which require auth, you could use an iRule or APM to reduce this to one login.

 

 

Aaron