Forum Discussion

Ned_66277
Dec 22, 2010

Restrict by source MAC address?

Is it possible to restrict by source MAC address? I have some iRules now that restrict by source IP, which are fine for our internal apps. We're discussing locking down an external site to certain people, but DHCP may be a problem if we restrict by IP.

The only thing close I've found thus far is [LINK::lasthop], but that appears to be the MAC of the last hop.

3 Replies

  • Hi Ned,

    Unfortunately, the ADC can't natively look at the mac address if the client is not on the same segment as the ADC. Ultimately we decided to go with an authentication scheme.

    Another method might be to write up JavaScript that would solicit the MAC address and send it via an HTTP header. The iRule can then pick it up and compare it to a whitelist. I think I have seen some examples on the web - mostly from Windows based browsers.

    I hope this helps

  • That confirms what I suspected. I was wondering about putting that into the header much in the same way X-Forwarded-For does it, sounds like a possibility. Authentication is what we're doing now, and for this particular app it takes three separate nearly-consecutive logins to get in (involving hand-offs between departments when troubleshooting). It's ugly, and I would ultimately like a simpler experience for the user (which would also simplify support). I was brainstorming about IP/MAC restrictions, but that may not be the right way to go. Thanks for your help.

  • Hi Ned,

    Getting the MAC address from a client depends on JavaScript retrieving the address and inserting it into an HTTP header in requests. A client could easily modify this value to anything they want using simple browser add-ons. So from a security perspective this would be a bad idea to use for access control.

    You could potentially use an iRule or, for more functionality, APM, to perform the authentication against a remote auth database. If there are three applications which require auth, you could use an iRule or APM to reduce this to one login.
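As an added illustration of the two replies above (it is not code from the thread or from F5), the following iRule does the source-IP allowlisting the original poster already uses, and shows where a JavaScript-supplied MAC header would sit in the same request. The data-group name "allowed_clients" (an address-type data group), the header name "X-Client-MAC", and the use of the `class` command (BIG-IP v10 or later) are assumptions for the example.

```tcl
# Added example, not from the thread. Assumes an address-type data group
# named "allowed_clients" exists and that the client inserts an
# "X-Client-MAC" header (both names are illustrative).
when HTTP_REQUEST {
    # Trusted check: the source address belongs to the TCP connection the
    # BIG-IP itself terminated, so the client cannot simply type it in.
    if { [class match [IP::client_addr] equals allowed_clients] } {
        return
    }

    # Untrusted value: a MAC address injected by client-side JavaScript
    # arrives as an ordinary request header, which any browser add-on or
    # curl command can set to whatever it likes. It is logged here for
    # troubleshooting only; it must not be used to grant access.
    if { [HTTP::header exists "X-Client-MAC"] } {
        log local0. "client [IP::client_addr] claims MAC [HTTP::header value "X-Client-MAC"] (not trusted)"
    }

    # Everything else is refused at the ADC.
    HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"
}
```

The practical point is the asymmetry: the allowlist decision is made on a value the BIG-IP observed itself, while the header is only ever logged. If DHCP makes per-host IP entries unworkable, the thread's own conclusion stands: move the decision to authentication (an iRule or APM in front of the application) rather than to any client-supplied identifier.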