Screen OS

  • 1.  DHCP MAC Filtering SSG-20

    Posted 04-29-2010 07:32

    http://kb.juniper.net/index?page=content&id=KB9546&actp=search&searchid=1272551122918


    I found the article above that supposedly enables you to use a policy to filter using a MAC address. I have tested it by creating a DHCP server on trust and reserving an IP to a MAC address. I then created a policy as it said, allowing only that reserved IP to talk to untrust.

    But when I statically assigned the same IP address to another machine, it was also able to talk to untrust. And to be honest, in the policy, when you specify the source (which is the IP address I reserved), there seems to be no option to filter using the MAC address.



  • 2.  RE: DHCP MAC Filtering SSG-20

    Posted 04-30-2010 17:49

    Your assumption is correct.  The policies are written to the IP, and the tech note is just giving you a workaround to fix a particular IP to a MAC address.  The policy is still all about the IP, not the MAC.
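The behaviour described in the two posts above, as an added model (not ScreenOS code and not part of the original thread): a DHCP reservation pins one IP to one MAC, but a policy keyed on IP matches any frame that carries that IP, so a host with the same IP statically configured is permitted too. The second function shows what the poster actually wants, a source IP to source MAC binding checked before the policy; the thread states the SSG does not offer this, so it is shown only for contrast. All addresses, MACs and table contents are constructed for the example.

```python
"""Added example (not ScreenOS code): why an IP-keyed firewall policy does not
enforce the MAC address behind a DHCP reservation.

All addresses, MACs and table contents below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re


@dataclass(frozen=True)
class Frame:
    """Minimal view of an inbound frame: who sent it and which IP it claims."""
    src_mac: str
    src_ip: str


# Constructed DHCP reservation table, like the one the poster set up on trust:
# the reserved IP is handed out only to this MAC (ScreenOS-style dotted form).
RESERVATIONS = {"0011.2233.4455": "192.168.1.50"}

# Constructed policy, first match wins. Like the KB workaround, it permits only
# the reserved IP towards untrust; note that a rule has no field for a MAC.
POLICY = [
    (ip_network("192.168.1.50/32"), "permit"),
    (ip_network("0.0.0.0/0"), "deny"),
]


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the dotted form used as the key in RESERVATIONS."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def ip_policy(frame: Frame) -> str:
    """Layer-3 policy lookup: only the source IP is consulted.

    This is what the poster observed: a statically configured host using the
    reserved IP matches the permit rule exactly like the reserved host does.
    """
    src = ip_address(frame.src_ip)
    for network, action in POLICY:
        if src in network:
            return action
    return "deny"


def ip_mac_binding(frame: Frame) -> str:
    """The check the poster is asking for, modelled here: the source IP must be
    the one reserved for the source MAC before the IP policy is consulted.
    Per the thread the SSG does not do this; the function shows what it would do."""
    expected_ip = RESERVATIONS.get(normalize_mac(frame.src_mac))
    if expected_ip is None or ip_address(expected_ip) != ip_address(frame.src_ip):
        return "deny"
    return ip_policy(frame)


if __name__ == "__main__":
    legit = Frame("00:11:22:33:44:55", "192.168.1.50")
    spoof = Frame("66:77:88:99:aa:bb", "192.168.1.50")   # other box, static IP
    for name, frame in (("reserved host", legit), ("spoofed IP", spoof)):
        print(f"{name:14s} IP policy: {ip_policy(frame):6s} "
              f"MAC binding: {ip_mac_binding(frame)}")
```

Running the block prints "permit" for both hosts under the IP policy and "deny" for the second host only under the MAC binding, which is the gap the original poster ran into: once an attacker has sniffed or guessed the permitted IP, the policy alone has nothing left to distinguish them from the reserved machine.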



  • 3.  RE: DHCP MAC Filtering SSG-20

    Posted 05-01-2010 01:04

    I have been having a little play around in transparent mode, which allows you to set static MACs, and you can also use sticky MAC. But my question is, do any of these features allow you to restrict a MAC address to a specific port (MAC security)?



  • 4.  RE: DHCP MAC Filtering SSG-20

    Posted 05-01-2010 01:08

    Basically, our SSG is in a place where members of the public might be able to get at it, and I want to try and stop someone from being able to just plug their laptop into the SSG and get access to our network. I know you can restrict using IP in the policy, but it would be easy for someone to use a sniffer to sniff the IP addresses.



  • 5.  RE: DHCP MAC Filtering SSG-20
    Best Answer

    Posted 05-01-2010 04:48

    You are correct that MAC locking is not in the feature set.

    If the systems that you have on your network can support it, I think RADIUS would be your best option for this scenario.  Check volume 9 of the Concepts & Examples guide.

    I use this for wireless security by computer via an internal certificate authority.  We distribute the certificates and authority to domain computers and check them on request for wireless access.  But RADIUS can also be applied to physical ports.  You do need to deploy a central RADIUS server to handle the authentication challenges.  Windows has this as an add-in role option, and I've been using that as an additional role on an existing server.

    The SSG can also be an Infranet Enforcer for the UAC product line.  But that involves deploying the UAC controller and developing a rule set from there.  This is helpful if you have lots of locations or rules to manage.  But under the hood this is also just using RADIUS and EAP as the means for the control.