Restricting Access by MAC Address or Protocol

Novell Cool Solutions: Tip

Digg This - Slashdot This

Posted: 14 Sep 2004

A Novell Forum reader recently asked: "Is it possible to lock down a username to one or more specific MAC addresses? When I looked at doing it today, IP seemed to offer just the IP address, and IPX wouldn't accept the MAC address in any format."

The basic answer to this question is no, because IP does not preserve the source MAC address over a router, only the source IP address. However, you can restrict a user to a specific workstation or range. Another of our readers contributed some helpful tips on this subject ...

You will have to set restrictions based upon the protocols the workstation is using. If the PC is using IP and IPX, then you will need to set the restriction for both. If you set restriction for only IP for example. Then if workstation for some reason connects via IPX then you would get access denied since that user is only allowed to login from a specific IP address and protocol.

Case 1: Login from only a specific workstation

In this example, the workstation's IPX network number is 9010; the MAC address is 00B0A0B0C08D; the IP number is To restrict a user to logging in only from this workstation, you would set the address restrictions as follows:

IPX 9010: 00B0A0B0C08D

Result: The user ID with this restriction can ONLY log into a workstation with the above MAC address or with the above IP number. If user tries to login from a different workstation they will get message that login is denied due to station restrictions. In this example, you shouldn't be using DHCP - the workstation will need a static address.

Restricting a user to just one workstation could be helpful in giving you an extra layer of security.

Case 2: Login from one of several specified computers

This case works like Case 1, but you would enter the information for each workstation to which the user is allowed to log on.

Case 3: Login to only a certain subnet

In this example the user's IPX network number is 9010; the MAC address is: 00B0A0B0C08D; and the IP of the subnet is 10.44.x.x. To restrict login to only this subnet, you sould set address restrictions to:


In this example, anywhere you need a wildcard character you can use F's for IPX addresses and zeros for IP addresses. Case 3 is good to use when you want to lock down elementary generics and you don't want high school students to access elementary files. Often, high school kids will get into computers and delete the elementary students' work.

You can also implement time restrictions to further restrict usage of these user IDs.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© Micro Focus