Is it possible to restrict access to a website in IIS7 using MAC address rather than IP address?

We are wanting to restrict access to our website to only known PCs as mentioned here: link text. These PCs will be external to our network, but because some users could be remote, we would rather do this on MAC address rather than IP address.

IIS7, Windows Server 2008, ASP.NET

Thank you in advance

Richard

A: 

That is a bad idea because MAC addresses can easily be spoofed. If you need authentication from multiple unknown locations you should use passwords or certificates.

And of course, as mentioned in another answer, over the Internet the MAC address is not visible; it would only be possible inside your own network.

Fabian
We would be using this in the 2 factor authentication, this is part one and then the user authentication is part 2. We only want 'Known' PCs to access the website, as we don't want this to be open to just anyone, or open to staff when they go home.
Richard
Even if it were possible, the staff at the computer could easily find out the MAC address and set their home computer to the same one. The MAC address is something you (and too many others) know, not something you are or something you have. It is not suitable for 2-factor authentication.
Fabian
@Fabian - what would you recommend instead?
Richard
Use a token, or maybe a certificate (although I'm not sure if you can prevent users from exporting it and taking it with them).
Fabian
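
The certificate suggestion above, sketched for the IIS7/ASP.NET setup in the question as an added example that is not part of the original thread: an HTTP module that only admits requests presenting a client certificate whose thumbprint is on an allowlist. The module name and the thumbprint are hypothetical placeholders, and the sketch assumes each known PC has been issued its own client certificate.

```csharp
// Added example, not from the original thread.
// Assumes IIS is configured to require client certificates for the site, e.g.:
//   <system.webServer><security>
//     <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
//   </security></system.webServer>
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public class KnownPcCertificateModule : IHttpModule   // hypothetical name
{
    // Thumbprints of the certificates issued to known PCs.
    // The value below is a constructed placeholder, not a real certificate.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000"
        };

    public void Init(HttpApplication app)
    {
        // Check every request before any page or handler runs.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (!IsKnownPc(app.Request.ClientCertificate))
        {
            app.Response.StatusCode = 403;   // refuse unknown machines
            app.CompleteRequest();
        }
    }

    private static bool IsKnownPc(HttpClientCertificate presented)
    {
        // Reject when no certificate was sent or IIS flagged it as invalid.
        if (presented == null || !presented.IsPresent || !presented.IsValid)
            return false;
        // Reject certificates outside their validity period.
        DateTime now = DateTime.Now;
        if (now < presented.ValidFrom || now > presented.ValidUntil)
            return false;
        // Compare the presented certificate's thumbprint with the allowlist.
        var cert = new X509Certificate2(presented.Certificate);
        return AllowedThumbprints.Contains(cert.Thumbprint);
    }

    public void Dispose() { }
}
```

The module is registered under `<system.webServer><modules>` in web.config, and user authentication still runs afterwards as the second factor.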
A: 

It's not possible. You'd have to have some kind of application installed on the client machine such as an ActiveX control to get that information.

Perhaps you should consider having the website set up like an intranet and set up a VPN for the remote viewers. Look at LogMeIn's Hamachi. It's a super simple VPN setup and free to try.

used2could
Installing an app on the client PC would not be a problem to be honest.
Richard
Due to some browser limitations I wouldn't suggest this route.
used2could
+1  A: 

You can't restrict access by MAC address because the MAC address is used only in the local network for communication between devices, and behind any router the information about the ARP table can't be recognized.

Svisstack
A: 

The ISAPI extensions will not provide access to network layer information from the client end. This information has to be polled directly from the other end. Also, the MAC address is extremely unreliable as it can be spoofed more easily than an IP address can be.

Joel Etherton