Before you configure web-based/MAC authentication, follow these guidelines.
- Configure a local user name and password on the switch for both the operator (login) and manager (enable) access levels. HP recommends that you use a local user name and password pair to protect the switch configuration from unauthorized access.
- Determine the switch ports that you want to configure as authenticators. Before you configure web-based or MAC authentication on a port operating in an LACP trunk, you must remove the port from the trunk. To display the current configuration of 802.1X, web-based, and MAC authentication on all switch ports, enter the show port-access config command, as shown in the following example.
- Determine whether any VLAN assignments are needed for authenticated clients.
- If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active. The VLAN must be statically configured on the switch.
- If there is no RADIUS-assigned VLAN, the port can join an “Authorized VLAN” for the duration of the client session. This must be a port-based, statically configured VLAN on the switch.
- If there is neither a RADIUS-assigned VLAN nor an “authorized VLAN” for an authenticated client session on a port, the port’s VLAN membership remains unchanged during authenticated client sessions. Configure the port for the VLAN in which you want it to operate during client sessions.
NOTE: When configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.
- For clients that the RADIUS server does not authenticate, determine whether to use the optional “unauthorized VLAN” mode. This VLAN must be statically configured on the switch. If you do not configure an “unauthorized VLAN”, the switch simply blocks access to unauthenticated clients trying to use the port.
- Determine the authentication policy you want on the RADIUS server and configure the server. Based on your switch's RADIUS application information, include the following in the policy for each client or client device:
- The CHAP-RADIUS authentication method.
- An encryption key.
- One of the following:
- Include the user name and password for each authorized client if you are configuring web-based authentication.
- Enter the device MAC address in both the user name and password fields of the RADIUS policy configuration for that device if you are configuring MAC authentication. To allow a particular device to receive authentication only through a designated port and switch, include this in your policy.
- Determine the IP address of the RADIUS servers you choose to support web-based or MAC authentication.
Before you configure MAC authentication
- Configure a local user name and password on the switch.
- Ensure that the VLANs are configured on the switch and that the appropriate port assignments have been made if you plan to use multiple VLANs with MAC authentication.
- Ping the switch console interface to ensure that the switch is able to communicate with the RADIUS server you are configuring to support MAC authentication.
- Configure the switch with the correct IP address and encryption key to access the RADIUS server.
- Configure the switch for MAC authentication with the ports you will be using.
- Test both the authorized and unauthorized access to your system to ensure that MAC authentication works properly on the ports you have chosen to configure for port-access.
MAC authentication requires that only a single entry containing the user name and password is placed in the user database with the device's MAC address. This creates an opportunity for malicious device spoofing. The global password option configures a common MAC authentication password to use for all MAC authentications sent to the RADIUS server. This makes spoofing more difficult.
When implementing the global MAC authentication password option, it is important that the user database on the RADIUS server has this password as the password for each device performing MAC authentication.
Commands to configure the global MAC authentication password
To configure the global MAC authentication password:
Syntax
[no] aaa port-access mac-based password password-value
Specifies the global password to be used by all MAC authenticating devices.
The [no] form of the command disables the feature.
For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, commands that take a password as a parameter have the echo of the password typing replaced with asterisks. The input for the password is prompted for interactively. See Secure Mode (3800, 5400zl, and 8200zl Switches).
Configuring a global MAC authentication password
NOTE: The password value is listed in an exported config file when include-credentials is enabled.
Syntax
aaa port-access mac-based addr-format <no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash-uppercase | multi-dash-uppercase | multi-colon-uppercase>
Specifies the MAC address format used in the RADIUS request message. This format must match the format used to store the MAC addresses in the RADIUS server.
Default: no-delimiter
- no-delimiter: specifies an aabbccddeeff format.
- single-dash: specifies an aabbcc-ddeeff format.
- multi-dash: specifies an aa-bb-cc-dd-ee-ff format.
- multi-colon: specifies an aa:bb:cc:dd:ee:ff format.
- no-delimiter-uppercase: specifies an AABBCCDDEEFF format.
- single-dash-uppercase: specifies an AABBCC-DDEEFF format.
- multi-dash-uppercase: specifies an AA-BB-CC-DD-EE-FF format.
- multi-colon-uppercase: specifies an AA:BB:CC:DD:EE:FF format.
Syntax
Enables or disables MAC authentication on specified ports.
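An added example, not part of the HP documentation: a Python audit of RADIUS user entries against the switch's configured addr-format and the optional global MAC authentication password described above. The function names, the (user name, password) export shape and the sample entries are assumptions made for illustration, as is the assumption that, without a global password, the password is the MAC address in the same format as the user name.

```python
import re

# The eight addr-format keywords: (hex digits per group, delimiter, uppercase)
ADDR_FORMATS = {
    "no-delimiter": (12, "", False),
    "single-dash": (6, "-", False),
    "multi-dash": (2, "-", False),
    "multi-colon": (2, ":", False),
    "no-delimiter-uppercase": (12, "", True),
    "single-dash-uppercase": (6, "-", True),
    "multi-dash-uppercase": (2, "-", True),
    "multi-colon-uppercase": (2, ":", True),
}

def format_mac(mac, addr_format):
    """Render a MAC address, written in any common notation, in the given addr-format."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    group, delim, upper = ADDR_FORMATS[addr_format]
    digits = digits.upper() if upper else digits.lower()
    return delim.join(digits[i:i + group] for i in range(0, 12, group))

def audit_entries(entries, addr_format, global_password=None):
    """Return (user_name, problem) pairs for entries the switch's requests would not match.

    entries: (user_name, password) pairs exported from the RADIUS user database
             (hypothetical export shape).
    global_password: the value set with 'aaa port-access mac-based password', if any.
    """
    findings = []
    for user_name, password in entries:
        try:
            expected_name = format_mac(user_name, addr_format)
        except ValueError:
            findings.append((user_name, "user name is not a MAC address"))
            continue
        if user_name != expected_name:
            findings.append((user_name, f"format mismatch, switch sends {expected_name}"))
        # Assumption: with no global password, the password is the MAC in the same format.
        expected_pw = global_password if global_password is not None else expected_name
        if password != expected_pw:
            kind = "global password" if global_password is not None else "MAC address"
            findings.append((user_name, f"password is not the {kind}"))
    return findings

# Constructed sample entries, not taken from a real user database.
SAMPLE_ENTRIES = [
    ("aabbccddeeff", "aabbccddeeff"),
    ("AA-BB-CC-DD-EE-01", "AA-BB-CC-DD-EE-01"),
    ("aabbccddee02", "s3cret"),
    ("printer-3", "printer-3"),
]

if __name__ == "__main__":
    for name, problem in audit_entries(SAMPLE_ENTRIES, "no-delimiter"):
        print(f"{name}: {problem}")
```
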
Specifying the maximum authenticated MACs allowed on a port
Syntax
aaa port-access mac-based [e] port-list [addr-limit 1-256]
Specifies the maximum number of authenticated MACs to allow on the port.
Default: 1
NOTE: On switches where MAC authenticated and 802.1X operate concurrently, this limit includes the total number of clients authenticated through both methods.
The limit of 256 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method.
Allowing addresses to move without re-authentication
Syntax
[no] aaa port-access mac-based [e] port-list [addr-moves]
Allows client moves between the specified ports under MAC authenticated control. When enabled, the switch allows addresses to move without requiring a re-authentication.
When disabled, the switch does not allow moves and when one occurs, the user is forced to re-authenticate. At least two ports (from ports and to ports) must be specified.
Use the no form of the command to disable MAC address moves between ports under MAC authenticated control.
Default: Disabled — no moves allowed
Syntax
aaa port-access mac-based [e] port-list [auth-vid vid]
no aaa port-access mac-based [e] port-list [auth-vid]
Specifies the VLAN to use for an authorized client. The RADIUS server can override the value (accept response includes a vid).
If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one.
Use the no form of the command to set the auth-vid to 0.
Default: 0
Specifying the time period enforced for implicit logoff
Syntax
[no] aaa port-access mac-based [e] port-list [logoff-period] 60-9999999
Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state.
Default: 300 seconds
Specifying how many authentication attempts can time-out before failure
Syntax
[no] aaa port-access mac-based [e] port-list [max-requests 1-10]
Specifies the number of authentication attempts that must time-out before authentication fails.
Default: 2
Specifying how long the switch waits before processing a request from a MAC address that failed authentication
Syntax
[no] aaa port-access mac-based [e] port-list [quiet-period 1-65535]
Specifies the time period (in seconds) that the switch waits before processing an authentication request from a MAC address that failed authentication.
Default: 60 seconds
Specifying time period enforced on a client to re-authenticate
Syntax
[no] aaa port-access mac-based [e] port-list [reauth-period 0-9999999]
Specifies the time period (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the re-authentication occurs.
When set to 0, re-authentication is disabled.
Default: 300 seconds
Syntax
[no] aaa port-access mac-based [e] port-list [reauthenticate]
Forces a re-authentication of all attached clients on the port.
Specifying the period to wait for a server response to an authentication request
Syntax
[no] aaa port-access mac-based [e] port-list [server-timeout 1-300]
Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current max-requests value, the switch sends a new attempt or ends the authentication session.
Default: 30 seconds
Specifying the VLAN to use when authentication fails
Syntax
[no] aaa port-access mac-based [e] port-list [unauth-vid vid]
[no] aaa port-access mac-based [e] port-list [unauth-vid]
Specifies the VLAN to use for a client that fails authentication. If unauth-vid is 0, no VLAN changes occur. Use the no form of the command to set the unauth-vid to 0.
Default: 0
This feature allows administrators to configure custom messages that are displayed when authentication with the RADIUS server fails. The messages are appended to existing internal webpages that display during the authentication process. Messages can be configured using the CLI, or centrally using the RADIUS server, and can provide a description of the reason for a failure as well as possible steps to take to resolve the authentication issue. There is no change to the current web-based authentication functionality.
Syntax
[no] aaa port-access web-based access-denied-message <<access-denied-str> | radius-response>
Specifies the text message (ASCII string) shown on the webpage after an unsuccessful login attempt. The message must be enclosed in quotes.
The [no] form of the command means that no message is displayed upon failure to authenticate.
Default: The internal webpage is used. No message appears upon authentication failure.
access-denied-str: The text message that is appended to the end of the webpage when there is an unsuccessful authentication request. The string can be up to 250 ASCII characters.
radius-response: Use the text message provided in the RADIUS server response to the authentication request.
Configuring an access denied message on the switch
Output showing the custom access denied message
Access denied message when radius-response is configured
Unauthenticated clients can be assigned to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients, the port is blocked and no network access is available.
The following figure shows an example of the denied access message that appears when unauth-vid is configured.
Webpage configured access denied message when unauth-vid is not configured
The show running-config command displays the client’s information, including the configured access denied message.
Running configuration output displaying access denied message
Running configuration output when RADIUS response is configured
When a client’s MAC address is checked by the RADIUS server against the known list of MAC addresses, and the MAC address is not found, the client needs a way to quickly become registered through a web registration process. The HTTP Redirect feature provides a way for a client who has failed MAC authentication to become registered through a web/registration server. Only a web browser is required for this authentication process.
NOTE: The HTTP redirect feature cannot be enabled if web-based authentication is enabled on any port, and conversely, if HTTP redirect is enabled, web-based authentication cannot be enabled on any port. The web/registration server software is not included with this feature.
The unauth-redirect option must be configured with the registration server’s URL as a parameter before HTTP redirect operations can begin. The full URL must be used.
Syntax
[no] aaa port-access mac-based unauth-redirect
Configure the HTTP redirect registration server feature.
<redirect-URL-str>
Enables the HTTP redirect registration server feature by configuring the URL of the registration page. An entry can have either an IP address or a DNS name. Only one server can be configured.
NOTE: The entire URL must be used, including the “http://” or “https://” portion.
[restrictive-filter]
Enables the redirect server to only return a Warning or Information page.
[timeout <seconds>]
The time (in seconds) before a client in an unauthorized redirection state is removed from the state tables.
Range: 30-10800 seconds
Default: 1800 seconds
CAUTION: Rogue clients can attempt to access any webpages on the web/registration server via interface ports configured for MAC authentication.
- If the configured URL contains a domain name (as opposed to an IP address) the switch’s DNS resolver must be configured:
- The NAT does an IP route lookup before it sends the packet to the destination registration server. A VLAN must have been configured that allows the switch to access the registration server.
- The initial page, redirect server, and filter path configuration is per-switch.
Following are the steps involved in HTTP registration.
- When the redirect feature is enabled, a client that fails MAC authentication is moved into the unauthorized MAC authentication redirection state.
- A client in the redirect state (having failed MAC authentication) with a web browser open sends a DHCP request. The switch responds with a DHCP lease for an address in the switch configurable DHCP address range. Additionally, the switch IP address becomes the client’s default gateway. All ARP/DNS requests are handled by the switch and all requests are directed to the switch. The switch replies to these requests with its own address.
- The client requests a webpage. The switch takes this request and responds to the client browser with an HTTP redirect to the configured URL. The client MAC address and interface port are appended as HTTP parameters.
- Before returning the initial registration page to the client, the switch enables NAT so that all subsequent requests go to the web server directly. The initial HTML page is returned to the switch and then by proxy to the client.
- After the registration process completes, the registration server updates the RADIUS server with the client’s user name, password, and profile.
- The client remains in the redirect state until the client’s time exceeds the configured timeout or the switch receives an SNMP deauthentication request from the registration server.
- The registration server sends an SNMP request to the switch with the MAC identification and interface port to reauthenticate or deauthenticate the client.
- The switch moves the client out of the special web-based/MAC authentication redirect state and the client becomes unknown to the switch again. This sets the stage for a new MAC authentication cycle.
Diagram of registration process
The restrictive-filter option allows the switch to reply to all HTTP requests to the switch IP address with an HTTP-redirect containing the URL of the registration server. It is used when there is no registration process and only a warning or informational page is displayed to the client.
If SSL is not configured, the switch verifies that the MAC address and interface port parameters are present. If SSL is enabled, the switch ensures that the HTTP request is to the registration server’s destination IP address.
The show command displays the HTTP redirect configuration.
Show command displaying HTTP redirect configuration
The MIB variable hpicfUsrAuthMacAuthClientReauthenticateEntry in the hpicfUsrAuthMIB provides the capability to reauthenticate a specific MAC client on a port. The MAC address and port are required for SNMP reauthentication.
To reauthenticate a client using the CLI, use this command:
The keyword mac-addr specifies single client reauthentication. If the reauthenticate parameter is entered without the mac-addr keyword and MAC address, the command is executed as port reauthentication — all clients on a port are reauthenticated.
To configure the registration server URL, the command is:
Unconfiguring a MAC Authenticated registration server
Each configured registration server’s URL must be removed by specifying it exactly, for example:
Lock your apps with a password
and protect your data smartly.
With iLocker™ Mac, you can make your Mac not only even more safe but also more flexible if you share your Mac with others. iLocker™ Mac password-protects each app such as Apple Mail, Photos, Contacts, Safari, Games from unauthorized access.
You pick which apps will be protected, and iLocker™ Mac keeps them secure. It tracks failed attempts to access the protected apps - so you'll know when it happened with date and time.
The automatic exit feature locks the app after a period of time when you’re away from the keyboard to improve security.
There isn’t a more comfortable way to protect any app that you need. Just drag’n’drop your apps, click on the button, and don’t worry about anything.
Now you can unlock your Mac in an instant. Use Apple Pay to make secure online purchases. Quickly access system settings and locked notes. And even switch between users - all with the touch of a finger.
You can allow your children access to some apps like specific games, Safari, and more but not others like Apple Mail, Photos, your private files, or the system preferences.
iLocker™ allows users to share their computer or leave it unattended while being assured that sensitive apps and documents cannot be opened.
A smart invention against (un)known threats.
With the Deep Detective™ we have created an intelligent and versatile detective that observes all accesses to the macOS device – similar to an alarm system, a firewall or an Intrusion Detection System – only smarter.
Deep Detective™ permanently controls which process or program currently attempts to access the camera. Additionally, it reports known and, thanks to modern heuristic methods, also unknown attack attempts.
With iLocker™ you can set a schedule to unlock specific apps and to limit the time that each app is available. For example: After school (2:00-6:00pm) or not after 8:00 pm. And, best of all, it works automatically - even when you're not there.
Mac users are being warned about new variants of malware like ransomware and spyware that have been created specifically to target macOS.
Using the latest technology, the smart Deep Detective™ constantly monitors and protects critical system areas and your personal files and folders with an additional layer of prevention against Mac encrypting ransomware attacks like KeRanger, OSX/Filecoder, Mabouia/Ransomcrypt and more.
Supported Operating Systems for Software
- Mac OS 10.11 or higher (OS X El Capitan, macOS Sierra, macOS High Sierra, macOS Mojave, macOS Catalina)
Minimal Hardware Requirements
- Minimal system requirements of the operating system
- 70 MB free hard drive space
- Internet connection for updates and activation
- Compatible with all models of MacBook, MacBook Air, MacBook Pro, iMac, iMac Pro and Mac Pro
Languages
- English, German
- Securely protect Apps with a password
- Securely monitor personal data such as files and folders
- Allow children access to specific games and applications
- Set a schedule for each app or all apps to allow unblocked usage for specific days and times.
- Pop-Ups regarding security breaches
- Logfile protocol keeps tracking when someone tries to start protected apps.
- Deep Detective protection against known and unknown attack attempts incl. smart ransomware protection
- Supports Apple Touch ID on latest MacBook Pro.
- incl. 1 year technical support and free upgrades
- 24/7 Support by email