Using Macbook pro when I'm not supposed to in windows world




fibrizo
Jul 22, 2010, 10:55 AM
I apologize in advance if this isn't the right place for this topic.

Anyways at work, they do not allow Macs, only IT approved PCs. While it is against protocol, I just added a wireless router to the network jack that one of the pcs was connected to, and I connected my mac wirelessly and could use the internet and do work as I saw fit.

I know that it's against IT policies, if you plan to just lecture me, I already know lol.

The issue I'm having is that recently they've upgraded the internet security on the network. So if I sign in on the windows PC (network login) the internet on that PC works fine (it's connected to the router that gives me wifi). When I connect my mac to the ethernet line or via wifi, I can't access the internet, but I can load up intranet pages just fine, so it's connected to the network and can get access, but can't connect to the actual internet. It's the same with another windows PC that has a generic login (not to network): it will access the intranet but not the internet.

I suspect I need to authenticate somewhere with my user name and password, but I have no idea where to start.

Is what I am wanting to do impossible?



belvdr
Jul 22, 2010, 11:02 AM
There are so many things that could cause this; it's impossible to troubleshoot without intimate knowledge of the network.

You should really concentrate on just using your approved equipment.

InfoSecmgr
Jul 22, 2010, 01:16 PM
I apologize in advance if this isn't the right place for this topic.

Anyways at work, they do not allow Macs, only IT approved PCs. While it is against protocol, I just added a wireless router to the network jack that one of the pcs was connected to, and I connected my mac wirelessly and could use the internet and do work as I saw fit.

I know that it's against IT policies, if you plan to just lecture me, I already know lol.

The issue I'm having is that recently they've upgraded the internet security on the network. So if I sign in on the windows PC (network login) the internet on that PC works fine (it's connected to the router that gives me wifi). When I connect my mac to the ethernet line or via wifi, I can't access the internet, but I can load up intranet pages just fine, so it's connected to the network and can get access, but can't connect to the actual internet. It's the same with another windows PC that has a generic login (not to network): it will access the intranet but not the internet.

I suspect I need to authenticate somewhere with my user name and password, but I have no idea where to start.

Is what I am wanting to do impossible?

I'm not trying to lecture you, but as a tech manager and IAM (information assurance manager) I can tell you that they will find the rogue wireless point at some time in the near future. I understand that IT departments often have BS rules, etc etc. I would just try to find a solution that doesn't involve wireless. However, you are playing in a dangerous area where you can be terminated. Companies don't like having unauthorized IS's (information systems) in their buildings. People like to launch attacks that way. Anyway, companies usually control network access by MAC address, you wouldn't be able to logon anyway, even if you had a username and password.

Of course being an IAM I don't officially endorse trying to bypass the rules, etc ;)

bukalemun
Jul 22, 2010, 01:33 PM
Your IT department most probably started using MAC (Media access control) address authentication to enable only trusted PCs to access the internet. As every networking device has a MAC address that's unique to them, there is not much to do unless you find a way to imitate the MAC address of your PC on your Mac. If you can find a way to do it, a new problem will arise, which is your PC and Mac cannot coexist on the same network.

mr0c
Jul 22, 2010, 02:07 PM
Maybe there's a network proxy?

I know my new work requires one to view external pages (my old work had direct internet access, so no silly proxies or routing).

fibrizo
Jul 22, 2010, 08:03 PM
Your IT department most probably started using MAC (Media access control) address authentication to enable only trusted PCs to access the internet. As every networking device has a MAC address that's unique to them, there is not much to do unless you find a way to imitate the MAC address of your PC on your Mac. If you can find a way to do it, a new problem will arise, which is your PC and Mac cannot coexist on the same network.

I'm actually pretty sure they do not. Simply because the 2 computers in the back (which had not been updated properly to sign onto the windows network) can't get internet access either, but can access the intranet.

Also if I connect my macbook right to an ethernet jack, it hands me an IP normally and I can access the intranet web pages, but not things offsite. Also the router is cloning the MAC of a working PC that it is connected to, and it makes no difference. There may be something regarding a proxy I have to authenticate to however. Any idea where I might check on the working windows PCs to find out?

If it was mac filtering, I should be able to connect and get an ip right? (as far as my rudimentary understanding goes)

Thanks for the help/info so far guys, Any other ideas?

fibrizo
Jul 22, 2010, 08:11 PM
I'm not trying to lecture you, but as a tech manager and IAM (information assurance manager) I can tell you that they will find the rogue wireless point at some time in the near future. I understand that IT departments often have BS rules, etc etc. I would just try to find a solution that doesn't involve wireless. However, you are playing in a dangerous area where you can be terminated. Companies don't like having unauthorized IS's (information systems) in their buildings. People like to launch attacks that way. Anyway, companies usually control network access by MAC address, you wouldn't be able to logon anyway, even if you had a username and password.

Of course being an IAM I don't officially endorse trying to bypass the rules, etc ;)

Hehe, I would love to have a competent IT guy like you. Ours are unfortunately... well let's just say not the brightest bulbs.

Thank you for the concern though, even if I could run a Cat5 cable into the room to use it, (old old building built around 1890s-1900...) I still have the same issue as currently. ie I connect to the network but I can't get internet access even though it assigns me an IP and I can access intranet websites... because I need to figure out where I need to authenticate to get to the internet.

I'm rather skeptical they would terminate me, rather just be annoyed and report me to my superiors (who feel the same way about the IT people... who incidentally got upset when we purchased (with our own personal funds) our own more reliable printer and installed it... because they had to come by to bolt it down lol)

Les Kern
Jul 22, 2010, 10:37 PM
Don't be surprised if you are out of work after they find out. I'm an IT director, and you would be gone before your hard drive spun down to a stop. Brutal, but honest.

belvdr
Jul 23, 2010, 08:18 AM
Don't be surprised if you are out of work after they find out. I'm an IT director, and you would be gone before your hard drive spun down to a stop. Brutal, but honest.

Same here. We had someone bring down an entire building due to them recabling at their desk.

Again, I say just use the equipment you are approved to use. If you don't like it, quit and find a job that lets you use a Mac.

CorporateFelon
Jul 23, 2010, 10:44 AM
Same here. We had someone bring down an entire building due to them recabling at their desk.

Again, I say just use the equipment you are approved to use. If you don't like it, quit and find a job that lets you use a Mac.

Is your network that fragile?

Frosties
Jul 23, 2010, 11:17 AM
Macs pollute windows networks with files every time you open something in finder. You are on a countdown. And opening up the entire network with your wireless access point is just that: a reason to be terminated. I know I would kick you out.

belvdr
Jul 23, 2010, 11:18 AM
Is your network that fragile?

All networks are that fragile. Sure you can put in some preventative measures and we have, but sometimes things slip through. Also when you inherit a network that you don't fully control, things happen.

fibrizo
Jul 23, 2010, 12:09 PM
Well it's really no big deal. I can always Wimax it to do whatever I need to do anyways. I was just wondering, and hoping to gain a better understanding.

Again. I have stated before, it doesn't quite work like it does in the real world for business. I'm actually hoping that with the merger we get real IT people working on the stuff, as the other campus I'm on, actually has wireless, real security, and uses macs as well. (That entity is in the process of taking over operations). Thanks for all your concern.

If they really want to be concerned about security breaches, they'd actually set up the computers so all the dang secretaries couldn't download random crap and 100x toolbars that load on malware onto the computers and networks :)

jdstelljes
Jul 23, 2010, 01:28 PM
If adding 1 mac to an office network can take down the whole network then I would say the IT moron should be fired, not the guy who plugged in a mac. I hear so much ridiculous tripe from IT people it's astounding how un-real world they are, and that any business can run efficiently with some of these stupid rules.

ChaosAngel
Jul 23, 2010, 01:33 PM
Maybe there's a network proxy?

I know my new work requires one to view external pages (my old work had direct internet access, so no silly proxies or routing).

That would be my guess. Check your Internet Settings on your work machine for a proxy server or PAC file (it is probably being applied by GPO). You should then be able to add the correct proxy/port on your Mac.

This is however a complete guess and without additional information regarding your works network it is impossible to be accurate.

Makosuke
Jul 23, 2010, 02:06 PM
If adding 1 mac to an office network can take down the whole network then I would say the IT moron should be fired, not the guy who plugged in a mac.

Actually, I'm pretty sure people were saying that doing bad, unauthorized things to get around network restrictions can bring down a network, not a Mac specifically. While a Mac may be secure, if the connected device is not, or if it opens a point of attack inside the firewall, it could at the very least flood the network with traffic or max out the Internet uplink, if not try and do something more harmful. Or start broadcasting untoward DHCP packets, which can cause all manner of unhappiness (that's a common one when people misconfigure network sharing).

The IT guys can shut such a device down, but it's still annoying at minimum, harmful at worst. At a small company, with relatively simple network hardware, it can be even harder to deal with.
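
Added example, not part of the thread or any poster's own code: a defender-side check for the stray DHCP servers mentioned in the post above. It parses DHCP replies and reports any server identifier outside the sanctioned set; the AUTHORIZED set, the addresses and the sample packets are all constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"     # DHCP magic cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5               # option 53 message types that only a server sends
AUTHORIZED = {"10.0.0.5"}       # constructed value: the site's sanctioned DHCP server

def parse_dhcp(payload):
    """Return (op, msg_type, server_id, yiaddr) for a DHCP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    op = payload[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    msg_type = server_id = None
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        code = payload[i]
        if code == 0:                                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                    # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                                    # truncated option body
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:
            server_id = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return op, msg_type, server_id, yiaddr

def find_rogue_servers(payloads, authorized=AUTHORIZED):
    """Map each unauthorized server identifier to the addresses it handed out."""
    rogue = {}
    for payload in payloads:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        op, msg_type, server_id, yiaddr = parsed
        server_id = server_id or "unknown"
        if op == 2 and msg_type in (OFFER, ACK) and server_id not in authorized:
            rogue.setdefault(server_id, []).append(yiaddr)
    return rogue

def build_message(op, msg_type, server_ip, yiaddr):
    """Build a constructed DHCP payload for the sample data (not captured traffic)."""
    header = bytearray(236)
    header[0:4] = bytes([op, 1, 6, 0])               # op, htype=Ethernet, hlen=6, hops
    header[16:20] = ipaddress.IPv4Address(yiaddr).packed
    options = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_ip).packed
    return bytes(header) + MAGIC + options + b"\xff"

SAMPLE = [  # constructed: one sanctioned server, one consumer router left on its defaults
    build_message(2, OFFER, "10.0.0.5", "10.0.0.50"),
    build_message(2, OFFER, "192.168.1.1", "192.168.1.100"),
    build_message(2, ACK, "192.168.1.1", "192.168.1.100"),
    build_message(1, 1, "0.0.0.0", "0.0.0.0"),        # client DISCOVER, ignored
    b"\x00" * 10,                                     # too short to be DHCP, ignored
]

if __name__ == "__main__":
    for server, leases in find_rogue_servers(SAMPLE).items():
        print(f"unauthorized DHCP server {server} offered {sorted(set(leases))}")
```

Fed with UDP port 67/68 payloads from a monitoring port, the same function gives the network team the address of the offending device before users start picking up leases from it.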

WrQth
Jul 23, 2010, 02:56 PM
Sounds like internet access is determined at the user level, not machine level, which would explain why on your computer using your login you can get to the internet, whereas the 2 computers in the back that are using generic logins only get to the intranet. Why not the internet and just the intranet, you ask? Well, that is simple: the internet is where people do bad things, along with connecting hardware that can violate compliance with legal regulations when they shouldn't, and the intranet is controlled content that everyone in the company should be able to view, so why create additional security to control the internal site that is assumed to be safe from deviants.

wlh99
Jul 23, 2010, 05:49 PM
First thing, your wireless router probably has a port marked "WAN" or "Internet". When connected to a business network most people mistakenly connect that to the business network. Don't do that. All connections, to the wall, and to the computers need to be on the LAN side of the router. Don't plug anything into the WAN port.

Second, make sure DHCP is turned off on your wireless router.

Third, Macs don't always play well on PC networks. You might need IT's help to create a machine account on the domain controller or otherwise allow it.

But, most likely the first suggestion will fix it. I've seen that many times and the symptom is just what you describe, you can see the internal network, but not the internet.

The obligatory lecture (from an IT manager)
Many companies will terminate an employee on the spot no questions asked for installing a wireless router. Bringing in the Mac is a slap on the wrist, but the router is a very serious offense at many places. Then again, many places have an IT policy some attorney wrote and don't care what you do.

Mike Reed
Jul 23, 2010, 09:19 PM
Is there a particular reason you wish to use your Mac on the network? If it enables you to perform duties more efficiently than the provided computers you should let those responsible know why.

A general purpose IT department should be responsible for protecting company assets as well as enabling employees to work efficiently. If they are only focusing on half of the equation then they aren't really doing their job. Try and focus on the problem you are having, such as not having appropriate software to perform your job effectively instead of the solution (i.e. using your mac) when communicating with them. It's their job to leverage their knowledge and experience toward a solution.

Now that all the touchy-feely junk is out of the way, I freaking hate IT departments. My job isn't to worry about security, it's to get things done. Their job is to make our systems secure enough that I can't do anything remotely productive or useful toward getting things done. Am I exaggerating? Probably. Is it hypocritical of me to take a me vs. them stance while accusing them of the exact same thing? Absolutely. Do I care? Nope. :P

SidBala
Jul 24, 2010, 03:51 AM
Where I work, bringing macs or any personal laptops can get someone into a lot of trouble.

belvdr
Jul 24, 2010, 05:48 AM
First thing, your wireless router probably has a port marked "WAN" or "Internet". When connected to a business network most people mistakenly connect that to the business network. Don't do that. All connections, to the wall, and to the computers need to be on the LAN side of the router. Don't plug anything into the WAN port.

Since you cannot enable a DHCP server on the WAN port, why would you want to bypass that? Additionally, by plugging the LAN ports to the wall, your wall port may become disabled if bpduguard is enabled. This won't happen if you use the WAN/Internet port.

Les Kern
Jul 24, 2010, 08:06 AM
Is your network that fragile?

Nope, but it's MY network, not his.

satcomer
Jul 25, 2010, 10:06 AM
Wow just wow. You know it's people like you that there are these bad rules in place on your work network. This is a HUGE firing offense and you have just signed your own termination notice!

Stop now before someone sees you!

Winni
Jul 25, 2010, 10:27 AM
I apologize in advance if this isn't the right place for this topic.

Anyways at work, they do not allow Macs, only IT approved PCs. While it is against protocol, I just added a wireless router to the network jack that one of the pcs was connected to, and I connected my mac wirelessly and could use the internet and do work as I saw fit.

I know that it's against IT policies, if you plan to just lecture me, I already know lol.

The issue I'm having is that recently they've upgraded the internet security on the network. So if I sign in on the windows PC (network login) the internet on that PC works fine (it's connected to the router that gives me wifi). When I connect my mac to the ethernet line or via wifi, I can't access the internet, but I can load up intranet pages just fine, so it's connected to the network and can get access, but can't connect to the actual internet. It's the same with another windows PC that has a generic login (not to network): it will access the intranet but not the internet.

I suspect I need to authenticate somewhere with my user name and password, but I have no idea where to start.

Is what I am wanting to do impossible?


You, sir, are going to spend a lot of time on monster.com very soon.

But honestly, you should find yourself another job anyway - a place with such restrictions simply cannot be a fun place to work.

In any case, you should buy a UMTS/3G USB dongle with contract for your MacBook and be completely independent from any company network. But they still might not like the fact that you bring in your own computer to work. After all, you might be stealing company data or whatever other paranoid BS they might have in mind.

If you want to come to Germany, we're currently hiring. ;-)

northerngit
Jul 25, 2010, 01:17 PM
I'm actually pretty sure they do not. Simply because the 2 computers in the back (which had not been updated properly to sign onto the windows network) can't get internet access either, but can access the intranet.

Also if I connect my macbook right to an ethernet jack, it hands me an IP normally and I can access the intranet web pages, but not things offsite. Also the router is cloning the MAC of a working PC that it is connected to, and it makes no difference. There may be something regarding a proxy I have to authenticate to however. Any idea where I might check on the working windows PCs to find out?

If it was mac filtering, I should be able to connect and get an ip right? (as far as my rudimentary understanding goes)

Thanks for the help/info so far guys, Any other ideas?

Given you mention "old computers" not on the Windows domain, I would suggest they are using an ISA firewall, tied to Windows domain authentication. Either that, or RADIUS authentication via AD to an edge device restricting outbound traffic.

If so, they'll be logging - probably by default. One day, probably by accident, they'll see unauthorised access attempts...

belvdr
Jul 25, 2010, 01:31 PM
After all, you might be stealing company data or whatever other paranoid BS they might have in mind.

Because stealing company data or using company data on an unauthorized machine isn't a big deal. Why should they care?

InfoSecmgr
Jul 25, 2010, 07:04 PM
Hehe, I would love to have a competent IT guy like you. Ours are unfortunately... well let's just say not the brightest bulbs.

Thank you for the concern though, even if I could run a Cat5 cable into the room to use it, (old old building built around 1890s-1900...) I still have the same issue as currently. ie I connect to the network but I can't get internet access even though it assigns me an IP and I can access intranet websites... because I need to figure out where I need to authenticate to get to the internet.

I'm rather skeptical they would terminate me, rather just be annoyed and report me to my superiors (who feel the same way about the IT people... who incidentally got upset when we purchased (with our own personal funds) our own more reliable printer and installed it... because they had to come by to bolt it down lol)

Yeah I doubt they would outright fire you, a warning perhaps. Let us know how it works out :)

lkirkup
Jul 26, 2010, 03:05 AM
Macs pollute windows networks with files every time you open something in finder. You are on a countdown.

open up a terminal and type in

defaults write com.apple.desktopservices DSDontWriteNetworkStores true

and you will no longer leave these "traces" on the network.

Supa_Fly
Jul 26, 2010, 06:45 PM
@fibrizo,

By chance are you located in Ontario working for said provincial government?! Around the same day not 1 but 2 users connected an Airport Extreme router and a Mac (probably a MacBook Pro) to the network. MAC was definitely the trigger and boom Telus who manages the network routers/switches had ITSecurity create a ticket and bingo what was one I had to call user up on. He knew what he was up to as well. Funny thing is Telus/IT Security gave the ok to cut-off LAN at clients desk - which means a cost to activate it again gets Manager & Director notification - not something you want for a measly $154 one-time cost that could've been avoided. Oh well, nice to know a few Mac users out there manage Windows networks and are really frugal about allowances.