Quote: Originally Posted by Rathji
Why don't you use the arp table to find out the IP address associated with the MAC address?
At the command line, in Windows it's arp -a, and I think Linux/Mac would be a simple arp with no arguments passed. Run it on the CLI of the machine that is locking them out (although other machines may work).
This is a good suggestion, assuming though that you are on the same subnet as the devices, and also assuming you've pinged the broadcast address for the subnet first.
Since he's talking about accounts getting locked out, and possibly Apple mobile devices, I'm guessing we're dealing with Exchange here, in which case he could also check the IIS logs on the Exchange box to find the IPs of the machines making bad requests that are denied due to authentication (a 403, I guess?). iPhones and iPads would be talking to the Activesync virtual directory, and Outlook 2011 clients and/or the Mac Mail/Calendar/iCal clients would be accessing the EWS virtual directory. Outlook 2008 and lower clients on Mac access Exchange via the OWA virtual directory, since they are essentially emulating OWA access on behalf of the user.
You could also look in your DHCP reservation tables to find the DHCP lease that the Apple device has - this will definitely contain the IP to MAC association, and running something like "netsh -c dhcp server scope xxx.xxx.xxx.xxx show clients" on your DHCP server should do the trick I think.
It would not surprise me at all if you discover it's iPhones and/or iPads that are causing the lockouts - it seems to me that the devices will make multiple attempts with an incorrect password before informing the user that the password is wrong. It's also tricky from an end-user perspective since the devices will continue to function for some time after a password change, at least for the duration of the Activesync HTTP keepalive (20 minutes, I believe, by default), or however long the Information Store on Exchange keeps cached credential info (which is also 20 minutes by default I think), so users often forget to update their devices after a password change, since they are still working for some time afterwards.
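As an added illustration of the IIS-log approach described above (this is example code written for this page, not something posted in the thread), the script below parses IIS W3C extended log lines from an Exchange front end, keeps only denied requests against the ActiveSync, EWS and OWA virtual directories, and groups them by client IP so the offending device can be tied back to a DHCP lease or ARP entry. The log lines are constructed; the virtual-directory paths are the usual Exchange defaults, and the script treats 401 as the denied status (403 is included as well, since the post mentions it). For ActiveSync the mailbox is read from the User= query parameter, because cs-username is "-" on a rejected request.

```python
"""Count denied Exchange client requests per IP in IIS W3C logs.

Added example for this page; the log lines below are constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs

# Virtual directories named in the thread: ActiveSync (iPhone/iPad), EWS
# (Outlook 2011, Mac Mail/iCal) and OWA (Outlook 2008 and earlier on Mac).
EXCHANGE_VDIRS = ("/microsoft-server-activesync", "/ews", "/owa")

# 401 is what IIS returns for rejected credentials; 403 is included because
# the thread mentions it as a possibility.
DENIED_STATUSES = {"401", "403"}

# Constructed sample in IIS W3C extended format (spaces in user agents are '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-05-02 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=APPL0001&DeviceType=iPhone&Cmd=Ping 443 - 10.0.1.42 Apple-iPhone4C1/1002.329 401 2 5
2013-05-02 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=APPL0001&DeviceType=iPhone&Cmd=Sync 443 - 10.0.1.42 Apple-iPhone4C1/1002.329 401 2 5
2013-05-02 08:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=APPL0001&DeviceType=iPhone&Cmd=FolderSync 443 - 10.0.1.42 Apple-iPhone4C1/1002.329 401 2 5
2013-05-02 08:00:10 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\jsmith 10.0.1.77 MacOutlook/14.2.0+(Intel+Mac+OS+X+10.7.5) 401 1 0
2013-05-02 08:00:15 10.0.0.5 GET /owa/ - 443 - 10.0.1.90 Mozilla/5.0+(Macintosh)+Entourage 401 2 5
2013-05-02 08:00:20 10.0.0.5 POST /Microsoft-Server-ActiveSync User=mlee&DeviceId=APPL0002&DeviceType=iPad&Cmd=Sync 443 CORP\\mlee 10.0.1.99 Apple-iPad2C1/1002.329 200 0 0
2013-05-02 08:00:25 10.0.0.5 POST /Autodiscover/Autodiscover.xml - 443 - 10.0.1.55 Microsoft+Office/14.0 401 2 5
this line is malformed and must be skipped
"""


def parse_w3c(text):
    """Yield one dict per data line, using the column names from #Fields."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")
        # Skip lines seen before a header or with the wrong column count,
        # rather than silently misaligning columns.
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def user_from_row(row):
    """cs-username when present; otherwise the ActiveSync User= query value."""
    name = row.get("cs-username", "-")
    if name != "-":
        return name
    query = parse_qs(row.get("cs-uri-query", ""))
    return query.get("User", ["-"])[0]


def is_denied_exchange_request(row):
    """True for a denied request against one of the Exchange client vdirs."""
    uri = row.get("cs-uri-stem", "").lower()
    return row.get("sc-status") in DENIED_STATUSES and uri.startswith(EXCHANGE_VDIRS)


def summarise_by_client(text):
    """Map client IP -> counts plus the users, agents and vdirs seen for it."""
    summary = defaultdict(
        lambda: {"count": 0, "users": set(), "agents": set(), "vdirs": set()}
    )
    for row in parse_w3c(text):
        if not is_denied_exchange_request(row):
            continue
        entry = summary[row["c-ip"]]
        entry["count"] += 1
        entry["users"].add(user_from_row(row))
        entry["agents"].add(row.get("cs(User-Agent)", "-"))
        entry["vdirs"].add(row["cs-uri-stem"].lower().split("/")[1])
    return dict(summary)


def flag_lockout_sources(text, threshold=3):
    """Return [(ip, denied_count)] for clients at or above threshold, busiest first."""
    hits = [
        (ip, entry["count"])
        for ip, entry in summarise_by_client(text).items()
        if entry["count"] >= threshold
    ]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, entry in sorted(summarise_by_client(SAMPLE_LOG).items()):
        print(ip, entry["count"], sorted(entry["users"]),
              sorted(entry["vdirs"]), sorted(entry["agents"]))
    print("flagged:", flag_lockout_sources(SAMPLE_LOG))
```

The threshold is deliberately low for the sample; against a day of real logs you would raise it to sit just under the domain's lockout threshold, and the user-agent and DeviceType values in the summary are what let you tell an iPhone retrying a stale password apart from a desktop client.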