zag

Banning Ipods, Blackberries, Androids, home laptops from your School network

zag

, 10th November 2010 at 11:54 AM (5018 Views)

I recently had a problem where we were running low on IP addresses. I looked in DHCP and had about 655 active leases over the last 7 days. Now I'm pretty sure I don't have that many devices in the entire school! It turns out that there were a large amount of IPhones and other unauthorized mobile devices attached to our wireless. I guess the kids managed to find out the wireless key again!

There are a number of solutions to this problem, the most obvious is to change our wireless key regularly but I wanted a little more control over who actually connects to our network. I also looked into installing a radius server on our managed wireless but that looked like far too much effort for such a simple problem. Surely I could just ban the MAC addresses of these devices in DHCP.

Unfortunately its not that easy, I looked into DHCP and found out that pre 2008 R2 domain controllers could not filter by MAC address from the server. Shortly after that I was pointed to this page that provides a surprisingly easy solution

DHCP Server Callout DLL for MAC Address based filtering - Microsoft Windows DHCP Team Blog - Site Home - TechNet Blogs

Quick Instructions

Run the 32bit MSI on your domain controller

Browse to windows >> system32 >> dhcp

Edit the maclist.txt file

Manually type in some addresses in this format (you can get the mac address from DHCP, its the Unique ID)
Code:
#MACList.txt
MAC_ACTION = {DENY}
#List of MAC Addresses:
00334b141c32     #blahblah-Touch
34339e45190a     #blahblah-iphone
Now simply restart your DHCP server in services and it should start denying all those devices. Easy!

Tags: ban, dhcp, security

Categories: Uncategorized

Email Blog Entry

« Prev Main Next »

Comments

FN-GM - 10th November 2010 12:07 PM
Also if your running out of IP's change your lease time this will help. Ours is set to 8 hours.
Jamman960 - 11th November 2010 03:25 PM
Wonder if it supports wildcards, if so and you don't have any other apple hardware knocking about you could get away with banning their OUI ranges- IEEE Registration Authority - IEEE OUI and Company_id Assignments

I'd guess some of the other devices may use other popular nics that could conflict with genuine machines
simpsonj - 12th November 2010 02:57 PM
Very useful, been meaning to look into this problem before it gets out of hand!
simpsonj - 12th November 2010 05:48 PM
Just a heads up that when I tried to use this, my DCHP server no longer gave out IP addresses. A strong possibility that I messed up somewhere along the line, but thought it worth a mention.

Also worth mentioning is that this capablility is inbuilt into Windows Server 2008R2, so I might shift my DHCP server onto that...

Updated 12th November 2010 at 05:48 PM by simpsonj (Typo!)
RichCowell - 17th November 2010 03:59 PM
I discovered this solution elsewhere, but it works perfectly, and well worth implementing! Took a while to trawl through initially and get all the various devices added to the list, then it's just a case of checking every so often as they bring in new devices...

Dead simple, ideal solution!
zag - 17th November 2010 04:51 PM
Yep 3 days in now and this has made our network so much more secure and fast.

Great improvement.

I check it once a week and add the few mac addresses that are new. I just gives me so much more control.
RichardGumbo - 22nd November 2010 08:58 PM
I have to comment on a blog as part of an I.T assignment so am doing just that. Sorry to be a nuisance. As you were...
simpsonj - 11th February 2011 11:16 AM
Definately my mistake, the MACList.txt can either be a Allow list, in which only the machines specified on the list are allowed a IP address, or a block list, which blocks all machines specified on the list. First time I tried this, I had both, which didn't work at all well!