Block Student Laptops

[karldenton]

OK.
Some bright student has found out the IP address of our proxy server (internal).
We're not happy with them using the internet on weekends and evenings via their laptops.
I can secure the Wifi points so they can't connect via them. Is there a way to block them having access when plugged in? Can find out the MAC address if need be.
Many thanks.
PS - Not using ISA

[rad]

The MAC address would be the only way to definatly block them and lock the Wireless.

Only way they can get on again is by using another laptop.

[karldenton]

How can your block with MAC Address?

[FN-GM]

Im lost here, why does it matter if they have your proxy server IP? Surely a WIFI key would sure the problem of them getting an internet connection.

[karldenton]

Yeah but some decide to plug in too with patch cable !!

Looking for a FREE way if possible to block both

[FN-GM]

Is it a boarding school? Are you using ISA?

[karldenton]

Yes its a boarding school and no we're not using ISA.
We're using Avantis ContentCache

[srochford]

The MAC address would be the only way to definitely block them and lock the Wireless.

Only way they can get on again is by using another laptop.

Or they could just sniff the traffic using wireshark, find a MAC address which does work and set their MAC address to match. Quite a few network card drivers allow you to specify the MAC address you want to use (eg my laptop has a Broadcom and there's a simple option in Windows to just enter an address)

A few things I can think of; 802.1x authentication on your switches could block access (it might take time to set up but if you already have a Radius server it's probably not too hard). If you can specify times on the proxy server when certain users are allowed then that might be an easy way (ISA does this which doesn't help; pretty sure you can do it with Squid)

[FN-GM]

What content filter do you have?

You could find the mac of the laptop and give it a dummy address in DHCP.

[karldenton]

Another thread on here says that you can block the MAC address in dhcp so PC Doesn't pick up an IP?

Content Filter provided by ISP and a bit via the ContentCache.

[Michael]

It's difficult as there's no 'real' way to stop this. DHCP was designed to seek and allocate an IP to any device it finds. In saying that, you could schedule DHCP server to stop and then restart an hour before you get into work

Code:

@echo off
net stop "DHCP Server"
Exit

Code:

@echo off
net start "DHCP Server"
Exit

This wouldn't stop them entering a static IP however. You could also put a Power Timer on all switches so they power off, apart from your core switch with your servers and admin workstations. This would definitely sort them out

[FN-GM]

Even better setup something on your proxy to power it down and up again. A script to disable the NIC and start it again.

If you had ISA you could configure it so only machines in AD and use the internet.

[Fraser-09]

What about blocking your proxy server internet access in your firewall outside school hours.

This would block everyone's internet so it's prob not the solution your after!

[tom_newton]

1. Get a proxy/filter which has AD authentication
2. Set a rule banning 'net access for students and the terminally unauthenticated after 10pm or what have you
3. job done

[GrumbleDook]

If you want to be horrible then you could have DHCP running but all clients are assigned a reserved IP based on MAC address, the remainder of the scope passes it to a different gateway ... one that goes nowhere.

They get an address and gateway but it buggers them up for a bit ... just a bit of an inconvenience but every bit that is another layer of annoyance is fun.

As mentioned previously, AD assigned authentication internally would work on a filter (AD authentication of client on teh domain as well as the user)