[dalsoth]

Not sure if this is the right forum for this q. Anyone know a method to stop students and staff connecting Ipods to the school system? I checked through DHCP addresses today and there were perhaps 30+ Ipod devices with IP addresses and now i am starting to see students personal netbooks appear too along with other mobile phone devices.

I will not be able to force staff to stop students doing this as the staff are a joke and do not monitor kids in rooms or the library or the post16 area. I know of Packetfence but have never used it. Is this the only solution that is cost free? If so, do i need to add every mac address into Packetfence or are there other ways to get it to block rogue devices? Is packetfence a pain to set up and configure? I do not wish to go static IP so that is not an option with my workload and staff numbers.

Any advice is appreciated. Thanks.

[nephilim]

switch everyone to static IP addresses, and change your WEP key. If people know it then there is a problem.

[localzuk]

Security through obscurity will not work (eg. static IP addresses).

802.1X looks like it would be your friend here. Or at least some form of Mac based filtering (which isn't 100% secure though).

As these are iPods, i'm guessing they are wirelessly connecting - what wireless system do you have?

[dalsoth]

We have a Trapeze Radius set up and we do not have a default gateway published through DHCP either. Students are not even given a guest pass for the wireless as i do not want them connecting to our system with any non school device.

We have an ISA that only accepts http through our proxy servers. I doubt they are actually getting on the internet with them but perhaps they are plugging them into computers which is pulling a DHCP address from the server. I do not want loads of Ipods stealing my leases even though they will expire. It is annoying really more than an actual problem.

As i said in the original post. I do not want to go static ip, was wondering if there were another solution. I will obviously look at Packetfence but at this rate i will end up with a hundred servers doing different things and no time to update and manage them all.

Thanks for the replies.

[plexer]

Microsoft Windows DHCP Team Blog : DHCP Server Callout DLL for MAC Address based filtering

Try that.

[Iain]

There are a couple of options mentioned in this thread too: http://www.edugeek.net/forums/securi...ng-network.htm

[sidewinder]

We're getting this too - we have Aruba wireless, no-one can connect without being a member of a specified domain security group and having a certificate installed on the PC....except that is, for ipods and macs, the cert seems to auto install for them when they try and connect, and they can then get internet access. Really annoying

[dalsoth]

Have tried that DLL thing linked above on the server to block certain macs. I do not want the hassle of adding everything to an allow list so i have just picked the macs from DHCP and added them to a deny using that dll and text file from that page. Restarted DHCP and i can see from the text log that the ones i specified are being denied. I hope this is actually working. Time will tell. Thanks for the linkys guys.

[plexer]

Just use the deny setting then all you have to add is the macs of the devices you wish to deny.

Ben

[enjay]

A free but not fool-proof option is to add all unused IPs to an exclusion range. This will prevent devices getting numbers from DHCP, but won't stop them if they happen to pick a valid unused one and add it manually, so it isn't perfect but it does at least stop the casual attempts.

[GoldenWonder]

I got sick of this as well and spent a little time putting mac filters on our ruckus system

A bit of work, but surprisingly less devices used the wireless than I thought. Bit of a pain keeping it up to date but you have a better idea of whats using your wireless then.