block Apple products (ipods and iphones ) on wireless

[bart21]

hi

is there any way of denying apple products as listed above on to the wireless network.

the kids keep connecting with them and it then disconnects the teacher laptops in that area.

the network is secured with peap authenticated on a radius server, but they just use their domain login name to get on.

i haad thought of certificate security but know little about this.

is there any easy way to ban the mac address?

i dont really want to have to type it into every ap as we have nearly 50

Does anyone else have this problem?

thanks

nick

[FN-GM]

Can you give a little background on your Wireless system?
Is it managed? What make?

[sted]

simplest way (sort of) would be to only allow computers with known mac ids connect to the wireless but it would mean tracking down the mac address of every authorised pc/laptop etc and adding it to shitelist and if its not a managed wireless system adding a potentially large list of stations to a large list of aps

[FN-GM]

simplest way (sort of) would be to only allow computers with known mac ids connect to the wireless but it would mean tracking down the mac address of every authorised pc/laptop etc and adding it to shitelist and if its not a managed wireless system adding a potentially large list of stations to a large list of aps

I would do this as well as your Encryption not instead of.

Z

[Dos_Box]

simplest way (sort of) would be to only allow computers with known mac ids connect to the wireless but it would mean tracking down the mac address of every authorised pc/laptop etc and adding it to shitelist and if its not a managed wireless system adding a potentially large list of stations to a large list of aps

The easiest way of doing this is to download either use Spiceworks or downlaod the free 30 day trial of NetSupport Manager DNA. This will list all Mac adresses of clients and NetSupport DNA will allow you export this list to CSV etc.

[FN-GM]

The easiest way of doing this is to download either use Spiceworks or downlaod the free 30 day trial of NetSupport Manager DNA. This will list all Mac adresses of clients and NetSupport DNA will allow you export this list to CSV etc.

Thanks for the tip. I always thought you had to install a client for NetSupport DNA

[sted]

I would do this as well as your Encryption not instead of.

Z

well yes if for no other reason than it saves going round changing wireless settings on computers

[AngryITGuy]

simplest way (sort of) would be to only allow computers with known mac ids connect to the wireless but it would mean tracking down the mac address of every authorised pc/laptop etc and adding it to shitelist and if its not a managed wireless system adding a potentially large list of stations to a large list of aps

Agreed you could lock down connectivity to the wireless network by adding the MAC address of known machines to the APs in question. If the wireless isn't managed its going to take a while to do considering you have 50 APs.

An alternative solution and one we have depolyed here is to use the MacFilterCallOut DLL on your DHCP server.

Its a DLL released by the Microsoft DHCP Team that will allow you to either allow or deny a specific set of MAC addresss to obtain an IP address from DHCP.

Easier to manage in theory as its only implemented on one device on your network, the allow or deny list of MAC addresses is a basic text file of MAC addresses which you can create by exporting the leases from you DHCP server.

Details can be found here

Rather than having an allowed list you could deny the problematic Apple products on your network assuming you know the MAC addresses for them if you want to put something in place quickly on your network.

Hope this helps.

[AngryITGuy]

The easiest way of doing this is to download either use Spiceworks or downlaod the free 30 day trial of NetSupport Manager DNA. This will list all Mac adresses of clients and NetSupport DNA will allow you export this list to CSV etc.

Unless I am missing something here I am sure it would be easier to just export the list of DHCP leases from the DHCP server assuming one exists on the school network?

This gives you an output containing client name, IP and MAC address. Assuming bart21 has the names of all authorised devices on the network he should be able to filter out the rogue devices.

[sted]

Unless I am missing something here I am sure it would be easier to just export the list of DHCP leases from the DHCP server assuming one exists on the school network?

This gives you an output containing client name, IP and MAC address. Assuming bart21 has the names of all authorised devices on the network he should be able to filter out the rogue devices.

only slight issue with that is you may end up adding a pc twice once its wired connection and once its wireless

[AngryITGuy]

only slight issue with that is you may end up adding a pc twice once its wired connection and once its wireless

Good point, I thought there was something I was missing.

[DMcCoy]

I've not tried, but it could be worth looking at creating a deny rule in radius that matches the client vendor.

[sted]

Good point, I thought there was something I was missing.

i dont see it as a major problem though really just means a list thats longer than needs be and could be paired down if you know all your wireless cards are intel say than if the first 4 digits say broadcom it should be a wired card

[Oops_my_bad]

Unfortunately using whitelists/radius etc will not work.

There is something very wrong with Apple's implementation of wireless which (not intentionally?) causes a denial of service to certain vendors access points when they try to connect, which also explains why your teacher laptops are being disconnected when these ipods/phones connect. Your access point is spazzing out.

[computer_expert]

is there a wildcard function that will allow you to block the Apple [ame="http://en.wikipedia.org/wiki/Organizationally_Unique_Identifier"]OUI[/ame]?

ie. block 00:25:4B:**:**:** and it should block all Apple devices connecting just like blocking *.bbc.co.uk in a url filter would block the entire BBC range of subdomains?

edit: i'm talking about MAC addresses here just incase anyone wonders