  1. #1


    Collecting MAC details of users with Ruckus ZD

    I've just replaced our ageing wifi with a Ruckus system of 1100 controller and 7636 APs.

    We've 100+ school-owned devices out there but never before had access control and need to implement this. With that number of devices to get through is there an easy way of collecting data on everything that attaches to the network over the next month say, and use this as the basis for the access control list?

    The ZD is running 9.4 at the moment to be updated shortly.

  2. #2

    SYNACK's Avatar
    MAC-based ACLs are pointless as you can get around them in seconds; you want to use the WPA2 BYOD solution that they have where they sign up with their credentials and get a per-user WPA key or another auth solution for school-owned devices.

  3. #3

    This is for 100 plus school-owned devices rather than BYOD.

    Various problems exist, not least of which is my lack of knowledge, and IT Techs' lack of capacity to locate all the devices in the building and set them up individually.

    My way of thinking was that any device that hadn't got onto the WLAN in four weeks wasn't worth worrying about (for example we have two members of staff off on maternity leave at the moment). I was hoping that any device that had gained access might be recorded somewhere, maybe exported as .csv and re-imported as an ACL.

    Incidentally if MAC based ACLs are pointless, what is the solution bearing in mind we have a wide variety of equipment, some of which does not even have WPA2?

  4. #4

    SYNACK's Avatar
    Quote: Originally Posted by catch21
    Incidentally if MAC based ACLs are pointless, what is the solution bearing in mind we have a wide variety of equipment, some of which does not even have WPA2?
    Wind up the security as high as it will go on the devices, if needs be have separate SSIDs with different authentication methods so that you can use decent encryption on devices which can.

    WEP is cracked and will give you comparably little protection, WPA with TKIP is compromisable and anything that supports WPS is compromised. WPA with AES or better WPA2 are alright at this stage.

    You should probably look at ditching or upgrading stuff that can't support WPA at the least if you want a somewhat decent level of security.

    If you don't have such skills in house and there is not a suitable person that can get up to speed it may be best to get the people who installed or supplied the wireless gear to come in and help you set it up.

  5. Thanks to SYNACK from:

    catch21 (17th February 2013)

  6. #5

    So essentially all I can do is what I am doing at the moment, i.e. WPA and WPA2?

    I feel that once the passphrase is out in the open which is only a matter of time, any child can come along with their own device and get onto the network?

    I'm not trying to build Fort Knox, just a garden shed with hinges bolted through, a decent padlock and maybe a battery operated alarm. Just enough to deter the opportunist and maybe slow someone down.

    I'm guessing MAC addresses can be spoofed and possibly intercepted to make finding a valid one easier but if someone is that determined they're going to get in somehow.

  7. #6


    Use Radius for your authentication and WPA2 for your encryption.

    The Ruckus kit supports an external Radius server to handle authentication and any old Windows server can provide said Radius function.

    In fact, if there isn't a plethora of How-Tos on doing exactly that available from Ruckus, I'll be very disappointed in them.

    Combined with Network Access Control (works with NPS on Windows - Radius functionality is in NPS from Server 2008 onwards) or PacketFence, you're pretty much done.

    Using passphrases is asking for a resume-generating-event.

  8. Thanks to pete from:

    catch21 (17th February 2013)

  9. #7

    FN-GM's Avatar
    Are the clients all Windows machines?

  10. #8

    Not all devices will be Windows. I do want to (safely) open up a staff BYOD SSID for internet-only access plus a guest pass system for bona-fide visitors on a guest SSID. It will predominantly be Windows but also Android and Apple devices.

  11. #9

    FN-GM's Avatar
    Why would you set up an access control list for BYOD?

  12. #10

    Because I want to limit it to staff only, rather than have a free-for-all with 500 kids and potentially a couple of hundred parents at any one time.

    This basically shows my lack of knowledge I appreciate, but how else do we retain some sort of control over who is getting onto our network and using our internet access?

    Sorry, just edited to add: not everybody knows everything about everything. Y'all seem to be getting cross with me for being a bit clueless.
    Last edited by catch21; 15th February 2013 at 10:38 PM.

  13. #11

    FN-GM's Avatar
    If that's the case you would be better off setting up some kind of captive portal.

  14. Thanks to FN-GM from:

    catch21 (17th February 2013)

  15. #12

    localzuk's Avatar
    Whilst the advice about security is good, you have to approach it from a risk assessment point of view. Sure, MAC based auth is easy to get around, but would your kids know about it? Would they have the skills or knowledge to get around it?

    You also want to keep things simple from a management and deployment POV.

    A captive portal is ideal for BYOD, but you also want to make sure you're using some form of encryption too - you don't want your packets being sniffable.

    For internal devices, a captive portal would be a hindrance from an 'accessing server resources' point of view, as they'd have to log in a couple of times before they could get to what they want on network shares etc... Instead, I'd be looking at some form of device authentication for this - either MAC based, or something like 802.1X via radius etc...

    It's all about risk management - what is most likely, what is manageable, what is affordable and what is it you want who to access and be prevented from accessing.

  16. Thanks to localzuk from:

    catch21 (17th February 2013)

  17. #13
    morganw's Avatar

  18. #14

    Thanks for the help. I should have explained myself better. I intend to have 3 types of access:

    1) School-owned devices (internet, printers, file servers etc) MAC acl, WPA/WPA2
    2) Staff-owned personal devices (internet only) MAC acl, WPA2
    3) Guest devices (internet only) via Captive Portal, no encryption

    I was trying to build the MAC lists easily for 1).

    But now I see, should I care about guest packets being sniffed?

  19. #15

    glennda's Avatar
    To collect MAC addresses shouldn't be too hard - you could probably knock up a script for startup which posts the contents of ipconfig /all to a text file on the file server. I can't remember how in batch you get it to append the same text file though. You should then be able to do a bit of magic in Excel to get a list of only the MAC addresses.

    For the Guest SSID I would expect the Ruckus system (I'm sure it has) has a feature in which only guests can see the default gateway for internet and nothing else (not any other clients) for added security.

    For the Staff System I would set it up so that it uses AD-based auth requesting a username and password.

  20. Thanks to glennda from:

    catch21 (17th February 2013)
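
The collection approach from post #15, as an added example that is not part of the original thread: it parses a shared text file built from appended `ipconfig /all` output, keeps only wireless adapters, de-duplicates repeat boots, and flags locally administered addresses that will not match the hardware MAC. The share path, sample data and CSV columns are assumptions for illustration, not a Ruckus import format.

```python
import csv
import io
import re

# In a batch startup script, >> appends rather than overwrites, e.g.
#   ipconfig /all >> \\fileserver\share\wifi-inventory.txt   (hypothetical path)
# Constructed sample: the file after two boots of one laptop and one of a tablet.
DUMP = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : {host}
Wireless LAN adapter Wireless Network Connection:
   Physical Address. . . . . . . . . : {wifi}
Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : {wired}
"""
SAMPLE = (DUMP.format(host="LAPTOP-01", wifi="00-24-D7-AA-BB-01", wired="00-1E-4F-AA-BB-02") * 2
          + DUMP.format(host="TABLET-07", wifi="02-1A-2B-3C-4D-5E", wired="00-1E-4F-AA-BB-03"))

HOST_RE = re.compile(r"^\s*Host Name[ .]*:\s*(\S+)", re.I)
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$", re.I)
MAC_RE = re.compile(r"^\s*Physical Address[ .]*:\s*((?:[0-9A-F]{2}-){5}[0-9A-F]{2})\s*$", re.I)

def parse_inventory(text):
    """Return {mac: hostname} for wireless adapters only, first sighting wins."""
    seen, host, adapter = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, adapter = m.group(1), None      # a new dump starts here
        elif m := ADAPTER_RE.match(line):
            adapter = m.group(1)                  # section header, e.g. "Ethernet adapter ..."
        elif (m := MAC_RE.match(line)) and adapter and "wireless" in adapter.lower():
            seen.setdefault(m.group(1).replace("-", ":").lower(), host)
    return seen

def locally_administered(mac):
    """True when the locally-administered bit (0x02) of the first octet is set."""
    return bool(int(mac[:2], 16) & 0x02)

def to_csv(inventory):
    """Render the inventory as CSV text, sorted by MAC, for review before any import."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["mac", "hostname", "locally_administered"])
    for mac in sorted(inventory):
        writer.writerow([mac, inventory[mac], locally_administered(mac)])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(parse_inventory(SAMPLE)), end="")
```

The parser matches English-language `ipconfig` labels only; non-Windows devices will not appear in a file collected this way.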
