
Block Apple products (iPods and iPhones) on wireless



Posted

hi

 

Is there any way of denying Apple products, as listed above, onto the wireless network?

 

The kids keep connecting with them and it then disconnects the teacher laptops in that area.

 

The network is secured with PEAP authenticated on a RADIUS server, but they just use their domain login name to get on.

 

I had thought of certificate security but know little about this.

 

Is there any easy way to ban the MAC address?

 

I don't really want to have to type it into every AP as we have nearly 50.

 

Does anyone else have this problem?

 

thanks

 

nick

Posted
Simplest way (sort of) would be to only allow computers with known MAC IDs to connect to the wireless, but it would mean tracking down the MAC address of every authorised PC/laptop etc. and adding it to a whitelist, and if it's not a managed wireless system, adding a potentially large list of stations to a large list of APs.
  • Thanks 1
Posted
Simplest way (sort of) would be to only allow computers with known MAC IDs to connect to the wireless, but it would mean tracking down the MAC address of every authorised PC/laptop etc. and adding it to a whitelist, and if it's not a managed wireless system, adding a potentially large list of stations to a large list of APs.

 

I would do this as well as your encryption, not instead of.

 

Z

  • Thanks 1
Posted
Simplest way (sort of) would be to only allow computers with known MAC IDs to connect to the wireless, but it would mean tracking down the MAC address of every authorised PC/laptop etc. and adding it to a whitelist, and if it's not a managed wireless system, adding a potentially large list of stations to a large list of APs.

 

The easiest way of doing this is to either use Spiceworks or download the free 30-day trial of NetSupport Manager DNA. This will list all MAC addresses of clients, and NetSupport DNA will allow you to export this list to CSV etc.

  • Thanks 1
Posted
The easiest way of doing this is to either use Spiceworks or download the free 30-day trial of NetSupport Manager DNA. This will list all MAC addresses of clients, and NetSupport DNA will allow you to export this list to CSV etc.

 

Thanks for the tip. I always thought you had to install a client for NetSupport DNA.

  • Thanks 1
Posted
I would do this as well as your Encryption not instead of.

 

Z

 

Well yes, if for no other reason than it saves going round changing wireless settings on computers.

  • Thanks 1
Posted
Simplest way (sort of) would be to only allow computers with known MAC IDs to connect to the wireless, but it would mean tracking down the MAC address of every authorised PC/laptop etc. and adding it to a whitelist, and if it's not a managed wireless system, adding a potentially large list of stations to a large list of APs.

 

Agreed, you could lock down connectivity to the wireless network by adding the MAC addresses of known machines to the APs in question. If the wireless isn't managed it's going to take a while to do, considering you have 50 APs.

 

An alternative solution, and one we have deployed here, is to use the MacFilterCallOut DLL on your DHCP server.

 

It's a DLL released by the Microsoft DHCP Team that will allow you to either allow or deny a specific set of MAC addresses to obtain an IP address from DHCP.

 

Easier to manage in theory as it's only implemented on one device on your network; the allow or deny list of MAC addresses is a basic text file of MAC addresses which you can create by exporting the leases from your DHCP server.

 

Details can be found here

 

Rather than having an allowed list, you could deny the problematic Apple products on your network, assuming you know the MAC addresses for them, if you want to put something in place quickly on your network.

 

Hope this helps.

  • Thanks 1
Posted
The easiest way of doing this is to either use Spiceworks or download the free 30-day trial of NetSupport Manager DNA. This will list all MAC addresses of clients, and NetSupport DNA will allow you to export this list to CSV etc.

 

Unless I am missing something here :confused: I am sure it would be easier to just export the list of DHCP leases from the DHCP server, assuming one exists on the school network?

 

This gives you an output containing client name, IP and MAC address. Assuming bart21 has the names of all authorised devices on the network, he should be able to filter out the rogue devices.

  • Thanks 1
Posted
Unless I am missing something here :confused: I am sure it would be easier to just export the list of DHCP leases from the DHCP server, assuming one exists on the school network?

 

This gives you an output containing client name, IP and MAC address. Assuming bart21 has the names of all authorised devices on the network, he should be able to filter out the rogue devices.

 

Only slight issue with that is you may end up adding a PC twice, once for its wired connection and once for its wireless.

  • Thanks 2
Posted
Only slight issue with that is you may end up adding a PC twice, once for its wired connection and once for its wireless.

 

Good point, I thought there was something I was missing.

  • Thanks 1
Posted
Good point, I thought there was something I was missing.

 

I don't see it as a major problem though, really; it just means a list that's longer than it needs to be, and it could be pared down if you know all your wireless cards are Intel, say: then if the first 4 digits say Broadcom it should be a wired card.

  • Thanks 1
Posted

Unfortunately using whitelists/radius etc will not work.

 

There is something very wrong with Apple's implementation of wireless which (not intentionally?) causes a denial of service to certain vendors' access points when they try to connect, which also explains why your teacher laptops are being disconnected when these iPods/phones connect. Your access point is spazzing out.

Posted (edited)

Is there a wildcard function that will allow you to block the Apple OUI (http://en.wikipedia.org/wiki/Organizationally_Unique_Identifier)?

 

i.e. block 00:25:4B:**:**:** and it should block all Apple devices connecting, just like blocking *.bbc.co.uk in a URL filter would block the entire BBC range of subdomains?

 

Edit: I'm talking about MAC addresses here, just in case anyone wonders.

Edited by computer_expert
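The DHCP-lease export, the wired/wireless duplicate problem, the OUI pruning and the wildcard OUI question above all come down to the same bit of list handling. The following is an added example, not code from this thread or from any of the products it mentions: it parses a constructed lease export (client name, IP, MAC), normalises the MAC formats different tools emit, matches wildcard patterns such as 00:25:4B:*:*:* against the Apple OUI quoted above, and keeps only the entries whose OUI belongs to the known wireless-card vendor so the wired duplicates fall out. The CSV column names, the two non-Apple OUIs and the one-MAC-per-line output format are assumptions made for the example.

```python
"""
Added example, not code from the EduGeek thread: build a MAC allow/deny list from a DHCP
lease export, prune wired/wireless duplicates by OUI prefix, and match wildcard OUI patterns
such as 00:25:4B:*:*:*. The CSV layout and the one-MAC-per-line output format are assumptions.
"""
import csv
import io
import re

# 00:25:4B is the Apple OUI quoted in the thread. The other two prefixes are CONSTRUCTED
# placeholders standing in for "our laptop Wi-Fi card vendor" and "our onboard wired NIC
# vendor"; they are not real vendor assignments.
KNOWN_OUIS = {
    "00:25:4B": "Apple",
    "00:11:22": "ExampleWireless",
    "00:33:44": "ExampleWired",
}

# Constructed DHCP lease export in the client-name / IP / MAC shape described in the thread.
# TEACHER-LAPTOP01 appears twice: once for its wireless card and once for its wired NIC.
SAMPLE_LEASES_CSV = """\
ClientName,IPAddress,MACAddress
TEACHER-LAPTOP01,10.0.1.21,00-11-22-aa-bb-01
TEACHER-LAPTOP01,10.0.2.21,00-33-44-aa-bb-01
TEACHER-LAPTOP02,10.0.1.22,00:11:22:AA:BB:02
iPod-touch,10.0.1.77,00-25-4b-10-20-30
Nicks-iPhone,10.0.1.78,00:25:4B:99:88:77
"""


def normalize_mac(raw):
    """Return a MAC as 'AA:BB:CC:DD:EE:FF' whatever separator the export used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac):
    """First three octets of a normalised MAC, e.g. '00:25:4B'."""
    return mac[:8]


def vendor_of(mac):
    """Look the OUI up in the (constructed) vendor table."""
    return KNOWN_OUIS.get(oui_of(mac), "unknown")


def parse_leases(csv_text):
    """Parse the lease export into (client, ip, mac) tuples with normalised MACs."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(r["ClientName"], r["IPAddress"], normalize_mac(r["MACAddress"])) for r in reader]


def wildcard_to_regex(pattern):
    """Compile '00:25:4B:*:*:*' (or '**' per octet) into a regex over normalised MACs."""
    parts = pattern.upper().split(":")
    if len(parts) != 6:
        raise ValueError(f"pattern needs six octets: {pattern!r}")
    octets = ["[0-9A-F]{2}" if p in ("*", "**") else re.escape(p) for p in parts]
    return re.compile("^" + ":".join(octets) + "$")


def build_deny_list(leases, patterns):
    """MACs from the leases matching any wildcard pattern (the 'deny the Apple OUI' approach)."""
    regexes = [wildcard_to_regex(p) for p in patterns]
    return sorted({mac for _, _, mac in leases if any(rx.match(mac) for rx in regexes)})


def build_allow_list(leases, wireless_ouis):
    """MACs whose OUI belongs to the known wireless-card vendors (drops the wired duplicates)."""
    return sorted({mac for _, _, mac in leases if oui_of(mac) in wireless_ouis})


def render_mac_list(macs):
    """One MAC per line: the assumed input format for a DHCP MAC filter list."""
    return "\n".join(macs) + "\n"


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES_CSV)
    print("deny list:\n" + render_mac_list(build_deny_list(leases, ["00:25:4B:*:*:*"])))
    print("allow list:\n" + render_mac_list(build_allow_list(leases, {"00:11:22"})))
```

Run against the constructed export, the deny list contains only the two Apple MACs and the allow list contains only the two laptop Wi-Fi cards, with the wired entry for TEACHER-LAPTOP01 dropped. Note the caveat that a MAC filter, whether on the DHCP server or on the APs, only stops a device getting an address or associating; it does nothing about a device that is already transmitting, so it is a management convenience rather than a security control.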
Posted

What we do here:

 

We have two SSIDs.

 

SSID1

Our RADIUS server only allows domain-joined computers to connect (computer authentication).

 

SSID2

Guest WLAN; the RADIUS server only allows the Staff group to connect via form-based authentication.

 

That way students can only use school computers on our WLAN, no iPod/iPhone.

Posted
Unfortunately using whitelists/radius etc will not work.

 

There is something very wrong with Apple's implementation of wireless which (not intentionally?) causes a denial of service to certain vendors' access points when they try to connect, which also explains why your teacher laptops are being disconnected when these iPods/phones connect. Your access point is spazzing out.

 

Do you have any links to something more in-depth regarding this? I'm intrigued...

 

To the OP, I'd try to avoid locking down your Wi-Fi too much. I'm just speaking here as someone who likes to promote a more open and friendly environment, but once you start locking it down too much things get messy and staff get annoyed. I don't know of many schools where locking down all non-school equipment goes down well (they don't even allow staff laptops on the Wi-Fi at mine, annoyingly).

Posted (edited)
I had thought of certificate security but know little about this.

 

Is there any easy way to ban the MAC address?

 

I don't really want to have to type it into every AP as we have nearly 50.

 

Does anyone else have this problem?

 

thanks

 

nick

 

Just use machine-only authentication instead of user authentication; you don't even need certificates. Our RADIUS-secured wireless system only lets devices with an authorised account in AD connect; user authentication is disabled.

 

If you're using IAS as your authentication server it's a doddle. It also stops the issues you sometimes get when the machine changes from machine-based to user-based authentication at login when set up using the IAS defaults.

 

If you're using another RADIUS server, however, I'm not sure if you can do it. IAS is the most popular if you don't have a managed system like Cisco with its own RADIUS server built in.

 

Mike.

Edited by maniac
  • Thanks 1
Posted

To be honest, it was so long ago when I set this up I can't remember precisely all the steps - IAS and RADIUS is quite complex to get working, I seem to remember it took a lot of fiddling.

 

Effectively it's the policy conditions in IAS you can change to allow authentication only if certain conditions are met. I created a group and called it 'Allow Wireless Connection', which I added all our wireless devices to. I then set the policy conditions to state 'NAS-Port-Type matches "Wireless - Other OR Wireless - IEEE 802.11" AND Windows-Groups matches "Allow Wireless Connection"'; this ensures only devices that meet those two conditions are authenticated.

 

I also changed our wireless group policy so it is set for Computer Only authentication; there's a box in there somewhere to do this. It did take me a little while to get this working properly, but now it is we have very few wireless problems in this school, and our access points are pretty old Cisco 1200 series ones.

 

Incidentally, my wireless system doesn't even prompt for a username and password if unauthorised people try to connect to it now; it just sits there saying 'authenticating' and then fails.

 

Mike.
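The policy Mike describes is two conditions ANDed together: the request must arrive on a wireless port type, and the authenticating account must be a computer account in the 'Allow Wireless Connection' group. The evaluator below is an added example, not code from the thread or from IAS: it shows why a pupil's valid domain login is refused under that policy (the request carries a user identity, not a host/ computer account) and why a device with no computer account gets nowhere. The NAS-Port-Type numbers are the standard RADIUS values; the group membership, host names and requests are constructed.

```python
"""
Added example, not code from the thread: a small evaluator for a computer-only wireless
policy in the shape Mike describes (NAS-Port-Type is wireless AND the authenticating
account is in the 'Allow Wireless Connection' group). The group membership, host names
and requests below are constructed.
"""

# NAS-Port-Type values from RFC 2865 / IANA: 15 = Ethernet, 18 = Wireless - Other,
# 19 = Wireless - IEEE 802.11.
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS_OTHER = 18
NAS_PORT_TYPE_WIRELESS_80211 = 19
WIRELESS_PORT_TYPES = {NAS_PORT_TYPE_WIRELESS_OTHER, NAS_PORT_TYPE_WIRELESS_80211}

# Constructed stand-in for the AD group. Machine authentication presents the computer
# account as 'host/<fqdn>', so only computer accounts are listed here.
ALLOW_WIRELESS_GROUP = {
    "host/teacher-laptop01.school.example",
    "host/teacher-laptop02.school.example",
}


def is_machine_identity(identity):
    """True for a computer-account identity ('host/...'), False for a user login."""
    return identity.lower().startswith("host/")


def evaluate_policy(request, allowed_group=ALLOW_WIRELESS_GROUP):
    """Return ('accept' or 'reject', reason) for a request with 'identity' and 'nas_port_type'."""
    if request["nas_port_type"] not in WIRELESS_PORT_TYPES:
        return ("reject", "NAS-Port-Type is not a wireless port type")
    identity = request["identity"].lower()
    if not is_machine_identity(identity):
        return ("reject", "user identity presented; machine authentication is required")
    if identity not in allowed_group:
        return ("reject", "computer account is not in the allow-wireless group")
    return ("accept", "domain computer in the allow-wireless group on a wireless port")


# Constructed requests: a domain laptop, a pupil using their domain login, a device with
# no computer account in AD, and the same laptop arriving over a wired port.
SAMPLE_REQUESTS = [
    {"identity": "host/TEACHER-LAPTOP01.school.example", "nas_port_type": NAS_PORT_TYPE_WIRELESS_80211},
    {"identity": "SCHOOL\\pupil17", "nas_port_type": NAS_PORT_TYPE_WIRELESS_80211},
    {"identity": "host/ipod-touch.local", "nas_port_type": NAS_PORT_TYPE_WIRELESS_80211},
    {"identity": "host/teacher-laptop01.school.example", "nas_port_type": NAS_PORT_TYPE_ETHERNET},
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Decisions for each sample request, in order."""
    return [evaluate_policy(r)[0] for r in requests]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["identity"], "->", evaluate_policy(req))
```

Only the first request is accepted. The second is the case the original poster is hitting: the pupil's domain credentials are perfectly valid, so a user-authentication policy lets them in, and the fix is to stop evaluating user identities at all on that SSID rather than to add more credential checks.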

  • 1 year later...
Posted
Does this throw staff laptops off or just severely delay their connection? We have RM laptops connecting wirelessly (getting an IP address), but then failing to get mapped drives, because Location Chooser (an RM program) cannot access Active Directory objects.
