kikinovak 02-08-2014 12:05 AM

Keep smartphones from connecting to a server?
 
Hi,

I'm currently negotiating with the IT manager of a big school in Nîmes. He wants to resolve a series of problems. Most of them (like traffic shaping, web content filtering) I know how to deal with, but one question is puzzling me. Is there a way to block smartphones like iPhones from connecting to the school's wifi? On their current hardware (a simple router) every smartphone appears as "iphone2". This router will eventually be replaced by a Slackware gateway/firewall/proxy/filter. DHCP, DNS, NTP and all services will run on this Slackware server.

Any idea if something like that would be possible?

vdemuth 02-08-2014 12:30 AM

Giving everything static IPs only and disabling the router's DHCP server would be the simplest of solutions, I would have thought.

willysr 02-08-2014 12:50 AM

MAC address filtering?

kikinovak 02-08-2014 03:08 AM

Quote:

Originally Posted by vdemuth (Post 5113812)
Giving everything static IPs only and disabling the router's DHCP server would be the simplest of solutions, I would have thought.

There are roughly 300 students, and everyone has a laptop.

vdemuth 02-08-2014 03:32 AM

300 is not really very many static IPs to hand out and is a pretty simple function for the IT department to manage.

Maybe you should offer to do this for them, for a fee of course, and continue to offer consultancy for new and leaving students to keep a tight control on IP allocations. You might even sell it to them as a value-added service.

kikinovak 02-08-2014 03:48 AM

Quote:

Originally Posted by willysr (Post 5113814)
MAC address filtering?

This sounds like a good idea. I'll have to do some research into whether iptables can filter partial MAC addresses using wildcards.

vdemuth 02-08-2014 01:40 PM

Hmmm,

Just be careful that the clever students don't resort to MAC spoofing, which, as we know, is pretty easy to do.

kikinovak 02-08-2014 01:56 PM

Quote:

Originally Posted by vdemuth (Post 5114058)
Hmmm,

Just be careful that the clever students don't resort to MAC spoofing, which, as we know, is pretty easy to do.

On a smartphone?

kikinovak 02-08-2014 01:57 PM

Quote:

Originally Posted by willysr (Post 5113814)
MAC address filtering?

I guess this is the way to go. I just found the following document:

http://www.isalo.org/wiki.debian-fr/...27adresses_MAC

I'll check this out another day, with a clear head.

bosth 02-08-2014 02:07 PM

Quote:

Originally Posted by kikinovak (Post 5114064)
On a smartphone?

It is on Android.

gezley 02-08-2014 02:41 PM

Quote:

Originally Posted by kikinovak (Post 5113808)
Hi,

I'm currently negotiating with the IT manager of a big school in Nîmes. He wants to resolve a series of problems. Most of them (like traffic shaping, web content filtering) I know how to deal with, but one question is puzzling me. Is there a way to block smartphones like iPhones from connecting to the school's wifi? On their current hardware (a simple router) every smartphone appears as "iphone2". This router will eventually be replaced by a Slackware gateway/firewall/proxy/filter. DHCP, DNS, NTP and all services will run on this Slackware server.

Any idea if something like that would be possible?

BSD packet filters can do OS fingerprinting to block based on source operating system. I'd be surprised if netfilter didn't have something similar, although when it comes to firewalls I stay as far away as possible from the Linux netfilter mess, so I'm afraid I can't be of any more use to you.

;-)

Alien Bob 02-08-2014 03:01 PM

I would let everyone register their laptop, so that you know all allowed laptop MAC addresses.
You can then add host definitions (with pre-defined IP addresses for the registered MAC addresses) for all these computers to your server's dhcpd.conf and put all of them in one pool definition.
All other DHCP clients (the 'unknown' ones) get a separate pool, including characteristics like separate IP address ranges, another default gateway, and perhaps traffic routed through a caching and filtering (transparent) proxy.
Put the IP ranges for the 'unknown' devices in a separate VLAN if the switches support it, and apply different QoS for the unknowns so that registered clients have better speeds, different or no internet filters, and lower latency.

Yes, MAC addresses can be spoofed, but actually if a student can pull that off, I'd know I had to watch him better. You can write some scripts that connect (using nmap for instance) to IP addresses of registered computers and perform OS fingerprinting on all of them. Then highlight the ones that show a non-Slackware or non-Windows OS and talk to the kids to whom the MAC address is registered.
With some creativity you can set up a system that needs minimal support (you can write a web form to add or delete hosts to the DHCP server configuration and leave the administration to the school's IT manager).

Eric

Darth Vader 02-08-2014 03:27 PM

Let's be pragmatic... Do PPPoE over WLAN. Combine it with MAC checking. You've got a user/password? The first time you connect, your MAC is matched with them. ;)

Everyone has a user and password. If one of them makes that information public, you/they have an ass to kick.

kikinovak 02-08-2014 03:30 PM

Quote:

Originally Posted by Alien Bob (Post 5114088)
I would let everyone register their laptop, so that you know all allowed laptop MAC addresses.
You can then add host definitions (with pre-defined IP addresses for the registered MAC addresses) for all these computers to your server's dhcpd.conf and put all of them in one pool definition.

I'm already using a similar setup in two smaller schools here. While on paper it seems an elegant solution, in everyday practical life it is quite time-consuming.

yenn 02-09-2014 11:05 AM

Quote:

Originally Posted by kikinovak (Post 5114102)
I'm already using a similar setup in two smaller schools here. While on paper it seems an elegant solution, in everyday practical life it is quite time-consuming.

Not really time-consuming if you put some effort into automating things. I use something similar in a smaller network (~200 users) and, apart from the time spent on building and testing it first, it just works without any extra involvement. The whole "system" consists of one server with a web application where you can register people and computers, a database server and a router (Slackware of course) with a simple application that creates new iptables and dhcpd configs from a template with data from the database, replaces the actual config files and reloads the iptables and dhcpd rules. It's event based, so the rules are reloaded only when needed (no cron involved).
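As an added illustration (not code from any poster in this thread) of the registered-vs-unknown DHCP split Alien Bob describes and the template-driven config rebuild yenn describes, here is a small Python generator that turns a device registry into an ISC dhcpd.conf: registered MACs get fixed addresses and the normal gateway, everything else lands in a separate pool with its own range and gateway. Device names, MAC addresses, subnets and gateway addresses are constructed examples; the option names are standard ISC dhcpd syntax.

```python
import ipaddress
import re

# Constructed sample registry (hypothetical names, MACs and addresses).
REGISTERED = [
    ("laptop-alice", "00:16:3e:aa:bb:01", "10.0.1.10"),
    ("laptop-bob",   "00-16-3E-AA-BB-02", "10.0.1.11"),  # mixed form on purpose
]

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Accept aa:bb:.. or AA-BB-.. input; return lower-case colon form or raise."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return mac


def render_dhcpd_conf(devices, subnet="10.0.0.0/16",
                      known_router="10.0.0.1", unknown_router="10.0.0.2",
                      unknown_range=("10.0.100.1", "10.0.100.254")):
    """Render a dhcpd.conf fragment: one host declaration per registered MAC
    (fixed address, subnet-level gateway) plus a pool that only unknown
    clients may use, with a different gateway. Rejects duplicate or
    malformed MACs and fixed addresses outside the subnet before anything
    is written, so a bad registry entry cannot produce a broken config."""
    net = ipaddress.ip_network(subnet)
    seen, hosts = set(), []
    for name, mac, ip in devices:
        mac = normalize_mac(mac)
        if mac in seen:
            raise ValueError("duplicate MAC %s" % mac)
        seen.add(mac)
        if ipaddress.ip_address(ip) not in net:
            raise ValueError("%s is outside %s" % (ip, subnet))
        hosts.append("host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}"
                     % (name, mac, ip))
    lines = [
        "subnet %s netmask %s {" % (net.network_address, net.netmask),
        "  option routers %s;" % known_router,       # inherited by registered hosts
        "  pool {",
        "    allow unknown-clients;",                # no host declaration -> here
        "    range %s %s;" % unknown_range,
        "    option routers %s;" % unknown_router,   # e.g. the filtering gateway
        "  }",
        "}",
    ]
    return "\n".join(lines + hosts) + "\n"


if __name__ == "__main__":
    print(render_dhcpd_conf(REGISTERED))
```

Run against the real registry, the output replaces dhcpd.conf and dhcpd is reloaded; a separate VLAN or QoS policy for the unknown range is then applied by address range, as the posts above suggest.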
