Hi,

I'm currently negotiating with the IT manager of a big school in Nîmes. He wants to resolve a series of problems. Most of them (like traffic shaping, web content filtering) I know how to deal with, but one question is puzzling me. Is there a way to block smartphones like iPhones from connecting to the school's wifi? On their current hardware (a simple router) every smartphone appears as "iphone2". This router will eventually be replaced by a Slackware gateway/firewall/proxy/filter. DHCP, DNS, NTP and all services will run on this Slackware server.

Any idea if something like that would be possible?

Give everything static IP's only and disable router dhcp server would be the simplest of solutions I would have thought.

MAC address filtering?

There are roughly 300 students, and everyone has a laptop.

300 is not really very many static IPs to hand out and is a pretty simple function for the IT department to manage.

Maybe you should offer to do this for them, for a fee of course and continue to offer consultancy for new and leaving students to keep a tight control on ip allocations. You might even sell it to them as a value added service.

This sounds like a good idea. I'll have to do some research if iptables can filter partial MAC addresses using wildcards.

Hmmm,

Just be careful that the clever students don't resort to mac spoofing which as we know is pretty easy to do.

On a smartphone?

I guess this is the way to go. I just found the following document:

http://www.isalo.org/wiki.debian-fr/...27adresses_MAC

I'll check this out another day, with a clear head.

It is on Android.

BSD packet filters can do OS fingerprinting to block based on source operating system. I'd be surprised if netfilter didn't have something similar, although when it comes to firewalls I stay as far away as possible from the Linux netfilter mess, so I'm afraid I can't be of any more use to you.

;-)

I would let everyone register their laptop, so that you know all allowed laptop MAC addresses.
You can then add host definitions (with pre-defined IP addresses for the registered MAC addresses) for all these computers to your server's dhcpd.conf and put all of them in one pool definition.
All other DHCP clients (the 'unknown' ones) get a separate pool, including characteristics like separate IP address ranges, another default gateway, and perhaps traffic routed through a caching and filtering (transparent) proxy.
Put the IP ranges for the 'unknown' devices in a separate VLAN if the switches support it, and apply different QoS for the unknowns so that registered clients have better speeds, different or no internet filters, and lower latency.

Yes, MAC addresses can be spoofed, but actually if a student can pull that off, I'd know I had to watch him better. You can write some scripts that connect (using nmap for instalce) to IP addresses of registered computers and perform OS fingerprinting on all of them. Then highlight the ones that show non-Slackware or non-Windows OS and talk to the kids to whom the MAC address is registered to.
With some creativity you can set up a system that needs minimal support (you can write a web form to add or delete hosts to the DHCP server configuration and leave the administration to the school's IT manager).

Eric

1 members found this post helpful.

Lets be pragmatics... Do it PPPOE over WLAN. Combine it MAC checking. You got am user/password? First time when you are connected, your MAC is matched with them.

Everyone have an user and password. If one of them make that information public, you/they have an ass to kick.

I'm already using a similar setup in two smaller schools here. While on paper it seems an elegant solution, in everyday's practical life it is quite time-consuming.

Not really time-consuming if you put some effort into automating things. I use something similar in smaller network (~200 users) and apart time spent on building and testing it first, it just works without any extra involvement. Whole "system" consist of one server with web aplication where you can register people and computers, database server and router (Slackware of course) with simple application that create new iptables and dhcpd config from template with data from database, replace actual config files and reload iptables and dhcpd rules. It's event based so rules are reloaded only when needed (no cron involved).