![lan blacklist mac address lan blacklist mac address](https://www.cisco.com/c/dam/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config-05.gif)
Normally that would be done via a webpage the wireless router will redirect traffic to. That way even though users may have the wireless key they still can not get on the wireless until they authenticate. Then either create generic guest account or a guest account on a case by case basis. Otherwise incorporate LDAP or some other centralised authentication system as soon as possible (local user accounts are a bad idea in most cases). You should also look into linking wireless authentication with an LDAP server, assuming you already use something like that it should be easy. If you make the script run every few minutes then the time the unauthorized device can be on the network is minimal, that could be an acceptable trade-off. I've seen this problem before and the solution I found in use was pretty much the same as what you're already using. I save this, then I add the Execute bit with chmod +x /usr/local/sbin/dhcpd-macblock.py, and set a cron job that feeds the blacklist into the script every hour: cat /etc/blacklist.txt | dhcpd-macblock.pyĮvery hour, it goes through, creating a new file with all the MAC addresses blocked that I don't want, and they don't even get a DHCP reservation, and my spots are slowly freeing up.Īs far as I know it is not possible to do except to use something like etables as was suggested, with the additional bookkeeping. Print OUT "subclass \"blacklist\" 1:$i \n" In my /etc/dhcp/nf file, I create a new class near the top: class "blacklist" )$/) $_) It takes the regular blacklist (one MAC address per line) that I also spit into iptables, and just creates the new pool. One of the other techs helped me make a script to parse through the blacklist of IP Addresses, and add them to a new pool, which gives out no IP address whatsover.
LAN BLACKLIST MAC ADDRESS UPDATE
I want to be able to update the MACs in one file, and then possibly run a script that will add the changes to my DHCP file, and my iptables rules.Īlthough I think using ebtables may be the answer, it's another layer that I did not want to add to my configuration. This would work, but requires updating the MAC addresses in multiple places, which I don't want. One solution (well, partial) that someone thought up was to create a blackhole class in my /etc/dhcp/nf file, and fill it with the MAC addresses of the devices I don't want connecting. Yes, I know I could increase the range on my DHCP server, but I want management to realize the struggle with managing the privately-owned devices taking up our work resources by connecting and bypassing our captive portal. So, my issue is, how can I prevent them from even getting an IP address assigned to them? Yes, I know they could just assign themselves a static IP address and bypass the DHCP server, but I still want iptables to block them, based on their (hopefully non-changing) MAC address. Unfortunately, it does not take effect until after the device has gotten an IP address from isc-dhcp-server. This will prevent their device from connecting to our network resources, and to the Internet. I update /etc/blacklist.txt, and when iptables starts, it executes iptables -A INPUT $if -m mac -mac-source $i -j DROP (with $i being read from the file). With these scripts, I can create a blacklist of MAC addresses and iptables blocks them for me. I have scripts (written by other team members, not myself!) that go through the DHCP leases on Debian Wheezy, and spit out the manufacturer, the DNS name, IP Address, and the MAC address of all the devices the DHCP server interacts with. The key has been leaked long before I came to this job, and I have most things cleaned up. On the Public side, the users need to authenticate with a captive portal with a username/password combo from our server (for our staff's personal devices only).
![lan blacklist mac address lan blacklist mac address](https://s23429.pcdn.co/wp-content/uploads/2017/03/asus-rt-ac68u-3.0.0.4.385_20490-admin-click-lan.jpg)
The Private side has access to see other computers, the printers, servers, and access to the Internet. At my workplace, we have a Public Wifi network, as well as our Private Wifi network.