Koozali.org: home of the SME Server

LAN access restriction via MAC address

Offline stdean

LAN access restriction via MAC address
« on: July 13, 2007, 03:48:40 AM »
I searched through the forum and found a couple of threads similar to what I'm looking for but not covering exactly what I want (unless I misunderstood something).

Is it possible to restrict machines from connecting to a network via MAC address? I want to limit it so that only machines that our company has purchased or approved of can connect to our network, i.e. stop people from bringing their home laptops into the office and using network resources.

I am not trying to just limit internet access via MAC address, I want to stop a device from getting an IP based on its MAC address not being on a pre-approved list.

Any ideas?

Conor

Offline raem

Re: LAN access restriction via MAC address
« Reply #1 on: July 13, 2007, 09:20:00 AM »
stdean

You could make the list of IPs very small (i.e. 1) that is available for the DHCP server to issue & configure all workstations except one with a fixed IP.
That way there would be no IPs available for extra unofficial workstations to lease.
...

Offline stdean

LAN access restriction via MAC address
« Reply #2 on: July 13, 2007, 09:48:06 AM »
Hmmm, but if the person turned off DHCP on their unofficial workstation and assigned it a static IP (one that has not already been taken) they would be able to get onto the network, wouldn't they?

Offline CharlieBrady

LAN access restriction via MAC address
« Reply #3 on: July 13, 2007, 03:29:34 PM »
Quote from: "stdean"
Hmmm, but if the person turned off DHCP on their unofficial workstation and assigned it a static IP (one that has not already been taken) they would be able to get onto the network, wouldn't they?


Yes, and there's nothing SME server can do about that.

Offline mmccarn

LAN access restriction via MAC address
« Reply #4 on: July 13, 2007, 03:33:26 PM »
I think you're looking for 802.1x Authentication for your network, but I have no idea how to do this on SME...

Offline CharlieBrady

LAN access restriction via MAC address
« Reply #5 on: July 13, 2007, 07:30:30 PM »
Quote from: "mmccarn"
I think you're looking for 802.1x Authentication for your network, but I have no idea how to do this on SME...


Yes, 802.1x is the right technology, but it needs to be done on the switch.

Offline Confucius

LAN access restriction via MAC address
« Reply #6 on: July 13, 2007, 10:13:18 PM »
Squid has this option.

http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-f5a9a7efc69525f1e3d928b725cced0f7822e451

This is still not the perfect solution because even the MAC-address can be changed in the system if they really want to use the proxy but it's the best option without using hardware.

Tried to apply the given example; it seems that Squid hasn't been compiled with ARP support:

squid: aclParseAclLine: Invalid ACL type 'arp'

Offline CharlieBrady

LAN access restriction via MAC address
« Reply #7 on: July 14, 2007, 03:34:42 AM »
Quote from: "Confucius"
Squid has this option.


No, it doesn't. Squid can't do anything to prevent random computers from accessing the local network. 802.1x implemented in the L2 switch can.

Offline Stefano

LAN access restriction via MAC address
« Reply #8 on: July 16, 2007, 10:15:45 AM »
Quote from: "CharlieBrady"
Quote from: "Confucius"
Squid has this option.


No, it doesn't. Squid can't do anything to prevent random computers from accessing the local network. 802.1x implemented in the L2 switch can.


maybe packetfence can do the work.. but it's not trivial

http://www.packetfence.org/wiki/index.php?title=CentOS_4_HOWTO
http://www.linuxjournal.com/article/9551

HTH

Stefano

p.s. I'll study it and try to create a contrib ;-)

Offline haymann

LAN access restriction via MAC address
« Reply #9 on: July 17, 2007, 09:15:06 PM »
Quote from: "nenonano"
maybe packetfence can do the work.. but it's not trivial

http://www.packetfence.org/wiki/index.php?title=CentOS_4_HOWTO
http://www.linuxjournal.com/article/9551

HTH

Stefano

p.s. I'll study it and try to create a contrib ;-)
Be sure to keep us posted! I have heard great things about PacketFence, and to get it running on SME would (imo) be a great help to many of us.

Offline CharlieBrady

LAN access restriction via MAC address
« Reply #10 on: July 18, 2007, 12:24:05 AM »
Quote from: "nenonano"

maybe packetfence can do the work.. but it's not trivial


Indeed. Unless you have a very large and busy network, then it will be less work to inform your users of the rules, monitor your logs, and apply the cluebat when/if abuse occurs.

arpwatch might help you to identify visiting computers.

Offline stdean

LAN access restriction via MAC address
« Reply #11 on: July 26, 2007, 10:08:04 AM »
Well, our network is about 40+ machines, which will most likely be doubling in the coming months; it's also a remote location so I can't really keep an eye on it.

I've just downloaded arpwatch, and it seems to compile fine on SME. It looks like something I could use, and I think it could be the solution I was looking for. If I can't stop people from connecting to the network, I can at least keep an eye on when people are coming in and out.

Conor

Offline Stefano

LAN access restriction via MAC address
« Reply #12 on: July 26, 2007, 10:32:16 AM »
Quote from: "stdean"
Well, our network is about 40+ machines, which will most likely be doubling in the coming months; it's also a remote location so I can't really keep an eye on it.

I've just downloaded arpwatch, and it seems to compile fine on SME. It looks like something I could use, and I think it could be the solution I was looking for. If I can't stop people from connecting to the network, I can at least keep an eye on when people are coming in and out.

Conor


Packetfence is very difficult to install on SME because of its dependencies and setup script.

BTW, look at this: http://dag.wieers.com/rpm/packages/arpalert/

Quote

Monitor Ethernet networks.
arpalert listens on a network interface (without using 'promiscuous' mode) and catches all MAC-address-to-IP request conversations.

It then compares the mac addresses it detected with a pre-configured list of authorized MAC addresses. If the MAC is not in list, arpalert launches a pre-defined user script with the MAC address and IP address as parameters. This software can run in daemon mode; it's very fast (low CPU and memory consumption).

Latest release: 2.0.6-1

Website: http://www.arpalert.org/


HTH

Ciao

Stefano
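
The arpwatch / arpalert approach discussed above (catch ARP traffic, compare each MAC against a pre-approved list, hand unknown ones to a handler) as an added worked example in Python. This is not code from the thread, from arpalert or from arpwatch; the allowlist, the log format and the sample observations are constructed here. It does what the thread settles on, detection rather than prevention: a MAC can still be spoofed and a static IP still bypasses DHCP, so the monitor also raises arpwatch-style "changed MAC" alerts when an IP that was previously seen with an approved MAC turns up with a different one.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Alert = Tuple[str, str, str]  # (kind, ip, detail)

# Constructed allowlist of company-approved MAC addresses (hypothetical values).
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed sample of ARP observations, one "<timestamp> <ip> <mac>" per line.
# The fourth record models an unknown laptop taking 192.168.1.10 with a static
# address after the legitimate host went offline.
SAMPLE_LOG = """\
2007-07-26T10:08:04 192.168.1.10 00:11:22:33:44:55
2007-07-26T10:08:10 192.168.1.11 00-11-22-33-44-66
# comment lines and blank lines are ignored

2007-07-26T10:09:00 192.168.1.50 00:aa:bb:cc:dd:ee
2007-07-26T10:09:30 192.168.1.10 00:aa:bb:cc:dd:ee
2007-07-26T10:10:00 192.168.1.11 00:11:22:33:44:66
"""

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>\S+)$")


def normalise_mac(mac: str) -> str:
    """Canonicalise colon, dash or Cisco dotted notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class ArpMonitor:
    allowed_macs: Set[str]
    seen: Dict[str, str] = field(default_factory=dict)  # ip -> last MAC observed

    def __post_init__(self) -> None:
        # Normalise the allowlist once so comparisons are notation-independent.
        self.allowed_macs = {normalise_mac(m) for m in self.allowed_macs}

    def observe(self, ip: str, mac: str) -> List[Alert]:
        """Record one IP/MAC pairing and return the alerts it triggers."""
        mac = normalise_mac(mac)
        alerts: List[Alert] = []
        if mac not in self.allowed_macs:
            # arpalert would invoke the user script here with MAC and IP as parameters.
            alerts.append(("unauthorized_mac", ip, mac))
        previous = self.seen.get(ip)
        if previous is not None and previous != mac:
            # Same IP, different MAC: static-IP squatting or MAC spoofing (arpwatch "changed").
            alerts.append(("changed_mac", ip, f"{previous} -> {mac}"))
        self.seen[ip] = mac
        return alerts


def run_monitor(log_text: str, allowed_macs: Set[str]) -> List[Alert]:
    """Feed a text log of ARP observations through the monitor; never die on bad input."""
    monitor = ArpMonitor(allowed_macs)
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            alerts.append(("malformed_line", "", line))
            continue
        try:
            alerts.extend(monitor.observe(m["ip"], m["mac"]))
        except ValueError as exc:
            alerts.append(("malformed_line", m["ip"], str(exc)))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in run_monitor(SAMPLE_LOG, ALLOWED_MACS):
        print(f"{kind:16} {ip:15} {detail}")
```

Because ARP requests are link-local broadcasts, a sensor like this sees them from any host on the same Layer 2 segment, not only from the DHCP server or gateway; placing it on the gateway matters when the handler is meant to act on the traffic (blocking forwarding), not for the detection itself.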

Offline stdean

LAN access restriction via MAC address
« Reply #13 on: July 26, 2007, 01:33:29 PM »
nenonano, arpalert is great. I've gotten it installed and I think I've figured out enough to get it to do what I want it to do.

One question... I'm currently testing it on a test machine on my network and it's picking up the MACs of machines coming on and off the network. If I'm using my SME as the internet gateway/DNS server/DHCP server (which my test machine is not), is it 100% necessary to run arpalert on that, i.e. can I just install it on any machine on my network and it will do the same job as if it were on the DHCP server?

Or am I missing something here...?

Conor

Offline Stefano

LAN access restriction via MAC address
« Reply #14 on: July 26, 2007, 02:58:49 PM »
Quote from: "stdean"
nenonano, arpalert is great. I've gotten it installed and I think I've figured out enough to get it to do what I want it to do.

One question... I'm currently testing it on a test machine on my network and it's picking up the MACs of machines coming on and off the network. If I'm using my SME as the internet gateway/DNS server/DHCP server (which my test machine is not), is it 100% necessary to run arpalert on that, i.e. can I just install it on any machine on my network and it will do the same job as if it were on the DHCP server?

Or am I missing something here...?

Conor


IMHO you must install it on your gateway so you can block internet access or whatever.

my 2 c

Ciao

Stefano