>256 MAC Deny Entries

We have an open guest SSID and a secured production SSID. All of our devices should be on the production SSID. Personal devices go on the guest SSID. The guest VLANs cannot communicate with each other or our production network and vice-versa. Devices on that network are also throttled.

We have over 300 iPads.  Our production SSID forces them to enroll in our MDM before they can get out to the internet.  I have noticed users are hitting that point and switching to the guest network to get around it.  I have been booting them off (with a MAC deny entry) as I notice, but I'd like to have a way to just exclude all of those devices from the guest network.  Although I have all of the MACs, the built-in filter only allows for 256 entries.  I started to go the RADIUS route, but it sounds like that only lets me do an "allow" filter rather than a "deny" which obviously won't work.

Any ideas for discouraging this?  I only foresee it being an issue for iPads.  Users don't see any negatives on their end (until it mysteriously no longer connects because I blacklisted them), but I can't manage or track them.

Thanks!
Joe Stergis

Posted 3 years ago

Nick Lowe, Official Rep
Clearly, your users are voting with their feet: 'We'll use the easiest, most frictionless way available to us to get access to the Internet.'

Your options are therefore to:

1) Implement some granular form of access control on the guest network: PPSKs or a CWP.
(Best option.)

-or-

2) Go down the RADIUS route using an external RADIUS server with MAC address authentication.
(Not so great, MAC addresses can be spoofed and it's higher maintenance. You're always playing whack-a-mole.)

To do this...

After having conditional checks for MAC addresses that you wish to blacklist, you can permit the connection by checking for a Service-Type of Call-Check, a NAS-Port-Type of Wireless/802.11 and for the SSID of your guest network against the Called-Station-Id attribute with a regular expression.

Unfortunately, HiveOS does not currently support using a constant, fixed username and password for MAC address authentication. It will always send the client's MAC-address as the username and password in addition to sending it in the Calling-Station-Id. (Ideally, it would have a configuration option to use a username and password that you supply.)

In NPS this makes things slightly messy therefore.

With that RADIUS server, you would need to configure a catch all CRP to "Accept users without validating credentials" with the right conditions and have a CRP or CRPs ordered before that to match and process locally attempts to authenticate with MAC addresses that you have blacklisted.

Deny CRP:

(Note: I have HiveOS configured to send client MAC addresses delimited with hyphens, this isn't the default. There may be a limit to the length of the Calling-Station-Id condition in which case you would need another CRP. Having hundreds of checks against the Calling-Station-Id via a regular expression isn't going to be the most efficient thing!)

Allow CRP:

Short answer, I suggest not doing this... FreeRADIUS is eminently more configurable so you can easily handle this there.

Hopefully a future HiveOS can get an option to do MAC address authentication via a fixed/constant username and password...
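As an added illustration (not code from this thread, from Aerohive, or from HiveOS), here is a small Python model of the policy order described in the reply above: a deny check on Calling-Station-Id is evaluated first, and only then does a catch-all accept rule match on Service-Type Call-Check, NAS-Port-Type Wireless-802.11 and a regular expression over Called-Station-Id for the guest SSID. The SSID name "Guest", the deny-list MACs and the sample requests are constructed for the example; the "BSSID:SSID" layout of Called-Station-Id and the reject-by-default outcome when no rule matches are assumptions to be checked against what your own APs and RADIUS server actually send and log.

```python
import re

# Constructed deny list. Entries are accepted in any delimiter style because
# HiveOS can be configured to send the client MAC with hyphens, colons or no
# delimiter at all, and a list maintained by hand tends to mix them.
DENIED_MACS_RAW = [
    "00-11-22-33-44-55",
    "aa:bb:cc:dd:ee:ff",
    "0A1B2C3D4E5F",
]

# Assumed Called-Station-Id layout: "<AP BSSID>:<SSID>". Anchor on the
# SSID suffix so a production SSID never matches the guest rule.
GUEST_SSID_RE = re.compile(r":Guest$", re.IGNORECASE)

# Standard RADIUS attribute values (RFC 2865 / RFC 2866 dictionary names).
MAC_AUTH_SERVICE_TYPE = "Call-Check"
WIFI_PORT_TYPE = "Wireless-802.11"


def normalize_mac(mac):
    """Reduce any delimiter style to 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


DENIED_MACS = {normalize_mac(m) for m in DENIED_MACS_RAW}


def evaluate(request):
    """Evaluate one Access-Request (a dict of attribute -> value).

    Returns (decision, reason). Rules are checked in the order a server
    would process them: deny list first, then the catch-all accept.
    """
    try:
        client_mac = normalize_mac(request.get("Calling-Station-Id", ""))
    except ValueError:
        return "Access-Reject", "malformed or missing Calling-Station-Id"

    # Rule 1 (ordered first): the deny list. Stops processing on a match.
    if client_mac in DENIED_MACS:
        return "Access-Reject", "client MAC is on the deny list"

    # Rule 2: catch-all accept. HiveOS sends the MAC as username and password
    # too, so the server accepts without validating credentials, but only
    # when all three conditions identify a guest-SSID MAC authentication.
    is_mac_auth = request.get("Service-Type") == MAC_AUTH_SERVICE_TYPE
    is_wifi = request.get("NAS-Port-Type") == WIFI_PORT_TYPE
    on_guest = bool(GUEST_SSID_RE.search(request.get("Called-Station-Id", "")))
    if is_mac_auth and is_wifi and on_guest:
        return "Access-Accept", "guest MAC authentication, not on deny list"

    # Assumed default: nothing matched, so the request is rejected.
    return "Access-Reject", "no policy matched"


def guest_request(client_mac, ssid="Guest"):
    """Build a constructed Access-Request as the AP would send it."""
    return {
        "Calling-Station-Id": client_mac,
        "Called-Station-Id": f"AA-BB-CC-00-00-01:{ssid}",
        "Service-Type": MAC_AUTH_SERVICE_TYPE,
        "NAS-Port-Type": WIFI_PORT_TYPE,
    }


if __name__ == "__main__":
    for req in (
        guest_request("00:11:22:33:44:55"),          # on the deny list
        guest_request("de-ad-be-ef-00-01"),          # unknown personal device
        guest_request("de-ad-be-ef-00-01", "Prod"),  # wrong SSID for this rule
    ):
        print(req["Calling-Station-Id"], req["Called-Station-Id"], evaluate(req))
```

The point of the normalization step is the delimiter caveat in the reply: a deny entry written with colons will silently never match a Calling-Station-Id sent with hyphens if the comparison is done on raw strings, which is one reason a long regular expression over that attribute is fragile. Checking the SSID against the end of Called-Station-Id keeps the accept rule from ever applying to the production SSID.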
Joe Stergis
Thanks for the detailed reply!

I'm not too concerned about MAC spoofing since I'd be very surprised if any users even think to try that.  If it doesn't connect, they'll stay on the production network and enroll in the MDM (or, at least, ask us for help).

I'm also not too worried about continual maintenance of it, since I have a complete MAC list now and we see all new iPads for inventory purposes before they go out to the users anyway.

One of our servers does have the NPS role.  I installed it and then realized that a MAC blacklist was not as simple as I thought.  It sounds like NPS can do what I want, it's just not as straightforward to setup as an "allow by MAC" method would be.  I can look at FreeRADIUS too.

Realistically, it's a "few and far between" issue because the iOS devices were enrolled by us before the users got them.  It's got to be an issue of the few here and there where the client was removed or isn't working properly so the APs aren't detecting it and aren't letting them access anything other than the enrollment URL.
Nick Lowe, Official Rep
While I remember, you'll need HiveOS 6.1r3 or later to get the Service-Type attribute value of Call-Check being used to specify that MAC address authentication is taking place in the Access-Request packets.
Steve Glassman
Hi Joe, I know this post is over 2 years old but I am in the same boat as you and am curious what you ever ended up doing. Nick's comments sound great but we're a FreeRADIUS shop but I am not a FreeRADIUS guru so what he's suggesting is confusing to me. Ideally we'd simply be able to have the Aerohive unit check our FreeRADIUS server's blacklist (which we have working fine as part of the authentication piece when the user is at the CWP) but I'd like to prevent them from even being able to connect in the first place... not sure if it's possible or not but I am hoping you guys or someone else might be able to guide me a bit.
Joe Stergis
Hi Steve,

To be honest, I never explored it much.  It quickly became less of an issue for a few reasons:

- Our MDM is now hosted by Casper, so the issue of it not seeing devices that were within our network but on a segregated VLAN is gone.

- Everything is enrolled in DEP, so that helps to an extent.

- We're using fewer iPads. Apple dropped the ball again and again with managing shared devices. Configurator never worked well and any Apple support rep that I've talked to admits it. School Manager came six years too late and still isn't a great solution because of how managed Apple IDs work. Beyond that, PearsonAccess (platform used for state assessments) works best on the Chromebooks and would require purchasing keyboards to use with iPads. Plus, when teachers have experience with both Chromebooks and iPads I find they prefer the Chromebooks almost every time. They have their place at the lower levels and in certain programs, but we have mostly moved to Chromebooks.