Blacklist wireless client by hostname?

  • 1
  • Question
  • Updated 5 years ago
  • Answered
How do I block a client by hostname, or block a range of MAC addresses (ie. Virtual Server random MAC addresses). I have a few "enterprising" students that have setup VM's on their laptops and is using those VM's to bypass some of the software restrictions we use.

In the long term we will be switching to a 802.1x wifi config, but as I understand it, if a user sets up an 802.1x PEAP wireless profile and chooses to not validate the server cert, they can still authenticate with their user credentials. So I need some way to blacklist that computer, unless there is something else that can be done in these cases?
Photo of dreadirester


  • 8 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1
Photo of Andrew MacTaggart

Andrew MacTaggart, Champ

  • 483 Posts
  • 86 Reply Likes
If there is will there is a way.

802.1X will provide the framework for your desires.

I would recommend 2 books

CWNA: Certified Wireless Network Administrator Official Study Guide: Exam PW0-105, 3rd Edition

By: David D. Coleman; David A. Westcott


CWSP® Certified Wireless Security Professional Official: Study Guide

By: David D. Coleman; David A. Westcott; Bryan E. Harkins; Shawn M. Jackman
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
Kudos to your students. I was "banned" from the computer lab in my last year of school due to my reputation but it is these type of students who will become the real engineers of the future.

I would recommend using an EAP type, such as EAP-TLS, that requires both server and client side certificates. EAP-PEAP only uses server side certificates and this can make it vulnerable to certain attacks. If you use EAP-PEAP and a local certificate, rather than a public one, then the supplicant (client) can be configured to bypass the certificate security as you have already noted. If you use a certificate signed by a public CA with EAP-PEAP then all clients will trust it anyway.

For an excellent book on wireless security and how to get around it I recommend "BackTrack 5 Wireless Penetration Testing" by Vivek Ramachandran (ISBN 978-1-849515-58-0).
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Per the spec, EAP-PEAP can wrap/tunnel any other EAP type - the restriction is that it has to be an EAP type. (This is unlike EAP-TTLS that is more permissive in what it will carry.)

As such, what EAP-PEAP tunnels is then implementation dependent.

Both EAP-MS-CHAP-v2 and EAP-TLS are offered under Windows as in the inner-EAP, so you can use client certificates via EAP-PEAP there, but this is not commonly supported on other platforms.
Photo of dreadirester


  • 8 Posts
  • 0 Reply Likes
Thanks. I have done a fair bit of additional research and it looks like my options are to use PEAP with computer authentication, so that users can't authenticate a non domain-joined device, or to use (P)EAP-TLS. As we are a small school and (P)EAP-TLS seems to be a bit more complicated, I think we'll try computer authentication first. I have the advantage that I am still testing 802.1x, so I can play with the various options a bit.

On a further note, I liked the article that Crowdie posted a while back about implementing a dependency check in the user profile, thereby chaining the user authentication to the computer authentication. This would allow us to shut out non domain-joined devices and also have user-level reporting and filtering. It's a good read and would be interesting if it was implemented.