Banning Mobile Devices from WiFi

Thread replies: 37
Thread images: 3

Can you ban mobile devices from using your wifi?
I don't mean by using the MAC, I mean is there an identifier that can be used to determine if a device is iOS or an Android variant?
>>
Bump for interest
>>
A mask for the MAC address, or analyze the OS with nmap and poison the ARP to cut them out.
>>
>>58770197
Just ditch wifi and use Ethernet like a sensible person.
>>
>>58770346
I would but our office is filled with people who are demanding wifi.
>>
>>58770368
They can get fucked. It's a wide open security risk. Monitor the office for wireless dongles too. Then get the employee fired for allowing a virus into the network.
>>
>>58770197
Yes but it would be too advanced for you, and I can't be bothered to smash bits of knowledge and feed you
>>
>>58770452
>>58770412
Wish I could, I watch hak5 and I get that it's not a great idea guys, but I have to keep it because the office just dropped 8 grand on our update with 2 wifi access points and a sonicwall firewall. I just need the answer for filtering mobile devices without knowing their mac.
>>
>>58770488
Fuck off or give me the breakdown of it.
>>
it can be done but you'll need to send me buttcoins before i teach you how to do it :^)
>>
>>58770197
Ignoring spoofing, MAC addresses are your best bet here. After that, tcp fingerprinting, which you generally do a port scan to get enough info to do. If you force users to a clickthrough, you could do user agent detection.
>>
>>58770551
Thanks man
I'm using a SonicPoint. I was thinking I might need to get a Meraki
>>
>>58770551
MAC filtering of any kind is completely worthless and doesn't gain you anything. It's trivial to spoof MAC addresses.
>>
>>58770580
It's more than enough to stop the mass of people that go "GIB WIFI PASSWORD PLOX"
>>
>>58770580
I'm not dealing with any geniuses at our site.
It could be argued that they're retarded actually.
>>
>>58770197
Radius server.
>>
>>58770197
>>>58770551
>MAC filtering of any kind is completely worthless and doesn't gain you anything. It's trivial to spoof MAC addresses.
Trivial on Linux & Windows. Quite a bit harder on mobile devices, especially if you don't jailbreak. Add to the fact that almost no iPhone users bother to jailbreak, and many Android users don't either, and you'll catch most users. The sad thing is, the same goes for computer users, even though they can spoof so much more easily. People are lazy. Never forget that.

Anyway, it's not foolproof, it just weeds out 90%+ for you. You do this in layers.
>>
>>58770674
>>58770606
>>58770593
I suppose it keeps out the most casual of users, but MAC filtering of any kind should not be considered security in any sense.
>>
>>58770700
>>58770674
Yeah we're all still stuck on MACs.
C'mon guys I need something more fancy to identify Devices other than a windows machine and reject their connection.
>>
>>58770726
Identify browsers. Safari.
>>
>>58770726
Most devices aren't just going to leak their operating system details to you over the network.

>>58770745
User agents are completely trivial to spoof as well, even more so than MAC addresses.
>>
>>58770745
Android and iOS both can use Chrome.
>>
>>58770754
But when was the last time you were booted from a network because of your browser? People won't pick it. And security should never just be one thing but a combination of methods and fail-safes.
>>58770755
Chrome should be auto boot as well.
>>
This is driving me nuts.
Can someone explain how TCP fingerprinting works?
>>
>>58770794
http://lmgtfy.com/?q=how+to+TCP+finger+print
>>
>>58770794
Here you go: https://nmap.org/nmap-fingerprinting-article.txt
>>
If you're cutting out the non-tech savvy 90% of users then are you really worried about the remaining 10% of people (who know their shit) bringing malware into the network?
>>
>>58770197
Yes
>>
>>58770755
The user agent strings for mobile Chrome and desktop Chrome are very much distinct from each other.
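
Added example, not part of the thread or any poster's code: a captive-portal check that classifies the User-Agent header along the lines discussed above. The function names, the allow/deny/review policy and the sample headers are assumptions constructed for illustration; the header is client-supplied, so this only sorts devices that report themselves honestly.

```python
import re

# Tokens that mobile browsers place in their User-Agent header.
MOBILE_TOKENS = re.compile(r"Android|iPhone|iPad|iPod|CriOS|FxiOS|Mobile")
# Platform tokens sent by desktop browsers.
DESKTOP_TOKENS = re.compile(r"Windows NT|Macintosh|X11; Linux|CrOS")


def classify_user_agent(ua):
    """Return 'mobile', 'desktop' or 'unknown' for a User-Agent header value."""
    if not ua or not ua.strip():
        return "unknown"      # header missing or empty: nothing to classify
    if MOBILE_TOKENS.search(ua):
        return "mobile"       # checked first, since Android strings also contain "Linux"
    if DESKTOP_TOKENS.search(ua):
        return "desktop"
    return "unknown"          # scripts, IoT clients, anything unrecognised


def portal_decision(ua):
    """Hypothetical portal policy: admit desktops, refuse mobiles, hold the rest."""
    policy = {"desktop": "allow", "mobile": "deny", "unknown": "review"}
    return policy[classify_user_agent(ua)]


# Constructed sample headers in the shape each browser family sends.
SAMPLES = {
    "chrome_windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
    "chrome_android": "Mozilla/5.0 (Linux; Android 7.0; Pixel Build/NRD90M) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 "
                      "Mobile Safari/537.36",
    "chrome_ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) "
                  "AppleWebKit/602.1.50 (KHTML, like Gecko) CriOS/55.0.2883.79 "
                  "Mobile/14C92 Safari/602.1",
    "curl": "curl/7.52.1",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:15} {classify_user_agent(ua):8} {portal_decision(ua)}")
    # A phone set to request the desktop site sends a desktop-shaped header
    # and is classified as 'desktop' here; pair this with network-layer controls.
```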
>>
Certificate based authentication for domain devices.
>>
>>58770197
Use a captive portal with js. Get the screen width. If the width is less than a laptop then disable the confirm button.

This is complicated though
It will require captive portal software, web servers, etc.
>>
>>58770197
Cisco Identity Services Engine should be able to do this.

We have it at work and use it to appropriately assign certificates on a per-device basis, but I'm sure you could have it configured to block certain devices.

It does it via some proprietary black magic I don't quite understand (I'm switching/routing/VOIP not ISE skilled) to create device signatures based on some shit. Not sure. Do some reading if you're interested, but such a solution is gonna cost money, especially if you're buying Cisco.
>>
>>58772547
Me again. As an extension to this, get a proper engineer to help with a good support contract.

If you're not already a Cisco shop it might be a bit harder to implement. I'm sure it uses CDP somehow and has some shit that only works on Cisco WAPs, but I'm not sure. But if you want a way to do it in a corporate environment, try it out.
>>
>>58770628
THIS RIGHT HERE OP

Run AAA with protocol(s) that can detect OS's on devices. I'd talk to someone at Cisco
>>
>>58770197
>>58770579

Cisco Meraki has this as a feature. Bet a lot of other manufacturers do as well.

>>58770628
This is another good piece of advice and you should be doing it (or some other form of 802.11x auth) as part of your wireless deployment.
>>
>>58770197
you're an idiot and don't know how MAC addresses are allocated
>hint it's by company/device type
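
Added example, not part of the thread or any poster's code: classifying a client MAC by its vendor prefix (OUI), including the case where the prefix carries no vendor information because the address was set in software. The OUI table uses constructed placeholder prefixes and hypothetical vendor classes, and the allow/deny/review policy is an assumption.

```python
import re

# Constructed OUI table: placeholder prefixes, NOT real IEEE assignments.
OUI_VENDOR_CLASS = {
    "F40001": "handset",      # hypothetical phone manufacturer
    "F40002": "laptop-nic",   # hypothetical PC network-card manufacturer
}


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return 6 bytes."""
    digits = re.sub(r"[:\-.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def classify_mac(mac):
    """Return a vendor class, or the reason the prefix cannot be trusted."""
    raw = parse_mac(mac)
    if raw[0] & 0x01:
        # Group (multicast) bit set: never valid as a client's source address.
        return "invalid-source"
    if raw[0] & 0x02:
        # Locally administered bit set: the address was chosen in software
        # (randomized or overridden), so the first three bytes name no vendor.
        return "locally-administered"
    return OUI_VENDOR_CLASS.get(raw[:3].hex().upper(), "unknown-vendor")


def wifi_policy(mac):
    """Hypothetical policy: deny known handsets, allow known NICs, review the rest."""
    decisions = {"handset": "deny", "laptop-nic": "allow"}
    return decisions.get(classify_mac(mac), "review")


if __name__ == "__main__":
    # Constructed sample addresses covering each branch.
    for mac in ("f4:00:01:12:34:56", "F4-00-02-AA-BB-CC",
                "02:00:00:00:00:01", "f400.0399.0001"):
        print(f"{mac:20} {classify_mac(mac):22} {wifi_policy(mac)}")
```

A vendor prefix only narrows the manufacturer: a company that builds both phones and laptops shares prefixes across them, and an overridden address bypasses the table entirely, which is why the "review" bucket exists.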
>>
>>58770197
May I know why? Not being snarky here. Just curious. Couldn't you have the wifi as a separate network so that your users can browse Reddit and not install viruses on your workstations?
This is a 4chan archive - all of the content originated from that site.