one centralized MAC address database for wireless network

hey all,


I have 5 AP's in my office and do MAC address filtering on our wireless network. I'm sick to the back teeth of having to access each one and enter a MAC address when a new laptop comes in.

How can I have a centralized database of allowed MAC addresses that each AP can query??

I've been reading up on radius servers but tbh, it's not making much sense. I don't really want to go down the whole create certificates and hand them out route. I like the way it is at the mo, I just need it to be more manageable.

Oh, running windows 2003 DC's with mainly XP and win7 clients. Netgear AP's (wg102's, wg103's and a few others)

Any suggestions guys??

Cheers :)
 
the AP's do have the option to link to a radius server.

I'm playing about with 2003's IAS at the mo, but have noticed that the service keeps stopping so I've had to modify the reg to mark the IAS ports as reserved.

I'll have to wait till later tonight to reboot the boxes and see if that helps.
 
Just forget it, MAC address security is pointless in the extreme, it's too easy to sniff addresses and easy to spoof them. Wireless security done right is either a captive portal or a basic WPA key, then that gets you basic internet access, if you want access to internal systems you use a VPN over that.
 
Ok, but this is for an office internal network. The bosses that be have set the company policy for wireless networks to be MAC address filtered. :(

Is there an easier way other than IAS/AD security groups or a wireless controller?
 
And that's how office wireless should be done and is done at decent organisations. Demonstrate to them googling for instructions and following them to spoof a MAC address, then ask them if they still think there's any point in doing it (and if they do, get a new job. ;) )
 
As usual I've got to agree with the shark on this one. MAC address filtering has no place in this world and is about as useless as a condom machine in a nunnery. Do you have any encryption running on the network as well? Please say yes and that it is not WEP, otherwise you should probably just unplug the access points now until you figure all this out with your bosses.

If it is just to give people a net connection we tell our clients to firewall it off from the rest of the network and treat the wireless connections as 'dirty' external connections. If you are using wireless for people to connect to internal systems then you really need to review the security implications.

The nature of wireless means that all information is received by every client in range and things like source and destination MAC are sent in the clear so it takes literally a couple of seconds to view what a valid MAC is and changing your MAC address is not rocket science by any means. In under 2 minutes someone could be accessing your systems.

If you have 5 APs then you must be covering a reasonable area so I'm assuming the company is a reasonable size and has information (either stored on servers or being transmitted) that it wants to protect. Wireless can be a pain to get right at enterprise level, generally the best way to do it is with decent encryption and a RADIUS server or create a VPN tunnel to your internal systems, again this is essentially treating it as an untrusted network.

I often find it's easier just to use cabling in most scenarios, but that's just my laziness!
 
All good points.

Yes, it's a fairly large (but awkwardly shaped) building, and yes, the wireless connections are for people with laptops that are moving about the building who need full access to your network. I have already put cables in all the meeting rooms and other places where they are likely to be used; however, in some places it's just not possible.

And Yes, we do also use WPA 2 (TKIP) encryption.

I'm currently just playing with the IAS and AD groups to check MAC addresses. I'm not in charge of IT here and have already made my bosses aware of MAC address spoofing. However, this is their party so to speak and I just do what I is told. :)

Has anyone got experience with IAS and MAC address filtering. I can't seem to get it to work.
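
An added example, not part of the thread and not taken from IAS or the Netgear firmware: a sketch of the two things a central MAC list has to get right, matching a client MAC whatever notation an AP reports it in, and flagging a MAC that is active on two APs at once, which is what the cloning described in the replies looks like in session records. The allowlist entries, AP names and session tuples are constructed sample data, and the assumption is that APs may report the same MAC in different notations.

```python
import re
from itertools import combinations

# Constructed central allowlist: edited in one place instead of on five APs.
ALLOWED = {"00:1b:2c:3d:4e:5f": "laptop-017", "00-1B-2C-AA-BB-CC": "laptop-022"}

def normalize_mac(raw):
    """Reduce colon, dash or dot notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

ALLOWLIST = {normalize_mac(mac): owner for mac, owner in ALLOWED.items()}

def is_allowed(reported_mac):
    """Allowlist lookup that does not depend on the notation the AP used."""
    mac = normalize_mac(reported_mac)
    return mac is not None and mac in ALLOWLIST

# Constructed session records: (client MAC as reported, AP, start, stop), HH:MM.
SESSIONS = [
    ("00-1B-2C-3D-4E-5F", "ap1", "09:00", "11:30"),
    ("001b.2c3d.4e5f",    "ap4", "10:15", "10:40"),  # same MAC, overlaps ap1
    ("00:1B:2C:AA:BB:CC", "ap2", "09:00", "09:50"),
    ("00:1b:2c:aa:bb:cc", "ap3", "10:00", "12:00"),  # roamed, no overlap
    ("de:ad:be:ef:00:01", "ap2", "09:05", "09:10"),  # not on the list
]

def overlapping_macs(sessions):
    """Return MACs with time-overlapping sessions on two different APs."""
    by_mac = {}
    for raw, ap, start, stop in sessions:
        mac = normalize_mac(raw)
        if mac is not None:
            by_mac.setdefault(mac, []).append((start, stop, ap))
    flagged = set()
    for mac, rows in by_mac.items():
        # Zero-padded HH:MM strings compare correctly as text.
        for (s1, e1, ap1), (s2, e2, ap2) in combinations(rows, 2):
            if ap1 != ap2 and s1 < e2 and s2 < e1:
                flagged.add(mac)
    return flagged

if __name__ == "__main__":
    for raw, ap, *_ in SESSIONS:
        print(ap, raw, "allowed" if is_allowed(raw) else "rejected")
    print("possible clones:", sorted(overlapping_macs(SESSIONS)))
```

A real roam can leave a short overlap while the old AP times the session out, so a flag from this check is a reason to look closer rather than proof of a cloned address.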
 