Author Topic: Denying DHCP leases by MAC Address  (Read 3500 times)

Ppbottle

  • Zen Apprentice
  • *
  • Posts: 16
  • Karma: +3/-0
Denying DHCP leases by MAC Address
« on: February 21, 2018, 09:10:35 pm »
Hi,

I am using Zentyal server at my school and unfortunately, no matter how many times I change the WiFi password, the students always manage to find out what it is and clog up our rather slow internet connection with their phones.

I'd like to be able to find a way to deny them access to the network in a way that they can't get around and am wondering if it is possible to deny them IP Addresses through DHCP by their MAC address.

Does anyone know how this can be done, or if there is a better way of booting them off my network (or stopping them from getting on it in the first place)?

julio

  • Guest
Re: Denying DHCP leases by MAC Address
« Reply #1 on: February 22, 2018, 05:26:08 pm »
Hi Ppbottle,

You need to change the DHCP server config:
make a new class (black-hole) and add the blocked addresses as subclasses
(for example: subclass "black-hole" 00:11:22:33:44:55;).

Make the DHCP server config file stubs:
Code:
sudo mkdir -p /etc/zentyal/stubs/dhcp
sudo cp /usr/share/zentyal/stubs/dhcp/dhcpd.conf.mas /etc/zentyal/stubs/dhcp/dhcpd.conf.mas

Open "dhcpd.conf.mas" with the nano editor:
Code:
sudo nano /etc/zentyal/stubs/dhcp/dhcpd.conf.mas

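Add these lines to the end of the file (customise the "black-hole" subclass entries):
Code:
class "black-hole" {
    # Match on the 6-byte MAC: byte 0 of "hardware" is the hardware type, so skip it
    match substring (hardware, 1, 6);
    # deny booting;
    ignore booting;
}
# One subclass line per blocked MAC address
subclass "black-hole" 00:12:ba:1d:c1:b7;
subclass "black-hole" 00:12:df:b6:7b:e7;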

Save and exit:
Code:
ctrl+o, ctrl+x

Restart the DHCP service:
Code:
sudo zs dhcp restart

Reference:
https://lists.isc.org/pipermail/dhcp-users/2010-July/012024.html
« Last Edit: February 22, 2018, 06:00:51 pm by julio »
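
A mistyped subclass line makes dhcpd reject the whole configuration, so the lines in the reply above can be generated from a checked list instead of typed by hand. The script below is an added example, not part of the original post or of Zentyal; the function names `normalize_mac` and `build_blackhole` and the sample list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build the "black-hole" block
# from a list of MAC addresses, skipping anything that is not a valid MAC.

# Print one MAC in lower-case colon form. Accepts 00:12:.., 00-12-.., 0012.ba1d.c1b7
# and bare hex; returns 1 unless the input is exactly 12 hex digits.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'ABCDEF' 'abcdef')
    case "$hex" in *[!0123456789abcdef]*) return 1 ;; esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# Read MACs on stdin (one per line, "#" comments allowed) and print the class
# declaration followed by one subclass line per unique valid address.
# Invalid entries are reported on stderr and left out of the output.
build_blackhole() {
    seen=" "
    printf '%s\n' 'class "black-hole" {' \
        '    match substring (hardware, 1, 6);' \
        '    ignore booting;' \
        '}'
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')   # drop comment and whitespace
        [ -n "$line" ] || continue
        if ! mac=$(normalize_mac "$line"); then
            printf 'skipping invalid entry: %s\n' "$line" >&2
            continue
        fi
        case "$seen" in *" $mac "*) continue ;; esac         # already listed
        seen="$seen$mac "
        printf 'subclass "black-hole" %s;\n' "$mac"
    done
}

# Constructed sample list: the first two addresses are the ones used in the
# post, written in different notations; the last two are a duplicate and a typo.
SAMPLE='00:12:ba:1d:c1:b7
00-12-DF-B6-7B-E7   # hyphenated, upper case
0012.ba1d.c1b7      # duplicate of the first entry
00:12:ba:1d:c1      # one byte short'

printf '%s\n' "$SAMPLE" | build_blackhole
```

The output is meant to be appended to /etc/zentyal/stubs/dhcp/dhcpd.conf.mas, followed by `sudo zs dhcp restart` as in the steps above.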

Ppbottle

Re: Denying DHCP leases by MAC Address
« Reply #2 on: February 27, 2018, 10:21:27 pm »
Thank you, Julio. I appreciate the help. I'm trying it out and will get back to you with what happens. DHCP leases are set for a week at the moment, so we will see when that time is up if they can renew the lease or not.

Ppbottle

Re: Denying DHCP leases by MAC Address
« Reply #3 on: April 20, 2018, 08:54:03 pm »
Thanks Julio, it worked!
« Last Edit: April 20, 2018, 11:24:24 pm by Ppbottle »

julio

  • Guest
Re: Denying DHCP leases by MAC Address
« Reply #4 on: April 21, 2018, 01:34:23 pm »
I'm glad to help you! :)

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
Re: Denying DHCP leases by MAC Address
« Reply #5 on: May 06, 2018, 10:42:16 pm »
Another way to solve the problem is to allow connections to Zentyal from a permitted network object using firewall rules. Switching to RADIUS authentication also might be very informative as to how the students are getting the passwords.

julio

  • Guest
Re: Denying DHCP leases by MAC Address
« Reply #6 on: May 06, 2018, 10:56:32 pm »
Or use pfSense, and all such things just work out of the box... ;)