FreeRADIUS is a common tool for setting up enterprise WiFi authentication. But in a public institution, e.g. a school, sooner or later your WiFi users' passwords will leak out, and after the password changes your logs fill up with incorrect logins from the mischievous students. Solution: build a script that scans the logfile for incorrect logins and bans the MAC addresses of those devices. Here is a little help on how to start thinking:
add the following to your /etc/freeradius/modules/files:
    files rejectmac {
        key = "%{Calling-Station-ID}"
        usersfile = ${confdir}/rejectmacaddress.txt
        compat = no
    }
add the following to the authorize{} section of your /etc/freeradius/sites/sites-enabled/default:
    rejectmac
    if (ok) {
        reject
    }
create a new file /etc/freeradius/rejectmac.conf and add:
    passwd rejectmac {
        filename = /etc/freeradius/rejectmacaddress.txt
        delimiter = ,
        format = "*Calling-Station-Id"
    }
create a new file /etc/freeradius/rejectmacaddress.txt and fill it with the kiddies' MACs like this:
    78-F8-82-F3-8F-58,B4-CE-F6-4D-74-93,B0-45-19-C6-17-D1,50-F0-D3-1D-42-CE,00-5A-05-90-08-FE,88-07-4B-D1-17-15
add this to the beginning of your radiusd.conf:
    $INCLUDE rejectmac.conf
restart your freeradius daemon and get ready to go home.
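A starting point for the log-scanning script mentioned at the top, as an added example that is not part of the original post: it counts failed logins per MAC and builds the comma-separated line for rejectmacaddress.txt. The log line format (FreeRADIUS 2.x with auth logging enabled), the threshold, the allowlist and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed FreeRADIUS 2.x radius.log line (needs "auth = yes" in the log{} section):
#   <date> : Auth: Login incorrect: [user] (from client ap1 port 0 cli 02-00-00-00-00-01)
# The MAC is anchored to the end of the line so that text typed into the
# user name field cannot pose as the cli value.
FAILED = re.compile(
    r"Auth: Login incorrect.*\bcli ([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\)\s*$")

def macs_to_ban(lines, threshold=3, allowlist=()):
    """Return MACs with at least `threshold` failed logins, spelled as logged."""
    fails = Counter()
    for line in lines:
        hit = FAILED.search(line)
        if hit:
            fails[hit.group(1)] += 1
    return sorted(m for m, n in fails.items() if n >= threshold and m not in allowlist)

def merge_ban_line(existing, new_macs):
    """Merge into the single comma-separated line used by rejectmacaddress.txt."""
    current = {m.strip() for m in existing.split(",") if m.strip()}
    return ",".join(sorted(current | set(new_macs)))

# Constructed sample log lines (not real devices or users).
SAMPLE = [
    "Mon Mar  4 10:15:01 2013 : Auth: Login incorrect: [pupil1] (from client ap1 port 0 cli 02-00-00-00-00-01)",
    "Mon Mar  4 10:15:03 2013 : Auth: Login incorrect: [pupil1] (from client ap1 port 0 cli 02-00-00-00-00-01)",
    "Mon Mar  4 10:15:04 2013 : Auth: Login OK: [teacher] (from client ap1 port 0 cli 02-00-00-00-00-02)",
    "Mon Mar  4 10:15:06 2013 : Auth: Login incorrect: [pupil1] (from client ap1 port 0 cli 02-00-00-00-00-01)",
    "Mon Mar  4 10:15:09 2013 : Auth: Login incorrect: [x cli 02-00-00-00-00-02)] (from client ap1 port 0 cli 02-00-00-00-00-03)",
]

if __name__ == "__main__":
    banned = macs_to_ban(SAMPLE)
    # Existing file content is passed in as a string; here a constructed one.
    print(merge_ban_line("02-00-00-00-00-09", banned))
```

The MAC is kept exactly as logged because the lookup is a string match on Calling-Station-Id. A MAC can be set by the client, so put staff and infrastructure devices in the allowlist.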
Hi!
As a school sysadmin I am struggling with the same problem. (By the way, I found your blog through your e-book tutorial.) On what kind of system can this be done? And do you ask the kids for their phones one by one to get the MAC addresses? Please reply here: elistvan at gmail dot com Thanks! István
Oh, oops, I see from the tags that it's Linux. Do you perhaps have a Windows solution for the problem as well?