Solved

How to block rogue MAC addresses from authentication attempts!!

Posted on 2008-06-17
7
1,011 Views
Last Modified: 2013-11-09
We have a wireless network installed using HP products: we have a WESM, HP 2800, 5300xl, 5406zl switches, and HP 2300 radio ports. We are using a RADIUS server and MAC authentication to control access. The problem is that anybody with a wifi device coming into our network continuously tries to authenticate... usually about 200 times per hour. This fills up all our logs and ruins real-time information in ProCurve. Is there a way to select MAC addresses and block them from interrogating the network?? Or at least stop ProCurve from looking at them??
Question by:gpccit
7 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 21810076
You could disable transmission of the SSID.
This would prevent wifi devices trying to connect unless they know the SSID.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 21816538
If they're deliberately trying to connect, hiding the SSID isn't going to stop that - not only do they already know what it is, but they could easily capture packets for a while and find out what it is again even if you do change it then hide it. They aren't trying to authenticate via 802.1x (RADIUS) accidentally.

Could you please be more specific about what equipment you have?

Product search results

No search results were found that match "2300 radio ports" in HP ProCurve Networking

Results for "hp 2300" (257 products)

Results for "hp 2800"  
More than 300 products contain the term "hp 2800".

Results for "5300xl" (7 products)
» ProCurve 5304xl Switch
» ProCurve 5304xl-32G Switch
» ProCurve 5308xl Switch
» ProCurve 5308xl-48G Switch
» ProCurve 5348xl Switch
» ProCurve 5372xl Factory Racked Switch
» ProCurve 5372xl Switch
0
 

Author Comment

by:gpccit
ID: 21818219
Sorry, radio port 230s... too many zeros...
0
 
LVL 44

Expert Comment

by:Darr247
ID: 21818330
That still leaves

Results for "hp 2800"  
More than 300 products contain the term "hp 2800".

Results for "5300xl" (7 products)
» ProCurve 5304xl Switch
» ProCurve 5304xl-32G Switch
» ProCurve 5308xl Switch
» ProCurve 5308xl-48G Switch
» ProCurve 5348xl Switch
» ProCurve 5372xl Factory Racked Switch
» ProCurve 5372xl Switch
0
 

Author Comment

by:gpccit
ID: 21818745
OK, not broadcasting the SSID hasn't worked. So, the extra info requested:

2800's:
2848
2810-24g
2810-48g
2824

5300xls:
5304
5304xl
5308

5406zls:
5406zl

I guess what we are specifically looking for is a way to stop all these unauthenticated MACs from repeatedly trying to authenticate and therefore filling up logs in ProCurve, e.g. 1 particular MAC tried to authenticate 158 times between 9-10am this morning...
0
 
LVL 44

Accepted Solution

by:
Darr247 earned 125 total points
ID: 21826581
It looks like on the zl's you can create 'MAC extended ACL' lists, then add rules to 'deny [mac address]'.

Create a new list and you should find MAC extended list in the ACL Type picklist.

You should find that ability in Security > ACLs > Configuration in the web interface.

After creating the new list you'll need to add a rule for each MAC address you want to explicitly block. You can also use masks to deny access to entire blocks of MAC addresses, but I think that could create problems down the road if one of your machines happens to have a MAC address in one of the blocks of MAC addresses filtered.

ACLs should be covered in detail by chapter 7 of the WESM-zl-MgmtCfg*.PDF manuals.
0
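The accepted answer leaves two practical steps to the reader: deciding which MACs are noisy enough to deserve an explicit deny rule (the author's "158 times between 9-10am" case), and checking that a masked deny rule would not also catch one of your own machines. The following is added example code, not from this thread or from HP: the log line format, the MAC addresses and the mask semantics (1 bits are compared, like an IP netmask) are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not real ProCurve/RADIUS output): one noisy client
# fails 158 times in the 09:00 hour, one legitimate client fails twice.
NOISY_MAC = "00-1a-2b-3c-4d-5e"   # hypothetical address, hyphen format
QUIET_MAC = "00:1b:78:aa:bb:cc"   # hypothetical address, colon format


def _constructed_log():
    lines = []
    for i in range(158):
        minute, second = divmod(i * 22, 60)   # spread across the 09:00 hour
        lines.append(f"2008-06-17 09:{minute:02d}:{second:02d} auth-fail mac={NOISY_MAC}")
    lines.append(f"2008-06-17 09:15:03 auth-fail mac={QUIET_MAC}")
    lines.append(f"2008-06-17 10:02:41 auth-fail mac={QUIET_MAC}")
    lines.append(f"2008-06-17 10:05:00 auth-ok mac={QUIET_MAC}")   # success, not counted
    return "\n".join(lines)


# Assumed line shape: "<date> <HH>:<MM>:<SS> auth-fail mac=<address>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} auth-fail mac=(\S+)")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def failures_per_hour(log_text):
    """Map (mac, 'YYYY-MM-DD HH') -> number of failed authentications in that hour."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hour, mac = m.groups()
        counts[(normalize_mac(mac), hour)] += 1
    return dict(counts)


def repeat_offenders(log_text, threshold=100):
    """MACs whose worst hour reaches the threshold, worst first: [(mac, (count, hour)), ...]."""
    worst = {}
    for (mac, hour), n in failures_per_hour(log_text).items():
        if n >= threshold and n > worst.get(mac, (0, ""))[0]:
            worst[mac] = (n, hour)
    return sorted(worst.items(), key=lambda kv: -kv[1][0])


def mac_to_int(mac):
    return int(normalize_mac(mac).replace(":", ""), 16)


def mask_collisions(deny_mac, deny_mask, authorized_macs):
    """Authorized MACs that a masked deny rule would also block.

    Assumes mask bits set to 1 are compared and 0 bits ignored (netmask style);
    check your platform's documented mask convention before relying on this.
    """
    mask = mac_to_int(deny_mask)
    target = mac_to_int(deny_mac) & mask
    return [normalize_mac(m) for m in authorized_macs if mac_to_int(m) & mask == target]


if __name__ == "__main__":
    log = _constructed_log()
    for mac, (n, hour) in repeat_offenders(log):
        print(f"deny candidate {mac}: {n} failures in hour {hour}")
    # A whole-OUI deny would also catch one of our own (hypothetical) machines:
    print(mask_collisions("00:1a:2b:00:00:00", "ff:ff:ff:00:00:00",
                          ["00:1a:2b:99:99:99", QUIET_MAC]))
```

Run it against an export of the real failed-authentication log to get the per-MAC deny list; run `mask_collisions` with your inventory of known-good MACs before committing any masked rule, since a mask that covers a vendor prefix will silently block every device you own from that vendor.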
 

Author Closing Comment

by:gpccit
ID: 31468196
That seems to have done it!! We are monitoring currently, and 1 person seems to be slipping through the ACLs each morning, but instead of 6500 failed authentications we are receiving 1 or 2... so thanks heaps!
0
