Solved

How to block rogue MAC addresses from authentication attempts!!

Posted on 2008-06-17
Last Modified: 2013-11-09
We have a wireless network installed, using HP products; we have a WESM, HP 2800, 5300xl, 5406zl switches, and HP 2300 radio ports. We are using a RADIUS server and MAC authentication to control access. The problem is that anybody with a wifi device coming into our network continuously tries to authenticate... usually about 200 times per hour. This fills up all our logs and ruins realtime information in ProCurve. Is there a way to select MAC addresses and block them from interrogating the network? Or at least stop ProCurve from looking at them?
Question by:gpccit
LVL 13

Expert Comment

by:kdearing
ID: 21810076
You could disable transmission of the SSID.
This would prevent wifi devices trying to connect unless they know the SSID.
 
LVL 44

Expert Comment

by:Darr247
ID: 21816538
If they're deliberately trying to connect, hiding the SSID isn't going to stop that - not only do they already know what it is, but they could easily capture packets for a while and find out what it is again even if you do change it then hide it. They aren't trying to authenticate via 802.1x (RADIUS) accidentally.

Could you please be more specific about what equipment you have?

Product search results

No search results were found that match "2300 radio ports" in HP ProCurve Networking

Results for "hp 2300" (257 products)

Results for "hp 2800"  
More than 300 products contain the term "hp 2800".

Results for "5300xl" (7 products)
» ProCurve 5304xl Switch
» ProCurve 5304xl-32G Switch
» ProCurve 5308xl Switch
» ProCurve 5308xl-48G Switch
» ProCurve 5348xl Switch
» ProCurve 5372xl Factory Racked Switch
» ProCurve 5372xl Switch
 

Author Comment

by:gpccit
ID: 21818219
Sorry, radio port 230's.... too many zeros.....
 
LVL 44

Expert Comment

by:Darr247
ID: 21818330
That still leaves

Results for "hp 2800"  
More than 300 products contain the term "hp 2800".

Results for "5300xl" (7 products)
» ProCurve 5304xl Switch
» ProCurve 5304xl-32G Switch
» ProCurve 5308xl Switch
» ProCurve 5308xl-48G Switch
» ProCurve 5348xl Switch
» ProCurve 5372xl Factory Racked Switch
» ProCurve 5372xl Switch
 

Author Comment

by:gpccit
ID: 21818745
Ok not broadcasting the SSID hasn't worked. So extra info requested:

2800's:
2848
2810-24g
2810-48g
2824

5300xls:
5304
5304xl
5308

5406zls:
5406zl

I guess what we are specifically looking for is a way to stop all these unauthenticated macs from repeatedly trying to authenticate and therefore filling up logs in procurve... eg 1 particular mac tried to authenticate 158 times between 9-10am this morn...
 
LVL 44

Accepted Solution

by:
Darr247 earned 125 total points
ID: 21826581
It looks like in the zl's you can create 'MAC extended ACL' lists, then Add rules to 'deny [mac address]'.

Create a new list and you should find MAC extended list in the ACL Type picklist.

You should find that ability in Security > ACLs > Configuration in the web interface.

After creating the new list you'll need to add a rule for each MAC address you want to explicitly block. You can also use masks to deny access to entire blocks of MAC addresses, but I think that could create problems down the road if one of your machines happens to have a MAC address in one of the blocks of MAC addresses filtered.

ACLs should be covered in detail by chapter 7 of the WESM-zl-MgmtCfg*.PDF manuals.
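Added example, not part of the original thread and not HP code: a Python sketch that picks deny-list candidates from authentication logs and checks whether a masked deny rule would also catch an authorized device, which is the risk the answer above raises about masks. The log line format, the MAC addresses, the inventory and the mask convention (a 1 bit means "must match") are all assumptions; check the mask semantics against the WESM manual before translating results into rules.

```python
import re
from collections import Counter

# Constructed sample data: addresses, inventory and log format are assumptions.
ROGUE = "02:AA:BB:3C:4D:5E"
AUTHORIZED = {"02:aa:bb:99:00:01", "02:cc:dd:aa:bb:01"}
SAMPLE_LOG = "\n".join(
    [f"2008-06-18T09:{i % 60:02d}:00 mac-auth FAIL {ROGUE}" for i in range(158)]
    + ["2008-06-18T09:05:00 mac-auth FAIL 02-cc-dd-aa-bb-01",
       "2008-06-18T09:05:09 mac-auth OK 02-cc-dd-aa-bb-01",
       "2008-06-18T10:00:00 mac-auth FAIL 02:aa:bb:3c:4d:5e"])

LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} mac-auth (OK|FAIL) ([0-9A-Fa-f:.-]+)$")

def mac_to_int(mac):
    """Normalize any common MAC notation to a 48-bit integer."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def noisy_macs(log_text, threshold):
    """Return {mac: worst failures in one clock hour} for MACs >= threshold."""
    per_hour = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(2) == "FAIL":
            per_hour[(mac_to_int(m.group(3)), m.group(1))] += 1
    worst = {}
    for (mac, _hour), count in per_hour.items():
        worst[mac] = max(worst.get(mac, 0), count)
    return {f"{mac:012x}": n for mac, n in worst.items() if n >= threshold}

def collateral(rule_mac, care_mask, authorized):
    """Authorized MACs that a deny rule with this mask would also match.
    Assumption: mask bits set to 1 must match; some devices invert this."""
    rule, mask = mac_to_int(rule_mac), mac_to_int(care_mask)
    return sorted(a for a in authorized
                  if (mac_to_int(a) & mask) == (rule & mask))

if __name__ == "__main__":
    print("deny candidates:", noisy_macs(SAMPLE_LOG, threshold=50))
    print("hit by OUI-wide mask:",
          collateral(ROGUE, "ff:ff:ff:00:00:00", AUTHORIZED))
    print("hit by exact match:",
          collateral(ROGUE, "ff:ff:ff:ff:ff:ff", AUTHORIZED))
```

Run `collateral` for every masked rule before adding it; a non-empty result means the rule should be narrowed to exact addresses.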
 

Author Closing Comment

by:gpccit
ID: 31468196
That seems to have done it!! We are monitoring currently, and 1 person seems to be slipping through the ACLs each morning, but instead of 6500 failed authentications we are receiving 1 or 2... so thanks heaps!