02-12-2015 04:20 PM
Hello All,
I'm new to networking and I'm having an issue with ACLs. My router is an RVS4000 which connects to an SG300. The SG300 is in layer 3 mode and distributes to other SG300/200s which connect to multiple WAP321s. I have them all configured for two VLANs, public (10) and private (1). I need a way to keep my student laptops off of the public network for monitoring purposes. I'd hoped to do this with a MAC-based ACL, but I'm wondering if this is the best way and if the ACL should be on the WAPs or the main switch. Any advice and/or assistance writing the ACL would be much appreciated.
02-14-2015 03:27 AM
> wap321s clustered so does that mean when I apply the ACL to one unit, it will propagate to the others?
Yes, that's the point of clustering: making administration easier by propagating the configuration to all units instead of configuring each WAP separately. More about the features and advantages of WAP clustering you can find here.
But instead of using an ACL I would recommend using MAC Filtering (Wireless -> MAC Filtering), for two reasons:
If you decide to use MAC filtering, do not forget to choose the Local MAC filter option inside the SSID configuration section.
02-12-2015 06:44 PM
Hello,
I was discussing this post with several people and we all have a different idea about what you mean, so let me tell you what I believe you are asking and then we can go from there.
I think that you want to prevent the student laptops from connecting to the public SSID.
I don't think that your issue is with the VLANs or traffic or anything; it's just about the fact that you want to make sure the students only use the private VLAN and are unable to use the public one.
If that is the case then yes, pretty much the only option is to create some kind of rule pertaining to the MAC addresses of the laptops.
Now, it may be a good idea to consider using group policies or another sort of software or permissions restrictions on the laptops themselves.
Here is a link to setting this up using group policies:
02-12-2015 07:49 PM
That's exactly what I need to do. But our school is an all-Mac environment. Do you know if group policies are possible with OS X? I've searched for an answer to this in vain.
02-12-2015 07:58 PM
I'm sorry, I really have no idea about the Mac environment.
In regards to the APs, you can definitely configure them to reject connections from the specific laptops to a determined SSID using the MAC FILTER.
I hope this helps.
02-13-2015 10:46 AM
Understandable. Thanks for the assistance cchamorr. It's an excellent idea. I'll definitely continue trying to find a group policy blacklist/whitelist option for Macs.
02-19-2015 03:50 PM
Hello,
I have been thinking about your case, and, while using my Mac, I discovered something that I was not aware existed. Now, I'm not sure this will work on your network or on your setup, but I thought it was worth mentioning.
Now, this will only work if your students don't have administrator accounts for the Macs.
Here are the steps:
1- Go to System Preferences -> Network
2- Select your Wi-Fi adapter on the left and hit Advanced
3- On the next screen select the Wi-Fi tab and you will find an option to Require administrator authorization to change networks. Enable it.
4- When a non-administrator user tries to change the Wi-Fi connection they will be prompted to enter a password.
Please look at the screenshots
Hope this information was helpful.
02-19-2015 04:18 PM
That would be a perfect solution except that they are allowed to take the laptops home overnight and on the weekends. They need access to other Wi-Fi networks.
I've set up a local deny list on the WAPs for the Public network and it has worked well so far. Thanks for the advice though.
02-19-2015 04:30 PM
Thank you for the reply,
I just thought it was worth the try.
I'm glad it is working fine for you now.
02-13-2015 02:02 AM
Hi
OK, it seems you are looking for a way to block access to the guest SSID for the school's Mac laptops. As you mentioned, the first limitation that comes into this scenario is related to client MAC address authorization - of course only in the case that students can't change the MAC addresses on those laptops on their own.
For implementing that restriction I would suggest doing it on the WAPs. You mention WAP321s, which have clustering functionality, so you can simply prepare and update the MAC filtering list once, in one place, and it will be applied to all WAP units, which makes the whole filtering management easier. Also, doing this filtering on the WAPs (closest to the clients) ensures that students will not even be able to connect to the Wi-Fi and will not occupy a place on the WAP (as we know, WAP321 units have a limit of max 32 connected clients).
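As an added example (not from this thread, and not Cisco's own tooling), here is a small Python helper that does the two things this post and the accepted answer describe: normalizing the inventory of laptop MACs into one clean deny list that can be pasted into the WAPs' local MAC filter, and auditing association log lines to confirm that no denied MAC still reaches the Public SSID (which would point at an AP outside the cluster, a stale list, or a changed MAC). The SSID name, the MAC addresses and the log line format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory of student laptops in the mixed spellings an export might use
# (hypothetical MACs, not from the thread).
STUDENT_MACS_RAW = ["00:11:22:AA:bb:CC", "0011.22aa.bbdd", "00-11-22-AA-BB-EE"]

PUBLIC_SSID = "Public"  # assumption: the guest SSID on VLAN 10 is named "Public"

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonicalise colon/dash/dot/plain MAC spellings to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_deny_list(raw_macs):
    """Return a sorted, de-duplicated list ready to paste into a local MAC filter."""
    return sorted({normalize_mac(m) for m in raw_macs})


# Constructed association events in a syslog-like shape (assumed format, not real WAP321 output).
SAMPLE_EVENTS = """\
Feb 19 15:01:02 wap-lib hostapd: wlan0: STA 00:11:22:aa:bb:cc associated ssid=Public
Feb 19 15:02:10 wap-lib hostapd: wlan0: STA 00:11:22:aa:bb:dd associated ssid=Private
Feb 19 15:03:44 wap-gym hostapd: wlan1: STA 00:11:22:AA:BB:EE associated ssid=Public
Feb 19 15:04:00 wap-gym hostapd: wlan1: STA 00:11:22:aa:bb:ee associated ssid=Public
Feb 19 15:05:30 wap-lib hostapd: wlan0: STA de:ad:be:ef:00:01 associated ssid=Public
"""

_EVENT = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<ap>\S+) .*STA (?P<mac>[0-9A-Fa-f:]{17}) associated ssid=(?P<ssid>\S+)")


def audit(events, deny_list, public_ssid=PUBLIC_SSID):
    """Count, per denied MAC, associations to the public SSID that the filter should have blocked."""
    denied = set(deny_list)
    hits = defaultdict(int)
    for line in events.splitlines():
        m = _EVENT.match(line)
        if m and m["ssid"] == public_ssid and normalize_mac(m["mac"]) in denied:
            hits[normalize_mac(m["mac"])] += 1
    return dict(hits)


if __name__ == "__main__":
    deny = build_deny_list(STUDENT_MACS_RAW)
    print("\n".join(deny))
    for mac, n in audit(SAMPLE_EVENTS, deny).items():
        print(f"{mac} reached {PUBLIC_SSID} {n}x: deny list missing on that AP or MAC reused")
```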
02-13-2015 10:44 AM
Hi Michal, and thanks for your help.
The students don't have admin access to the laptops and cannot change their MAC addresses. I do have the WAP321s clustered, so does that mean when I apply the ACL to one unit, it will propagate to the others? Also, do you know of any documentation on building such an ACL? I want to allow them access to the Private network but deny access to the Public. Specifically, will the "VLAN ID" options deny traffic to the selected VLAN?