Need a web page to get MAC address - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Lounge » Need a web page to get MAC address

Page 1 of 1

1

Topic Options

#169071 - 2006-10-09 03:38 AM Need a web page to get MAC address
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	I am setting up a captive portal using m0n0wall on a WRAP SBC. Instead of using UserIDs and passwords that users are apt to share with others, I'm thinking to have some script pull the MAC and use it for the UserID. The user then only enters the password. Since each password is unique to the MAC, they cannot share the password with others. Now I don't know enough about PHP and the embedded linux on a WRAP to know if or how to do server-side scripting, but client-side might do it. Ideas anyone? _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#169072 - 2006-10-09 06:13 AM Re: Need a web page to get MAC address
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	well. you may need to use IE to use vbscript with which you can pull it. just wonder. vbs needs to have some createobject line and IE security might deny that from working. anyway, if you find a way, the onload event of the page will be perfect to run the script or form submit event.
Top

#169073 - 2006-10-09 06:29 AM Re: Need a web page to get MAC address
Witto Witto MM club member Registered: 2004-09-29 Posts: 1828 Loc: Belgium	What if a computer has two NICs (wired & wireless)?
Top

#169074 - 2006-10-09 07:56 AM Re: Need a web page to get MAC address
Gargoyle Gargoyle MM club member Registered: 2004-03-09 Posts: 1597 Loc: Valley of the Sun (Arizona, US...	Another consideration is if any of the users will be "routed" to the web server. In that case you will not be able to use a server side "arp request" to obtain the mac, as the next hop router will answer with it's mac address.
Top

#169075 - 2006-10-09 09:44 AM Re: Need a web page to get MAC address
masken masken MM club member Registered: 2000-11-27 Posts: 1222 Loc: Gothenburg, Sweden	I think you can get the GUID without the web page going insecure in the browser. Think that's what poll/voting-pages normally use. It's even better than the MAC, you can change NIC without the GUID changing hehe In ASP.NET you have this: http://msdn2.microsoft.com/en-us/library...ionsection.aspx Edited by masken (2006-10-09 09:48 AM)
Top

#169076 - 2006-10-09 09:58 AM Re: Need a web page to get MAC address
Richard H. Richard H. Administrator Registered: 2000-01-24 Posts: 4946 Loc: Leatherhead, Surrey, UK	Quote: I think you can get the GUID without the web page going insecure in the browser. Think that's what poll/voting-pages normally use. That's windows only isn't it? I would have thought that cookies would be more portable. Les, are you going to have problems with the user using another computer or terminal server / citrix logins? I can't imagine your users are going to remember their "usual" MAC address if they are not at their usual computer.
Top

#169077 - 2006-10-09 10:15 AM Re: Need a web page to get MAC address
masken masken MM club member Registered: 2000-11-27 Posts: 1222 Loc: Gothenburg, Sweden	No I don't think so. I think all machines (at least since a couple of years back) have GUID's. It's stored in BIOS. The whole idea of this is to keep it session/cookie free.
Top

#169078 - 2006-10-09 12:44 PM Re: Need a web page to get MAC address
Richard H. Richard H. Administrator Registered: 2000-01-24 Posts: 4946 Loc: Leatherhead, Surrey, UK	You could also use the computername rather than the MAC - that'd get around the multiple NIC and change-of-NIC issues, though it wouldn't help in multi-user environments.
Top

#169079 - 2006-10-09 02:46 PM Re: Need a web page to get MAC address
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Thanks guys, will try to address all of your points. 1. The "users" are not my users. The HotSpot is not for company employees. It is for visitors/guests. 2. Initially, it is just for WiFi though I haven't ruled out wired clients. 3. The m0n0wall server is running a small version of linux in RAM from a CF card. There is little chance that there would be any server-side code. 4. There is no router between the client and the m0n0wall router/firewall. 5. If the computer has two NICs and they are both active, I would want to deny access. 6. If users roam to a different PC, they are to be denied access unless of course they have registered the other PC and received a password. In other words, I want access control per PC, not per user. If I simply put their MAC in the captive portal bypass list, they get access but no longer get the AUP/TOU that they need to consent to. I suppose it doesn't have to be the MAC address, I just thought it was something easily had and unique. I was hoping is was as simple as the getting the IP like http://www.ipchicken.com/ . That GUID looks interesting but I think it is server-side. Computername is a possibility. What I need to do is have safeguards to ensure company employees do not gain access to the internet via this wireless HotSpot. Again, this is for non-employees only.
Top

#169080 - 2006-10-09 03:42 PM Re: Need a web page to get MAC address
Richard H. Richard H. Administrator Registered: 2000-01-24 Posts: 4946 Loc: Leatherhead, Surrey, UK	Have a look at this page: http://doc.m0n0.ch/handbook/faq-macfilt.html Specifically 16.6.1. Using Captive Portal and MAC pass-through looks like it might do what you want.
Top

#169081 - 2006-10-10 03:31 AM Re: Need a web page to get MAC address
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Quote: If I simply put their MAC in the captive portal bypass list, they get access but no longer get the AUP/TOU that they need to consent to. I know all about pass-through and am doing it now. The problem with that is as soon as you enter their MAC, they no longer get the AUP/TOU. Also, there is no authentication at all, so all someone needs to do is spoof an allowed MAC. Since I plan to change the password every week, spoofing a MAC that I hoped to pass as the UserID means they still need the password. If everyone used the same hidden ID, only the PWD would need to be shared. If the users get to type in a unique UserID, they are still likely to share their ID/PWD and that is what I hope to avoid.
Top

#169082 - 2006-10-10 09:08 AM Re: Need a web page to get MAC address
Richard H. Richard H. Administrator Registered: 2000-01-24 Posts: 4946 Loc: Leatherhead, Surrey, UK	How about this technique then. Configure your DHCP server so that computers which are to be allowed access have a reserved IP address. Configure a firewall rule on the hotspot device that only allows access for the reserved IP addresses. You could also use the DHCP server built into the device to issue the reserved IP addresses on a new "guest" subnet seperate from your normal user LAN if that would make control easier. If your users do not have privilege to allocate static addresses to their NICs then they cannot steal a guest DHCP assigned address, so the reserved IP address is just about secure as a MAC address for this purpose.
Top

#169083 - 2006-10-15 04:21 PM Re: Need a web page to get MAC address
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Again, they (the intended captive portal users) are not "my users" and the computers not under my control. Also, the captive portal network is entirely separate from my "normal user LAN". That said, my users (potential unintended captive portal users) are what I am most concerned about as well as public trash trying to leech free internet and potential malfeasance. While I do control the domain member computers, I have also caught users bringing in from home their personal laptops. A couple of them have eluded me, disappearing before I can complete a switch traceroute. Catching a wireless leech would be that much tougher. Presently, I have only two APs serving two buildings and I've located them so that the structure and terrain limit their range but as I build this out with more APs and more coverage, it will have a larger attack surface. I also plan to deploy another larger coverage area but that I intend to use WPA on and it will not be part of the hotspot. Yes, I could setup a DHCP reservation for each user PC I authorize and have corresponding firewall rules. That way simple possesion of username/password would stop some of them. Still, it is not the same security as a three way match as may be had with some two factor authentication methods. I realize that I am changing the scope of requirements now since my first request was more "security by ignorance" than real two factor authentication. I can also do static ARP in m0n0 to further encumber IP stealers but that too can be overcome by MAC spoofing. Oh, what a tangled web we weave, trying to implement security. As you see, it is starting to get overly complicated and labour intensive to grant a guest access for a day or a week. I'm wondering if setting up a RADIUS server wouldn't make more sense and whether it would give me real two factor authentication. I'm open to suggestions.
Top

#169084 - 2006-10-15 04:36 PM Re: Need a web page to get MAC address
Gargoyle Gargoyle MM club member Registered: 2004-03-09 Posts: 1597 Loc: Valley of the Sun (Arizona, US...	Can you support 802.1x? You would still need some sort of authentication server Radius or Tacacs+. This is the route that we are going with, and then we will be able to issue certificates for each computer that is allowed on the network, and we control when the certificates expire.
Top

#169085 - 2006-10-15 11:01 PM Re: Need a web page to get MAC address
Sealeopard Sealeopard KiX Master Registered: 2001-04-25 Posts: 11165 Loc: Boston, MA, USA	What we ended up doing is allowing such a network only inernet access as a separate LAN. In order to get back into the corporate network, one has to go to our SSL VPN, authenticate, and then the internal network is available again. We also have a Cisco security agent for NAC purposes that is requried in order to use the SSL VPN, even contractors or other external computers. If you're concerned about the type of device connecting to your internal network then primarily agent-based Network Access Control would be the way to go. _________________________ There are two types of vessels, submarines and targets.
Top

#169086 - 2006-10-16 02:37 AM Re: Need a web page to get MAC address
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Quote: Can you support 802.1x? Is this question in relation to my isolated hotspot network with captive portal or one of my business, production, or process networks? I cannot see 802.x working in a hotspot since a new client would not get access to the hotspot welcome page with TOU/AUP. That said, I would love to lock down my other networks with 802.1x and I have started upgrading my network switches to support it but still have old unsupported legacy gear. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#169087 - 2006-10-16 03:31 AM Re: Need a web page to get MAC address
Gargoyle Gargoyle MM club member Registered: 2004-03-09 Posts: 1597 Loc: Valley of the Sun (Arizona, US...	I was thinking of your hotspot. If you were to issue them a cert, then they should be able to authenticate with said cert and 802.1x. Assuming your WAP can support it. We have a policy in place that only Cisco Airo can be used for that specific reason.
Top

#169088 - 2006-10-16 04:06 AM Re: Need a web page to get MAC address
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Buffalo APs.
Top

#169089 - 2006-10-20 03:43 AM Re: Need a web page to get MAC address
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	I took a look at what a RADIUS server would do for me. Basically it can provide the MAC address to m0n0 as the UserID. That's it... no two factor... no three way match. Ja, I know... pretty much what I was looking for in my first post but managing the accounts in RADIUS is a big PITA. I decided to go with individual named accounts and passwords that expire after a short time. I disabled concurrency so that should curb sharing. For added security, I will also do reserved IPs and created a rule in the firewall for that range of IPs.
Top

#169090 - 2006-11-03 02:35 AM Re: Need a web page to get MAC address
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	A quick update... Having a hard rule in the firewall forbidding all unauthorized computers doesn't work. If the user cannot get to a site, they don't get redirected by the captive portal. DOH! What I ended up doing was to allow only HTTP for unauthorized computers that borrow or steal a password and I setup Traffic shaper to slow their access to 20kbps down and 10kbps up. Someone that steals a password should be disappointed enough with the slow speed to give up and if they don't, the slow speed will limit the damage they can inflict. Only those that I authorize will get full bandwidth and full functionality. I got that working pretty slick. So far I've been trapping a few employees in my "HoneyPot". Company policy forbids their connecting to an AP while they are network connected. Of course they claim ignorance even when presented with the evidence. I don't know whether I should believe them or not. How does one connect to an AP by accident? Why would they even have their wireless card turned on in the office? I have also seen one non-company computer connect to the AP several times but there does not appear to be any attempted access according to the logs. I guess maybe people can connect by accicent. Now I need to find a way to track down these wireless critters.
Top

Page 1 of 1

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart

Hop to:

Shout Box

Who's Online

0 registered and 323 anonymous users online.

Newest Members

Audio, Hoschi, Comet, rrosell, PatrickPinto
17880 Registered Users

Generated in 0.074 seconds in which 0.026 seconds were spent on a total of 12 queries. Zlib compression enabled.

click tracking