Deny dhcp lease and lan access to unknow and unwanted devices
-
it's possible to deny dhcp ip release and lan access to unknow / unwanted devices who can try to connect via ethernet cable or wifi?
Here is my actual situation:
telecom modem >
> PfSense >
> Office LAN via cable and
> Wifi AP withouth dhcp server only pfsense has DHCP server.PfSense with mac filter + arp ip filter to release dhcp
every employee has its own office assigned pc with known mac and ip
But...
If someone clone a mac and use same ip of its office pc and shutdown the office pc, and use its own personal laptop, pfsense release ip and lend access.There is a way to prevent this?
Can pfsense check something else beside mac and ip from lan pc exmaple a specific hwid not clonable?or any other way please?
thanks for your time -
uhm , afaik nothing ...
maybe security port on the switch and NAC can be of help.
static arp or DAI can't help on that .. -
@T-Soprano said in Deny dhcp lease and lan access to unknow and unwanted devices:
If someone clone a mac and use same ip of its office pc and shutdown the office pc, and use its own personal laptop, pfsense release ip and lend access.
If they'e spoofing the MAC and plugging into the same switch port, then nothing can be done, as there is no way to tell which computer it is.
-
You want to prevent someone from removing device X from port Y, and then using same mac as device X or port Y?
Yeah that is not really possible without a NAC/PNAC, that checks other stuff.. Not something you can do with just pfsense. 802.1x can be used to auth a device, etc.
If you want to stop device Z from turning off device X, and then plugging into different port using device X mac - then you could just use port security on your switch ports.
If this is only via wireless.. They would have to auth, with valid user creds - use something more than just wpa/wpa2 psk.. Setup wpa2-enterprise. Using something like eap-tls they would also need a valid cert to auth with, etc.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
OpenNAC, never used it but it may help you.
http://www.opennac.org/opennac/en.html
-
@T-Soprano
802.1X + Freeradius -
@johnpoz said in Deny dhcp lease and lan access to unknow and unwanted devices:
use something more than just wpa/wpa2 psk.
Even with PSK, if the admin enters the password and doesn't tell anyone what it it, then they could keep other computers off. Of course, that only works if the device doesn't make the password availalble.
-
yeah that would be a possibility I guess..
-
I've done this using a selfmade captive portal page, but thanks anyway for your hints.
