I work in the IT department for the residential housing area at my university (network operations is separate from ours). I've wondered how it is that when someone registers a MAC address on our device registration portal [to get wired internet access on campus], BlueCat Address Manager is able to detect whether it is a wired or wireless MAC address and assign an IP address from the campus-specific ranges accordingly. I know that there are some companies that require you to do remote work from a computer that has to be on a wired connection, and they have programs bundled with the software they give you that can tell the difference, but I have no clue how such a thing would be implemented. Do you have any idea how this is done? Is it right to assume that if a program can figure it out, there's something about the content of the MAC address, or other identifier of the device, that can be looked at to determine this? I would like to make a shell program that can replicate this for fun. In every case, this will be for a remote computer on the same network as mine, if that simplifies things.
- Security by MAC address is foolish. It is very easy to change the MAC address on an interface. – Ron Maupin Mar 07 '20 at 18:30
- @RonMaupin Well, I had no clue about that. It was just my assumption that MAC addresses were what they used since it's the only field that's required for device registration so it can be linked to a student's account. Now I'm quite a bit more confused about the whole process, since if changing MAC addresses on a device is so simple, how does this registration thing not fall through (unless it's just ripe for exploitation) 'o_o – A1_Brownies Mar 10 '20 at 04:21
- "_unless it's just ripe for exploitation_" That is probably the case. Anyone having or finding a registered MAC address could put that address on any other device to get access to the network. Many people just do not understand and depend on MAC addresses for security, and those people regularly get hacked. Sniffing the airwaves will give you validated MAC addresses that can be used to connect to a Wi-Fi network that uses MAC address security. – Ron Maupin Mar 10 '20 at 04:26
- Well! That's really something. Thanks for the info. – A1_Brownies Mar 10 '20 at 04:30
1 Answer
Do not use MAC addresses for security or authentication purposes. Those addresses can be trivially changed.
Instead, implement a (or use your existing) network access control solution. These use some combination of actual authentication, device and application fingerprinting, user agents, and integration with other means of device management.
Wireless APs can, and probably do, offer different subnets than the wired access switches. Different physical layer, different design constraints, and possibly a different vendor's equipment.
John Mahowald
- Ahh, I didn't even think of subnets! I'll have to look into this some more. Do you happen to have a good starter resource on hand that discusses different network access control solutions? – A1_Brownies Mar 10 '20 at 04:37
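The subnet point in the answer, as an added example that is not part of the original thread: the medium is inferred from which range a lease falls in, not from the MAC itself, and the same lease data can flag registered MACs that deserve a second look. The address ranges, lease records and function names are constructed assumptions, not the campus's real address plan.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan (constructed for this example, not real campus ranges).
SUBNETS = {
    "wired": [ipaddress.ip_network("10.20.0.0/16")],
    "wireless": [ipaddress.ip_network("10.30.0.0/16")],
}

# Constructed DHCP lease records: (MAC, leased IP).
LEASES = [
    ("00:1b:21:3a:4f:10", "10.20.4.17"),
    ("00:1b:21:3a:4f:10", "10.30.9.201"),  # same MAC, other medium
    ("3c:22:fb:90:12:ab", "10.30.1.5"),
    ("da:a1:19:00:00:01", "10.20.7.44"),   # locally administered MAC
    ("00:1b:21:77:00:02", "192.168.1.9"),  # outside the plan
]

def medium_for(ip):
    """Return the medium whose subnet contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for medium, nets in SUBNETS.items():
        if any(addr in net for net in nets):
            return medium
    return "unknown"

def locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set: not a burned-in address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def review(leases):
    """Classify each lease by subnet and flag MACs worth a second look."""
    seen = defaultdict(set)
    for mac, ip in leases:
        seen[mac.lower()].add(medium_for(ip))
    findings = {}
    for mac, media in seen.items():
        flags = []
        if {"wired", "wireless"} <= media:
            flags.append("seen on wired and wireless")
        if locally_administered(mac):
            flags.append("locally administered address")
        if "unknown" in media:
            flags.append("lease outside known ranges")
        if flags:
            findings[mac] = flags
    return findings
```

A flag here is a prompt for review, not proof of spoofing: privacy-randomized MACs also set the locally administered bit.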