tramil
just joined
Topic Author
Posts: 13
Joined: Sun Mar 15, 2020 2:04 am

Out-of-band network admission

Wed Nov 02, 2022 9:42 pm

My home network is a bit complicated and I have lost track of a fair few devices that I'm not exactly sure what they are. So, my plan is to redo my network, but requiring me to document all new devices as I admit them to the network. I could use a hotspot if the device is a phone/laptop, say, but for something like a printer, what I'm thinking of is blocking network access and then queuing it up to be documented, e.g. name/hostname/type/tag/note in a web form, and once that is done, it can connect to the network fully. I could perhaps use a script triggering on DHCP, or maybe get the hotspot to send the time, MAC address and anything else to a server and allow me to connect to that to fill in the details and have the device added to DNS etc.

Before I embark on this, I'm just wondering if anyone has done anything similar so I can borrow ideas from you.
 
tramil
just joined
Topic Author
Posts: 13
Joined: Sun Mar 15, 2020 2:04 am

Re: Out-of-band network admission

Sat Nov 05, 2022 10:26 am

So, I've done this now, and it works quite well, but it's very hacky.
I installed a DHCP lease script that checks if the current lease is dynamic and not a release; if so, it calls a CGI script on my server.
The CGI script sends the URL of another CGI script to my phone/laptop using Keybase.
I click on the link and get a form showing the host details, whether the MAC address is dynamic, a lookup of the OUI of the MAC, an nmap of the IP, and all DNS lookups by that IP since the lease was acquired, taken from Pi-hole's SQLite DB. That will often indicate what the host probably is, from its captive portal check and other early DNS requests.
I fill in the form with the owner name, device type (laptop/iPhone/printer/whatever), name, etc.
I submit the form and it makes the lease static, adds a comment with the above details, and puts the IP address into various address lists (devices owned by that person, printers, Android phones, etc.).
If the MAC address already exists but was on another SSID, I copy the details.

I just have one thing left to do, which is to update DNS and reverse DNS.
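The server-side triage the post describes (is the MAC randomized, which vendor owns the OUI, what did the host look up since its lease started) can be reproduced in a few functions. The following is an added example, not the poster's CGI script: the OUI table and the Pi-hole rows are constructed inline, the Pi-hole `queries` table is reduced to the columns read here (`timestamp`, `domain`, `client`), and the IPs, MACs and timestamps are made up for the demonstration.

```python
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed OUI table for the example; a real deployment loads the IEEE registry.
OUI_TABLE = {
    "00:1B:A9": "Brother Industries",
    "3C:2E:FF": "Apple, Inc.",
}

# Early lookups that give away the OS family: captive-portal / connectivity checks.
PORTAL_CHECKS = {
    "connectivitycheck.gstatic.com": "Android",
    "captive.apple.com": "Apple iOS/macOS",
    "www.msftconnecttest.com": "Windows",
}


def normalize_mac(mac: str) -> str:
    """Upper-case, colon-separated form so lookups don't depend on input format."""
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set. That is what iOS and
    Android 'private' (randomized) MACs look like, so an OUI lookup is meaningless."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def oui_vendor(mac: str) -> Optional[str]:
    if is_locally_administered(mac):
        return None
    return OUI_TABLE.get(normalize_mac(mac)[:8])


def dns_since(conn: sqlite3.Connection, client_ip: str, since_ts: int) -> List[Tuple[int, str]]:
    """Domains looked up by client_ip since the lease was acquired, oldest first."""
    cur = conn.execute(
        "SELECT timestamp, domain FROM queries "
        "WHERE client = ? AND timestamp >= ? ORDER BY timestamp",
        (client_ip, since_ts),
    )
    return [(int(ts), dom) for ts, dom in cur.fetchall()]


def triage(conn: sqlite3.Connection, mac: str, ip: str, lease_ts: int) -> Dict:
    """What the admission form would show for one new lease."""
    lookups = dns_since(conn, ip, lease_ts)
    hints = {PORTAL_CHECKS[d] for _, d in lookups if d in PORTAL_CHECKS}
    return {
        "mac": normalize_mac(mac),
        "randomized_mac": is_locally_administered(mac),
        "vendor": oui_vendor(mac),
        "dns": [d for _, d in lookups],
        "os_hint": sorted(hints),
    }


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for pihole-FTL.db holding only the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE queries (id INTEGER PRIMARY KEY, timestamp INTEGER, "
                 "type INTEGER, status INTEGER, domain TEXT, client TEXT)")
    rows = [  # timestamp, type (1 = A), status (2 = forwarded), domain, client
        (1667600000, 1, 2, "old.example.net", "192.168.1.50"),  # before the lease: ignored
        (1667600100, 1, 2, "www.brother.com", "192.168.1.50"),  # the printer's single lookup
        (1667600105, 1, 2, "connectivitycheck.gstatic.com", "192.168.1.77"),
        (1667600106, 1, 2, "time.android.com", "192.168.1.77"),
        (1667600107, 1, 2, "unrelated.example.org", "192.168.1.9"),
    ]
    conn.executemany("INSERT INTO queries (timestamp, type, status, domain, client) "
                     "VALUES (?, ?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(triage(db, "00:1b:a9:12:34:56", "192.168.1.50", 1667600050))  # printer
    print(triage(db, "da:01:02:03:04:05", "192.168.1.77", 1667600050))  # phone, random MAC
```

The U/L-bit check matters for the "copy the details if the MAC was seen on another SSID" step: a phone with per-SSID private addresses will show up as a fresh, vendor-less MAC on each network, so the inventory key should be the documented device, not the address.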
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Out-of-band network admission

Sat Nov 05, 2022 12:36 pm

You can also use MAC-address authentication on switchports and use that to admit unknown devices to a different VLAN than known devices.
This can be done using a RADIUS server that admits/rejects access requests for a certain username which is the MAC address (formatted in some different ways).
It is not super-secure as advanced users know they can change the MAC address, but it works well for casual separation of devices.
 
tramil
just joined
Topic Author
Posts: 13
Joined: Sun Mar 15, 2020 2:04 am

Re: Out-of-band network admission

Sat Nov 05, 2022 1:17 pm

In my case, I'm not so concerned about security of access to the network, as that's basically up to knowledge of the WPA2/3 PSK. I'm more concerned with losing track of what I've added, and perhaps what these devices connect to. It's more of an inventory process. For example, here's what happens now if I add a printer:

https://i.postimg.cc/RCw9FN8b/printer.png

There's only one DNS lookup there. If I add a phone there are dozens, depending on how long I leave it before connecting to the config URL.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Out-of-band network admission

Sat Nov 05, 2022 1:33 pm

Yes, it can be a good thing to do!
But next step is to separate devices a little, e.g. you may still have a classic "LAN" with a computer and a printer on it, but over the years you have added more and more devices that really do not have to be on that LAN but only need internet access. E.g. IoT devices.
So it is a good idea to create a separate network (VLAN) that can access internet via NAT as usual, but does not have access to your old LAN.
That way, when such an IoT device turns out to be rogue or vulnerable to some security problem, it cannot then attack your PC or other devices on your LAN that traditionally is considered "secure from outside users".

This you can do as an extension to your system, by grouping those devices into a separate category.
It is not even really required to use a different SSID for that, you can use the same one with WPA2-EAP and assignment of VLAN via RADIUS.
But that is maybe a step too far; having a separate WiFi virtual interface with a VLAN tag assigned and using that (with a different password) for these devices would be enough.

Having a list of devices and a category is a good start for setting up such things.
 
tramil
just joined
Topic Author
Posts: 13
Joined: Sun Mar 15, 2020 2:04 am

Re: Out-of-band network admission

Sat Nov 05, 2022 1:49 pm

Actually, I have about 20 virtual SSIDs for purposes such as phones, laptops, untrusted IoT devices, an IPv6-only test network, an IPv4-only network for things that have problems with IPv6, and all sorts. I used to use VLANs for this, but ended up using virtual APs instead. I'm not sure I can remember the reason any more, other than that it's easier to select the purpose of the connection by choosing the SSID.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Out-of-band network admission

Sat Nov 05, 2022 2:22 pm

20 SSIDs? Sheesh. So much airtime wasted on beacons and management. Even 5 SSIDs are many; 20 is just .. no.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Out-of-band network admission

Sat Nov 05, 2022 5:24 pm

Yes, in such a case it is much better to use 1 main SSID with WPA2-EAP and RADIUS to assign a VLAN to a connected client (all clients connected to the same SSID).
It may still be unavoidable to have another SSID to accommodate clients that cannot use WPA2-EAP.
Or, when you do not mind keeping access tables up to date in all access points, you can also use WPA2-PSK and an access table that assigns a VLAN to each MAC.
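The RADIUS decision behind both suggestions in this thread (MAC-address authentication on switch ports that drops unknown MACs into a separate VLAN, and the per-MAC VLAN table for WPA2-PSK clients) is small enough to show end to end. This is an added example and not code from anyone in the thread or from FreeRADIUS: the device inventory and the quarantine VLAN number are constructed for the demonstration, and the reply attributes are the RFC 3580 VLAN triple (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id) that switches and access points understand.

```python
import re
from typing import Dict, Optional

# Constructed inventory: normalized MAC -> VLAN id. In practice this is the table
# the admission form fills in (or FreeRADIUS' users file / SQL backend).
KNOWN_DEVICES: Dict[str, int] = {
    "001BA9123456": 10,   # printer on the classic LAN
    "3C2EFF0A0B0C": 20,   # a phone
}
QUARANTINE_VLAN = 999     # assumed: where undocumented MACs land (internet-only via NAT)

# User-Name shapes switches send for MAC auth: aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
# aabb.ccdd.eeff and aabbccddeeff.
_MAC_RE = re.compile(
    r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^([0-9a-f]{4}\.){2}[0-9a-f]{4}$|^[0-9a-f]{12}$",
    re.IGNORECASE,
)


def mac_from_username(username: str) -> Optional[str]:
    """Return the MAC as 12 upper-case hex digits, or None if User-Name is not a MAC."""
    if not _MAC_RE.match(username.strip()):
        return None
    return re.sub(r"[^0-9A-F]", "", username.upper())


def authorize(username: str) -> Dict[str, str]:
    """RADIUS reply for one MAC-auth Access-Request.

    The password the switch sends (normally the MAC again, or a fixed string) is
    deliberately not checked: it carries no secret, which is exactly why MAC auth
    gives casual separation only; anyone who can set their MAC can pick their VLAN."""
    mac = mac_from_username(username)
    if mac is None:
        return {"Code": "Access-Reject"}
    vlan = KNOWN_DEVICES.get(mac, QUARANTINE_VLAN)
    return {
        "Code": "Access-Accept",
        "Tunnel-Type": "VLAN",              # RFC 3580: value 13
        "Tunnel-Medium-Type": "IEEE-802",   # value 6
        "Tunnel-Private-Group-Id": str(vlan),
    }


def users_file_entry(mac: str, vlan: int) -> str:
    """FreeRADIUS `users` file entry for one documented device (password == MAC)."""
    m = mac.lower()
    return (f'{m}\tCleartext-Password := "{m}"\n'
            f"\tTunnel-Type = VLAN,\n"
            f"\tTunnel-Medium-Type = IEEE-802,\n"
            f'\tTunnel-Private-Group-Id = "{vlan}"\n')


if __name__ == "__main__":
    for user in ("00:1b:a9:12:34:56", "3C2E.FF0A.0B0C", "de-ad-be-ef-00-01", "alice"):
        print(user, "->", authorize(user))
    print(users_file_entry("001BA9123456", 10))
```

Whether an unknown MAC should get Access-Accept into a quarantine VLAN (as here) or a plain Access-Reject depends on the switch: some ports fall back to a guest VLAN on reject, others just stay closed, so check the switch's MAC-auth failure behaviour before relying on either outcome.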
