doc/developer/MACBlacklisting

Contributors: Robin Jones, Benoit Grégoire, Last update: 2008-10-13 Feel free to contribute and/or format better.

Blacklisting a MAC address from your network

Here is what I would think should happen for the authentication... how far off am I? ;)

$db = AbstractDb::getObject();

// Escape the client-supplied MAC before it is placed in the query
$currentMac = $db->escapeString($_REQUEST['mac']);

$db->execSqlUniqueRes("SELECT * FROM mac_blacklist WHERE mac = '$currentMac'", $info, false);

if ($info != null)
{
	$now = date('Y-m-d');
	// The ban is in force once it has started and either has no end date
	// or the end date has not been reached yet
	if ($now > $info['banned_date'] && ($info['restoration_date'] == null || $now < $info['restoration_date']))
	{
		// Access Denied
		// display reason message from $info['ban_reason']
	}
	else
	{
		// Ban has lapsed: remove the entry
		$macId = $db->escapeString($info['mac_id']);
		$db->execSqlUpdate("DELETE FROM mac_blacklist WHERE mac_id = '$macId'");

		// Account privileges have been restored.
	}
}

The following has been implemented in the networkfusion branch.

To install this branch try:

svn checkout https://dev.wifidog.org/svn/branches/networkfusion/wifidog-auth

The changes needed for basic functionality in the auth server are:

  • Add a network_had_blacklist and blacklist table in the db. The latter would (for now) only have a guid, MAC address, and a ban reason field.
CREATE TABLE blacklist (
         guid text NOT NULL,
         MAC text NOT NULL,
         reason text,             -- will tell the user why they have been banned (if you wish to tell them)
         duration text NOT NULL,  -- date device will be allowed to access the network again (if any)
         banned_date date         -- timestamp user banned from network
);

  • Add a UI for it. This implied writing a very simple "Blacklist" object that inherits from generic object, and hooking it in from Network::getAdminUI() and Network::processAdminUI()
/**
 * Blacklist A MAC Address
 *
 * @package    WiFiDogAuthServer
 * @author     Robin Jones <www.networkfusion.co.uk>
 * @copyright  2007-2008 Robin Jones, NetworkFusion.
 */

    /** Add a blacklisted MAC to the DB */
    static function BlacklistMAC($id, $MAC, $reason, $duration) {
        $db = AbstractDb::getObject();

        $object = null;
        // Escape every value before it is interpolated into the SQL string
        $id_str = $db->escapeString($id);
        $MAC_str = $db->escapeString($MAC);
        $reason_str = $db->escapeString($reason);
        $duration_str = $db->escapeString($duration);

        $db->execSqlUpdate("INSERT INTO blacklist (guid, MAC, reason, duration, banned_date) VALUES ('$id_str','$MAC_str','$reason_str','$duration_str',CURRENT_TIMESTAMP)");

        $object = self::getObject($id);
        return $object;
    }

    /** Return all the blacklisted MACs */
    static function getAllBlacklistedMACs() {
        $db = AbstractDb::getObject();

        $db->execSql("SELECT * FROM blacklist", $objects, false);
        if ($objects == null) {
            throw new Exception(_("No blacklisted MACs could be found in the database"));
        }
        return $objects;
    }


  • Actually use the blacklist during the login attempt (at the token creation stage). This should be authenticator independent.
  • Optionally, also prevent creating an account from that computer. This MUST somehow be done within the AuthenticatorLocalUser code (even if additional hooks have to be written), not in the general auth or signup code.

The above should be fairly simple, and fairly future proof (in the future there will be much more complicated use cases than static, persistent MAC based blacklists).
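As an added illustration of the third item above (checking the blacklist at the token creation stage), the following PHP is example code written for this page; it is not code from the networkfusion branch or the WifiDog project. It assumes the AbstractDb methods already used on this page (getObject, escapeString, execSqlUniqueRes, execSqlUpdate) and the blacklist table columns defined above; the class name BlacklistCheck, its method names and the call site shown at the end are hypothetical. It goes slightly beyond the bullet by also validating the MAC format before the lookup and dropping a row whose duration has already passed.

```php
<?php
// Added example, not WifiDog/networkfusion code. Assumes the AbstractDb API
// used elsewhere on this page and the blacklist table defined above.
// BlacklistCheck and the call site at the bottom are hypothetical names.

class BlacklistCheck
{
    /**
     * Normalise a MAC address to lower-case colon form ("aa:bb:cc:dd:ee:ff").
     * Returns null when the input is not a 48-bit MAC, so only a syntactically
     * valid address ever reaches the SQL layer (escapeString is still applied
     * afterwards as defence in depth).
     */
    public static function normaliseMac($mac)
    {
        $hex = strtolower(preg_replace('/[^0-9a-fA-F]/', '', (string) $mac));
        if (strlen($hex) !== 12) {
            return null;
        }
        return implode(':', str_split($hex, 2));
    }

    /**
     * Return the blacklist row for $mac if its ban is still in force, else null.
     * An empty duration is treated as a permanent ban; otherwise the ban lapses
     * once the stored date has passed. $now (a Unix timestamp) is injectable
     * so the expiry logic can be exercised without touching the clock.
     */
    public static function activeBan($mac, $now = null)
    {
        $mac = self::normaliseMac($mac);
        if ($mac === null) {
            return null;
        }
        if ($now === null) {
            $now = time();
        }

        $db = AbstractDb::getObject();
        $mac_str = $db->escapeString($mac);
        $row = null;
        // Compare case-insensitively: rows may have been typed in by an admin
        $db->execSqlUniqueRes("SELECT * FROM blacklist WHERE lower(MAC) = '$mac_str'", $row, false);
        if ($row == null) {
            return null;
        }

        if (!empty($row['duration'])) {
            $until = strtotime($row['duration']);
            if ($until !== false && $until <= $now) {
                // Ban has expired: drop the row so the device is not re-checked
                $guid_str = $db->escapeString($row['guid']);
                $db->execSqlUpdate("DELETE FROM blacklist WHERE guid = '$guid_str'");
                return null;
            }
        }
        return $row;
    }

    /**
     * Hook to call just before a token is issued, whatever authenticator is in
     * use. Throws when the device is banned; the reason is included only if
     * the admin filled one in.
     */
    public static function enforceAtTokenCreation($mac)
    {
        $ban = self::activeBan($mac);
        if ($ban !== null) {
            $reason = !empty($ban['reason']) ? $ban['reason'] : _("no reason given");
            throw new Exception(sprintf(_("Access denied: %s"), $reason));
        }
    }
}

// Hypothetical call site at the token creation stage:
// BlacklistCheck::enforceAtTokenCreation($_REQUEST['mac']);
```

The format check matters because the MAC comes straight from the request: an attacker cannot reach the query with anything but twelve hex digits, and escapeString still guards the value on its way into the SQL string. Deleting the expired row on the read path keeps the table from growing without a separate cleanup job; if you would rather keep a history of bans, return null without the DELETE.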

An example of the UI (attached image: Design for MAC Blacklist UI)