doc/developer/MACBlacklisting

Version 3 (modified by Robin Jones, 11 years ago)

updated MACBlacklisting with some more ideas

Contributors: Robin Jones, Benoit Grégoire. Last update: 2008-01-12. Feel free to contribute and/or format better.

Blacklisting a MAC address from your network

The changes needed for basic functionality in the auth server are:

  • Add a network_had_blacklist and blacklist table in the db. The latter would (for now) only hold a guid, the MAC address, a ban reason, the date the ban expires and the date the ban was issued:
CREATE TABLE blacklist (
         guid text NOT NULL PRIMARY KEY,
         mac text NOT NULL,                        -- the banned MAC address
         reason text,                              -- will tell the user why they have been banned (if you wish to tell them)
         duration timestamp,                       -- date the device will be allowed to access the network again (NULL = permanent ban)
         banned_date timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP  -- timestamp the device was banned from the network
);

  • Add a UI for it. This implies writing a very simple "Blacklist" object that inherits from the generic object class, and hooking it in from Network::getAdminUI() and Network::processAdminUI():
/**
 * Blacklist a MAC address
 *
 * @package    WiFiDogAuthServer
 * @author     Robin Jones <www.networkfusion.co.uk>
 * @copyright  2007-2008 Robin Jones, NetworkFusion.
 */

    /** Add a blacklisted MAC to the DB
     *
     * @param string $id       guid of the new blacklist entry
     * @param string $MAC      MAC address to ban
     * @param string $reason   Reason shown to the user (may be empty)
     * @param string $duration Date the device is allowed back (empty or null for a permanent ban)
     */
    static function BlacklistMAC($id, $MAC, $reason, $duration) {
        $db = AbstractDb::getObject();

        $object = null;
        $id_str = $db->escapeString($id);
        $MAC_str = $db->escapeString($MAC);
        $reason_str = $db->escapeString($reason);
        // A permanent ban is stored as NULL; an empty string is not a valid timestamp
        $duration_sql = ($duration === null || $duration === '') ? 'NULL' : "'" . $db->escapeString($duration) . "'";

        $db->execSqlUpdate("INSERT INTO blacklist (guid, mac, reason, duration, banned_date) VALUES ('$id_str', '$MAC_str', '$reason_str', $duration_sql, CURRENT_TIMESTAMP)");

        $object = self::getObject($id);
        return $object;
    }

    /** Return all the blacklisted MACs
     */
    static function getAllBlacklistedMACs() {
        $db = AbstractDb::getObject();

        $db->execSql("SELECT * FROM blacklist", $objects, false);
        if ($objects == null) {
            throw new Exception(_("No blacklisted MACs could be found in the database"));
        }
        return $objects;
    }


  • Actually use the blacklist during the login attempt (at the token creation stage). This should be authenticator independent.
  • Optionally, also prevent creating an account from that computer. This MUST somehow be done within the AuthenticatorLocalUser code (even if additional hooks have to be written), not in the general auth or signup code.

The above should be fairly simple, and fairly future proof (in the future there will be much more complicated use cases than static, persistent MAC-based blacklists).
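The lookup the auth server would run at the token creation stage, as an added example; this is not WiFiDog code and it does not use AbstractDb. It assumes a PDO connection, the blacklist table defined above, and an in-memory SQLite database with constructed rows so it runs stand-alone (timestamps are stored as ISO 8601 text so they compare correctly as strings; on PostgreSQL the same comparison would be done against a timestamp column). The two points it shows that the steps above leave implicit are that the MAC must be canonicalised before the lookup, since the gateway-reported form may differ from the stored one in case or separators, and that the MAC must be bound as a parameter rather than interpolated into the query:

```php
<?php
// Added example, not WiFiDog code. normalizeMac() and blacklistReason() are
// hypothetical names; blacklist.duration NULL means a permanent ban.

/**
 * Canonicalise a MAC address so that "AA-BB-CC-DD-EE-FF", "aabb.ccdd.eeff" and
 * "aa:bb:cc:dd:ee:ff" all compare equal. Returns null if the input is not a MAC.
 * Without this step a ban is bypassed by a client that reports the same address
 * with different separators or case.
 */
function normalizeMac(string $mac): ?string {
    $hex = strtolower(preg_replace('/[^0-9a-fA-F]/', '', $mac));
    if (strlen($hex) !== 12) {
        return null;
    }
    return implode(':', str_split($hex, 2));
}

/**
 * Returns the ban reason if $mac is blacklisted at time $now, or null if it is
 * not. A NULL duration is a permanent ban; a duration in the past means the ban
 * has expired and the device may be issued a token again.
 */
function blacklistReason(PDO $db, string $mac, string $now): ?string {
    $canonical = normalizeMac($mac);
    if ($canonical === null) {
        // A malformed MAC cannot be checked against the list: fail closed.
        return 'invalid MAC address';
    }
    // Bound parameter: the MAC comes from the gateway request, never interpolate it.
    $stmt = $db->prepare('SELECT reason, duration FROM blacklist WHERE mac = :mac');
    $stmt->execute([':mac' => $canonical]);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if ($row['duration'] === null || $row['duration'] > $now) {
            return $row['reason'] ?? 'banned';
        }
    }
    return null;
}

// --- constructed sample data (not from a real deployment) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blacklist (guid TEXT PRIMARY KEY, mac TEXT NOT NULL, '
        . 'reason TEXT, duration TEXT, banned_date TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO blacklist VALUES (:guid, :mac, :reason, :duration, :banned)');
// Permanent ban, stored in canonical lower-case colon form
$ins->execute([':guid' => 'b1', ':mac' => '00:11:22:33:44:55', ':reason' => 'abuse',
               ':duration' => null, ':banned' => '2008-01-01 00:00:00']);
// Temporary ban that ends on 2008-01-10
$ins->execute([':guid' => 'b2', ':mac' => 'aa:bb:cc:dd:ee:ff', ':reason' => 'bandwidth',
               ':duration' => '2008-01-10 00:00:00', ':banned' => '2008-01-03 00:00:00']);

$now = '2008-01-12 00:00:00';
$cases = [
    '00-11-22-33-44-55',  // permanent ban, reported with dashes instead of colons
    'AA:BB:CC:DD:EE:FF',  // temporary ban already expired by $now
    '66:77:88:99:aa:bb',  // not listed
    'not-a-mac',          // malformed input
];
foreach ($cases as $mac) {
    $reason = blacklistReason($db, $mac, $now);
    printf("%-20s -> %s\n", $mac, $reason === null ? 'allowed' : 'denied (' . $reason . ')');
}
```

Because the check takes only the MAC and the current time, it can be called from the token creation path for every authenticator, and the same function can back the optional signup check inside AuthenticatorLocalUser. Keep in mind that the MAC is whatever the client presents to the gateway and can be changed freely on most devices, so a MAC blacklist stops accidental or unsophisticated reuse of a banned device, not a determined user.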

An example of the UI:

[image: Design for MAC Blacklist UI]
