
Hi all!

So my Ubuntu partition of my laptop is now not connecting to my school's wifi network. They use a "log on before you connect" type of authentication where you sign in with a username and password before you can connect. Recently my Ubuntu partition of the laptop stopped connecting, giving me the prompt to enter my username and password over and over. Usually this is an incorrect username or password, but I have checked that (before you ask!) and I know that that is not the problem.

I asked the IT people (as much as it pained me to do so) and got the answer that they didn't allow Ubuntu onto their network because it is "less secure than Windows due to it being open source." This would mean that they had somehow blocked just the Ubuntu partition of my laptop, as the Windows one works fine, based on just the OS. I went down there a couple of days later to try again and got a different story, that I had been blocked for "Suspicious activity" and that I should now be able to connect (they had apparently worked out that I wasn't trying to take down the internet, simply download a Steam update...) Exactly the same symptoms. I went down there again... got the old crap about not allowing Ubuntu on because it is less secure. I don't need to go into any detail about why that is wrong do I...

Long and short of it is, my Ubuntu partition still refuses to connect. The MAC address is the same between the partitions, and I assume that they cannot IP ban because it would assign a random IP every reconnect. Is it even possible to block a machine based on OS? I would have thought it would just be on a MAC address basis or maybe IP if it uses a static IP.

Advice on where to go next? (Apart from sending them a link to the Ubuntu Server download page to help them not get hacked every month! (they use Windows Server... eww))

Thank you for reading the essay and probably maybe helping.

James

https://linustechtips.com/topic/1020616-wifi-blocking-based-on-os/

Yes, it's very possible to block based on OS and other characteristics as well on the network such as patch level even for Windows machines and the like but some of that requires more advanced programs installed on the end client.


Prob just a MAC ban. They can see what is connecting but I know no software that blocks based on OS.

But this is just your side of the story, for all I know they had valid reason to block your laptop down to suspicious activity.

Anyway, I would check the rules and see if certain OSes are banned from using the network. If so, then there is nothing you can do without getting into trouble.


1 minute ago, Lurick said:

Yes, it's very possible to block based on OS and other characteristics as well on the network such as patch level even for Windows machines and the like but some of that requires more advanced programs installed on the end client.

Is there a way to bypass this?


3 minutes ago, Dujith said:

Prob just a MAC ban. They can see what is connecting but I know no software that blocks based on OS.

But this is just your side of the story, for all I know they had valid reason to block your laptop down to suspicious activity.

Anyway, I would check the rules and see if certain OSes are banned from using the network. If so, then there is nothing you can do without getting into trouble.

I know several solutions that easily classify endpoints based on OS. Cisco ISE is just one example. Checkpoint, Palo Alto, etc. probably have similar solutions as well. Then there is DNA Center and other solutions as well to do this which can redirect you to a patch server if you don't have updated software or are infected.

 

 

3 minutes ago, Joelsome said:

Is there a way to bypass this?

Nothing that I'll discuss since it's against the Community Standards on the forums to discuss ways to bypass blocks and the like.


1 minute ago, Lurick said:

I know several solutions that easily classify endpoints based on OS. Cisco ISE is just one example. Checkpoint, Palo Alto, etc. probably have similar solutions as well. Then there is DNA Center and other solutions as well to do this which can redirect you to a patch server if you don't have updated software or are infected.

 

Another thing learned. Reading up on it now.


2 minutes ago, Lurick said:

I know several solutions that easily classify endpoints based on OS. Cisco ISE is just one example. Checkpoint, Palo Alto, etc. probably have similar solutions as well. Then there is DNA Center and other solutions as well to do this which can redirect you to a patch server if you don't have updated software or are infected.

 

 

Nothing that I'll discuss since it's against the Community Standards on the forums to discuss ways to bypass blocks and the like.

Discord then? The only way I can use their internet, which is 10MBps down (my home's is 300kbps tops), is through Windows, which is Windows 10, and I hate being spied on by microshite.


2 minutes ago, Dujith said:

Another thing learned. Reading up on it now.

I was double checking myself and it doesn't even need to be ISE (which is usually an appliance or can run as a VM). Wireless controllers can fingerprint and block based on OS as well. Obviously there is traffic based blocks but yah, there is some interesting info sent out just connecting to networks. Part of it is MAC based, just knowing the vendor of the MAC helps, but there is other stuff that gets sent out too. A snapshot of some devices connected to my network right now:

 

[Image]


4 minutes ago, Joelsome said:

Where are you reading up on it? Couldn't find a single report on anything like is described above when i googled it.

Posture policies are what they are called in the Cisco world. I'm sure similar terms are used by other vendors for their solutions as well. Just one example:

https://community.cisco.com/t5/policy-and-access/ise-checking-windows-version/td-p/2735510


Could it be they are simply blocking the login because the browser identifies itself as running on Linux?

You could easily test this by using an addon to spoof the web browser as being Windows.

ASUS B650E-F GAMING WIFI + R7 7800X3D + 2x Corsair Vengeance 32GB DDR5-6000 CL30-36-36-76  + ASUS RTX 4090 TUF Gaming OC

Router:  Intel N100 (pfSense) Backup: GL.iNet GL-X3000/ Spitz AX Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz) WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz)
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~1200Mbit down, 115Mbit up, variable)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


7 minutes ago, Joelsome said:

Where are you reading up on it? Couldn't find a single report on anything like is described above when i googled it.

Cisco.com and checking the forums, seems you can even block anything pre-Windows 7 if you want :D

 


Just now, Alex Atkin UK said:

Could it be they are simply blocking the login because the browser identifies itself as running on Linux?

You could easily test this by using an addon to spoof the web browser as being Windows.

Tisn't just the web browser though, the OS has to connect to the wifi network first, eliminating the web browser sign in thingy.


1 minute ago, Joelsome said:

Tisn't just the web browser though, the OS has to connect to the wifi network first, eliminating the web browser sign in thingy.

So they are using Enterprise-based WiFi login, not a browser-based one?

Honestly it scares me they are so uninformed to think Linux is LESS secure than Windows to begin with.


I have a feeling that they are just trying to get me off their network because they dislike me. I have been using a VPN to get around their filtering which they know about and try to block. However they cannot block it because it runs port 80. I think at this point they just want me to piss off and leave them to blow their IT budget on those LED ambience lights for their 70" TVs they have in their office.


I know this is an old report but have you checked something like this? https://askubuntu.com/questions/285234/cannot-connect-to-wpa2-wpa-enterprise-peap-and-mschap

I find it very hard to believe they went to the trouble of blocking Linux.  Do they block Android phones too seeing as they are WAY less secure?


1 minute ago, Alex Atkin UK said:

So they are using Enterprise-based WiFi login, not a browser-based one?

Honestly it scares me they are so uninformed to think Linux is LESS secure than Windows to begin with.

Yes, I know. It scares me to think that they are in charge of the personal data of nearly 1000 students and probably more, yet they think that Ubuntu is less secure because of open source! Oh and did I mention that they reported me to the deputy head for rudeness after trying to counter their point about that? Yeah... They are using every trick in the book to shut me up... They also refused to sell me some of their old PCs because of "Health and Safety", rather giving them to a computer recycling company who probably charged them for the pleasure.


1 minute ago, Alex Atkin UK said:

I know this is an old report but have you checked something like this? https://askubuntu.com/questions/285234/cannot-connect-to-wpa2-wpa-enterprise-peap-and-mschap

I find it very hard to believe they went to the trouble of blocking Linux.  Do they block Android phones too seeing as they are WAY less secure?

Nope, Android is fine. I find it hard to believe too, being that they have been hacked 4 times in the last month. One of these took the internet down for a week.


3 minutes ago, Alex Atkin UK said:

I know this is an old report but have you checked something like this? https://askubuntu.com/questions/285234/cannot-connect-to-wpa2-wpa-enterprise-peap-and-mschap

I find it very hard to believe they went to the trouble of blocking Linux.  Do they block Android phones too seeing as they are WAY less secure?

Is there a way to find out what security they are using short of asking them? I was using the default one.


I've never had the pleasure to use WPA Enterprise so not really sure how that works.  I mean there HAS to be a way to bypass it somehow, that's kinda the stupidity of it as being Open Source you could download the WiFi stack source code and modify whatever it is they are tracking, if you could figure out what that was.

 

Unfortunately we would be very much skirting the forum rules at that point as discussing how to bypass network security is forbidden.


1 minute ago, Alex Atkin UK said:

I've never had the pleasure to use WPA Enterprise so not really sure how that works.  I mean there HAS to be a way to bypass it somehow, that's kinda the stupidity of it as being Open Source you could download the WiFi stack source code and modify whatever it is they are tracking, if you could figure out what that was.

Yeah... So for them to filter based on OS would take some pretty expensive software right? And would ONLY work on WPA Enterprise?


5 minutes ago, Joelsome said:

Yeah... So for them to filter based on OS would take some pretty expensive software right? And would ONLY work on WPA Enterprise?

I'm honestly not sure.  It would be interesting to try a different distro, or running Windows in a VM with the WiFi adapter passed through and using Windows Internet sharing to allow it to share back to the Ubuntu host OS.

If you have an Android phone you could always connect using that and then enable USB tethering.  If you ran the VPN on Android too they probably wouldn't have any way to detect you were using Linux.  (although just doing the former might be enough to get past their block)


Just now, Alex Atkin UK said:

I'm honestly not sure.  It would be interesting to try a different distro, or running Windows in a VM with the WiFi adapter passed through and using Windows Internet sharing to allow it to share back to the Ubuntu host OS.

The VM idea is good, and I already tried to do it... except the VM crashed on boot every single time... I don't particularly want to piss about with another distro as Ubuntu was a pain to get dual booted with Windows as it is. Windows 10's bootloader is an absolute bitch. Having real problems with it on my mother's Lenovo machine where it won't even recognise grub in the BIOS as a boot option. I can only boot to Ubuntu if I use a yumi multiboot USB and select continue to first hdd. yumi uses grub as a bootloader to boot from the ISO files so it instantly goes to grub. I don't want to have to risk the black screens and other weird shit I got when installing Ubuntu on here either. For some reason microshit are bent on making you use 10. Can't think why... *selling of data they glean with their spyware*
