
How to quarantine new devices on WAX214

Hello,

I'm a dad who is trying to set up parental controls on my kids' iPads. They are quite clever and so far have been able to find ways around my previously tried methods.

I'm settling on trying to deny their MAC addresses on all wifi networks I have set up (all broadcast via 2 shared WAX214 devices), and only grant them access to a dedicated network using a scheduler.

Problem is that the pesky Apple iOS system encourages private Wi-Fi usage, which randomises their MAC address, meaning they can eventually get onto other networks if I haven't changed the passwords for them (I'm not keen on a password change as I've got a lot of other Wi-Fi devices using them, but I guess this is something I could do if there is no other option).

I will encourage the kids to ensure their private wifi is turned OFF for our home networks so their unmasked MAC addresses are exposed, but this could still be circumvented in the long run.

A forum I read suggested quarantining new devices that try to log onto networks. However, I am uncertain how to achieve this on a WAX214. I'm hoping it doesn't involve setting up VLANs - this sounds complicated to set up correctly, but if anyone can give advice on doing it easily, I'm happy to try.

Many thanks in advance for any help or guidance.

Message 1 of 10

All Replies
plemans
Guru

Re: How to quarantine new devices on WAX214

There isn't a way to "quarantine" new devices. 

Not sure how it works since I don't have a WAX214, but the Nighthawks have the ability to block new devices from accessing.

https://kb.netgear.com/24830/How-do-I-use-access-control-to-allow-or-block-devices-from-accessing-th...

Another option might be an "if you violate this rule, you lose access for a week" rule for the wifi. If they're circumventing the security you have in place, it can put you in jeopardy (if they're looking up nefarious things), so they need to be aware of that and judge whether getting caught is worth the risk. Kids are going to try and get around security; we can only do the best we can.

What I have on mine is a Pi-hole on which I can put custom blocking lists. It can still be circumvented, but it makes them work at it a bit and I can see when they're doing it.

Message 2 of 10
schumaku
Guru

Re: How to quarantine new devices on WAX214

Have an eye on the Chapter "Set up a MAC filter for an SSID" with a MAC address that allows access: An ACL with a policy that allows access functions please.

Message 3 of 10

Re: How to quarantine new devices on WAX214

Thanks for the response, plemans. I can't see a similar option available for the WAX214 as you've detailed, sadly.

Your suggestion for the kids might have to be a fall-back - I basically tell them they're not allowed to enable private Wi-Fi on their iPads, but then they'll know how to circumvent it (if they want to risk punishment).


Message 4 of 10

Re: How to quarantine new devices on WAX214

Thanks, schumaku. I've got 'deny' set on the ACLs for the WAX214 against their iPads, but they just have to know the passwords and switch on private Wi-Fi to circumvent this, as that changes the iPad's MAC address and lets them in, hence why I was looking for a 'new device' quarantine option.

Message 5 of 10
plemans
Guru

Re: How to quarantine new devices on WAX214

The WAX214 is an access point with a router mode (as far as I recall). Any chance you're actually using them as access points that are managed through a different router? Or is one of them in router mode?

If you have a different router acting as the gateway, many times that has its own parental controls and access control list.

Message 6 of 10
schumaku
Guru

Re: How to quarantine new devices on WAX214

https://www.downloads.netgear.com/files/GDC/WAX214/WAX214_WAX218_UM_EN.pdf 

Set up a MAC filter for an SSID, p.84 ff.

https://www.downloads.netgear.com/files/GDC/WAX214v2/WAX214v2_UM_EN.pdf

Manage access to a user WiFi network based on a client’s MAC address, p.56 ff.

Register the physical MAC addresses of all the wireless devices. Knowing the WiFi password alone does not help.

Allow MAC in the List: The MAC addresses that you add to the list are allowed access but all other MAC address are denied access.

Message 7 of 10
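The accepted answer above relies on an allow-list MAC ACL: only registered hardware addresses get in, so a client that switches to a random address is simply not on the list. The following is an added example (not NETGEAR code and not anything the WAX214 runs) that shows the same policy in plain Python and adds the check a network admin would want alongside it: randomized addresses such as iOS "Private Wi-Fi Address" set the locally-administered (U/L) bit of the first octet, so association attempts from such addresses can be flagged for review. The association-log format, the SSID names and every MAC address in the sample are constructed for this example.

```python
"""Allow-list MAC ACL evaluation plus detection of randomized (locally
administered) client addresses.  Added example, not NETGEAR code; the log
format and all MAC addresses below are constructed for illustration."""
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})(?:[:-]([0-9A-Fa-f]{2})){5}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in lower-case colon-separated form; raise on bad input."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.lower() for p in re.split(r"[:-]", mac))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet, mask 0x02) is set.
    iOS Private Wi-Fi Address, Android and Windows MAC randomization all
    generate locally administered addresses, so this bit is a cheap
    indicator that a client is not presenting its burned-in hardware MAC."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


@dataclass
class Decision:
    mac: str
    allowed: bool
    randomized: bool


def evaluate(allow_list, client_mac) -> Decision:
    """'Allow MAC in the List' semantics: listed MACs are admitted, every
    other address is denied, regardless of whether the passphrase was right."""
    allowed = {normalize_mac(m) for m in allow_list}
    mac = normalize_mac(client_mac)
    return Decision(mac, mac in allowed, is_locally_administered(mac))


# Constructed association-log lines (format invented for this example).
SAMPLE_LOG = """\
2024-05-01T19:02:11 ssid=Family client=A4:83:E7:12:34:56 event=assoc
2024-05-01T19:02:40 ssid=Family client=F2:1B:9C:77:AA:01 event=assoc
2024-05-01T19:03:05 ssid=Kids client=A4:83:E7:12:34:56 event=assoc
2024-05-01T19:03:30 ssid=Family client=7A:22:5D:00:00:09 event=assoc
"""

LOG_RE = re.compile(r"ssid=(\S+) client=(\S+) event=assoc")


def audit(log_text: str, allow_list):
    """Return (ssid, Decision) per association attempt.

    A randomized MAC that is not in the allow list is exactly the case the
    thread worries about: a known device showing up under a fresh address.
    Under an allow-list policy it is rejected anyway; the 'randomized' flag
    tells the admin which rejected attempts are worth a closer look."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ssid, mac = m.groups()
        results.append((ssid, evaluate(allow_list, mac)))
    return results


if __name__ == "__main__":
    for ssid, d in audit(SAMPLE_LOG, ["A4:83:E7:12:34:56"]):
        verdict = "ALLOW" if d.allowed else "DENY "
        note = " (locally administered / randomized)" if d.randomized else ""
        print(f"{verdict} {ssid:<7} {d.mac}{note}")
```

Running the script denies the two locally-administered addresses in the sample and admits the registered hardware MAC on both SSIDs, which is the behaviour the manual's "Allow MAC in the List" mode gives you; the U/L-bit check is an extra triage aid, not something the access point itself reports.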
schumaku
Guru

Re: How to quarantine new devices on WAX214


@plemans wrote:

Not sure how it works since I don't have an WAX214 but the nighthawks have the ability to block new devices from accessing. 

https://kb.netgear.com/24830/How-do-I-use-access-control-to-allow-or-block-devices-from-accessing-th... 


This describes the available ACL on the Netgear Wireless Access Points: How do I apply a MAC Access Control List to a wireless network (SSID) on my WAC505, WAC510, or WAC54... - this is very similar on the Essential Wireless APs like the WAX214, WAX218, and WAX220.

Message 8 of 10

Re: How to quarantine new devices on WAX214

So I used some of the tips here, but there is no quarantine feature on the WAX214 (v1). As I've got many devices already using established 2.4 and 5 GHz wifi networks, I've taken off the 'private wifi' setting on the kids' iPads and iPhones, exposing their real MAC addresses, and kept the connections to the established networks intact, so the 'private wifi = off' setting is retained and not forgotten.

On the WAX214, I've then set the ACLs on these wifis to 'Deny' against those MAC addresses.

I created new wifi networks with the 'Allow' ACL to only their devices, which I now manage under the wifi scheduler.

I can also use the parental controls on the router to which the WAX214s are connected (a Linksys WRT3200ACM) in order to block specific websites against their MAC addresses, which I don't think is a feature on the WAX214.

Can anyone confirm what security risk is avoided by the use of private wifi 'random' MAC addresses? It's a very annoying feature that makes network management for kids' devices hard to maintain.

Message 9 of 10
schumaku
Guru

Re: How to quarantine new devices on WAX214


@HappyDaddy007 wrote:

So I used some of the tips here, but there is no quarantine feature on the WAX214 (v1).

As I've got many devices already using established 2.4 and 5 GHz wifi networks, I've taken off the 'private wifi' setting on the kids' iPads and iPhones, exposing their real MAC addresses, and kept the connections to the established networks intact, so the 'private wifi = off' setting is retained and not forgotten.

On the WAX214, I've then set the ACLs on these wifis to 'Deny' against those MAC addresses.


The consumer devices have some kind of default allow-all MAC address mode, and add the ability to "quarantine" (== block or disallow MAC addresses of unknown devices). 

So there -is- a quarantine feature - you have just configured the essentials of it.

@HappyDaddy007 wrote:

I can also use the parental controls on the router to which the WAX214s are connected (a Linksys WRT3200ACM) in order to block specific websites against their MAC addresses, which I don't think is a feature on the WAX214.


Strongly doubt that's the way it really works. There is no MAC address to websites relation; much more likely, the Linksys monitors the DNS queries coming from the clients in plain text and returns either the correct IP address or forces the web clients to some portal page saying "no kids, you're not allowed to see this." This works because most DNS traffic isn't encrypted or protected. Once your kids figure out how to configure secured and encrypted DNS, daddy is on his own. In consequence, on top of what you implemented with the allowed MAC address list, you would have to introduce endpoint security on all devices. Means -all- mobiles, tablets, home appliances like a Thermomix, ...

@HappyDaddy007 wrote:

Can anyone confirm what security risk is avoided by the use of private wifi 'random' MAC addresses? It's a very annoying feature that makes network management for kids' devices hard to maintain.


It's not about security, it's just about privacy - the privacy you won't allow your kids (or, for that matter, corporate users) on your very own network. That's also why enterprise network admins are actively pushing security policies (and sometimes applications) to all endpoints.

Message 10 of 10
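The reply above makes the point that router-side website blocking works by watching plaintext DNS queries, and stops working once a client switches to encrypted DNS. The following is an added example (not Linksys or NETGEAR code) of the check a home or small-office admin can run on the gateway's flow records to see which clients are no longer resolving through the filtering resolver. The flow-record tuple format, the local resolver address 192.168.1.1, the client addresses and the destination addresses are all constructed for this example; the only protocol facts it relies on are that plain DNS uses port 53 and DNS over TLS uses TCP port 853 (RFC 7858). DNS over HTTPS shares port 443 with ordinary web traffic, so the code can only flag it indirectly: a client that browses without ever querying the local resolver.

```python
"""Detect clients whose DNS no longer passes through the filtering resolver.
Added example, not Linksys or NETGEAR code; the flow-record format and every
address below are constructed for illustration."""
from collections import defaultdict

LOCAL_RESOLVER = "192.168.1.1"   # assumed: the gateway that filters DNS
DNS_PORT = 53                    # plain DNS (UDP or TCP)
DOT_PORT = 853                   # DNS over TLS, RFC 7858

# Constructed flow records: (client_ip, dst_ip, proto, dst_port, packets).
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.1",   "udp", 53,  40),   # normal: asks the gateway
    ("192.168.1.20", "93.184.216.34", "tcp", 443, 120),
    ("192.168.1.21", "1.1.1.1",       "tcp", 853, 15),   # DoT to a public resolver
    ("192.168.1.21", "93.184.216.34", "tcp", 443, 80),
    ("192.168.1.22", "8.8.8.8",       "udp", 53,  30),   # plain DNS, but not to the gateway
    ("192.168.1.23", "93.184.216.34", "tcp", 443, 60),   # web traffic, no DNS seen at all
]


def dns_bypass_report(flows, local_resolver=LOCAL_RESOLVER):
    """Return {client_ip: [reasons]} for clients whose name resolution does
    not go through the local filtering resolver.

    Three signals, strongest first:
      1. port-53 traffic to any resolver other than the local one
      2. TCP/853 (DNS over TLS) to anywhere
      3. web traffic (80/443) from a client that never queried the local
         resolver; DoH is indistinguishable from HTTPS at flow level, so
         this is the weakest signal and is reported as 'possible DoH'."""
    local_dns = set()
    web_traffic = set()
    reasons = defaultdict(list)
    for client, dst, proto, port, _packets in flows:
        if port == DNS_PORT and dst == local_resolver:
            local_dns.add(client)
        elif port == DNS_PORT:
            reasons[client].append(f"plain DNS to external resolver {dst}")
        elif proto == "tcp" and port == DOT_PORT:
            reasons[client].append(f"DNS over TLS to {dst}")
        elif port in (80, 443):
            web_traffic.add(client)
    for client in sorted(web_traffic - local_dns):
        if client not in reasons:
            reasons[client].append(
                "web traffic with no query to the local resolver (possible DoH)")
    return dict(reasons)


if __name__ == "__main__":
    for client, why in sorted(dns_bypass_report(SAMPLE_FLOWS).items()):
        print(client, "->", "; ".join(why))
```

On the constructed sample the report names three of the four clients and leaves the one that resolves through the gateway alone. The third signal will also fire for a client with a long-lived DNS cache, so treat it as a prompt to look, not as proof; the reply's conclusion stands either way: once resolution is encrypted, the filtering has to move onto the endpoint.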