Does anyone know about some free (as in beer, and maybe as in speech) software which would implement authentication and authorization of a user prior to issuing a valid dhcp lease?

I imagine the following scenario: someone walks into my office building with a laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local net (wired or wireless). The server detects an unknown MAC address, issues a bogus dhcp lease which resolves all dns queries to a single internal web page with a form the user is supposed to fill in and send. After he does so, an administrator does a sanity check of the data the user provided, and grants or denies access. If access is granted, the user gets a new, unrestricted dhcp lease, which provides him with normal access to the local network.

The goal is to have a database which relates IP or MAC addresses to people's names, so I can track a person down efficiently if he brings an infected/spamming machine into the building.

I would know how to build this infrastructure manually, but it's a lot of work, and I don't want to reinvent the wheel. Google somehow failed to help, or I failed to provide the right keywords. :-(

So what are my options?

TIA, :-)
Marko
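An added example of the "roll your own" version of the scenario above, written for this thread and not code from the original poster or from any of the tools named in the replies. It keeps the MAC-to-person table the poster wants, renders an ISC dhcpd configuration in which approved MACs (those with a `host` declaration) draw from the normal pool and everything else gets a short-lived quarantine lease whose DNS server points at the sign-up portal, and looks up who is behind an IP from `dhcpd.leases`. The subnet, the DNS addresses, the MACs, the person's name and the lease excerpt are all constructed for the example.

```python
"""Added example (not the poster's code): a MAC-to-person registry that renders an
ISC dhcpd.conf with a normal pool for approved MACs and a short-lived quarantine
pool for everyone else, and answers "who is behind this IP?" from dhcpd.leases.
All names, MACs, addresses and the lease excerpt are constructed."""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def norm_mac(mac):
    """Canonicalise a MAC (lower-case, colon-separated) and reject junk."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return mac


class Registry:
    """Approved MAC addresses and the person an administrator tied each to."""

    def __init__(self):
        self._by_mac = {}  # normalised MAC -> person's name

    def approve(self, mac, name):
        self._by_mac[norm_mac(mac)] = name

    def owner(self, mac):
        return self._by_mac.get(norm_mac(mac))

    def render_dhcpd_conf(self, subnet, netmask, normal_range, quarantine_range,
                          internal_dns, portal_dns):
        """ISC dhcpd calls a client 'known' when a host declaration matches its
        MAC, so approved MACs land in the first pool and all others in the second."""
        lines = [
            f"subnet {subnet} netmask {netmask} {{",
            "  pool {",
            "    deny unknown-clients;       # only MACs declared as hosts below",
            f"    range {normal_range[0]} {normal_range[1]};",
            f"    option domain-name-servers {internal_dns};",
            "  }",
            "  pool {",
            "    deny known-clients;         # everyone else: quarantine",
            f"    range {quarantine_range[0]} {quarantine_range[1]};",
            f"    option domain-name-servers {portal_dns};",
            "    default-lease-time 120;     # short, so a newly approved client",
            "    max-lease-time 120;         # moves to the normal pool quickly",
            "  }",
            "}",
        ]
        for mac, name in sorted(self._by_mac.items()):
            lines += [f"host h_{mac.replace(':', '')} {{", f"  # {name}",
                      f"  hardware ethernet {mac};", "}"]
        return "\n".join(lines) + "\n"


def parse_leases(text):
    """Return {ip: (mac, binding_state)} from dhcpd.leases text.  The file is
    append-only, so a later entry for the same IP supersedes an earlier one."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        hw = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"binding state\s+(\w+);", body)
        if hw:
            leases[ip] = (hw.group(1).lower(), state.group(1) if state else "unknown")
    return leases


def who_has(registry, leases, ip):
    """The poster's tracking question: which registered person holds this IP?"""
    entry = leases.get(ip)
    if entry is None:
        return None
    mac, state = entry
    return {"mac": mac, "state": state, "person": registry.owner(mac)}


# Constructed dhcpd.leases excerpt: one quarantined visitor, one approved laptop.
SAMPLE_LEASES = """\
lease 10.0.0.201 {
  binding state active;
  hardware ethernet 00:16:3e:aa:bb:cc;
  client-hostname "visitor-laptop";
}
lease 10.0.0.101 {
  binding state active;
  hardware ethernet 00:16:3e:11:22:33;
  client-hostname "alice-laptop";
}
"""


def demo():
    """Approve one MAC, parse the sample leases, render the config."""
    reg = Registry()
    reg.approve("00-16-3E-11-22-33", "Alice Example")
    conf = reg.render_dhcpd_conf("10.0.0.0", "255.255.255.0",
                                 ("10.0.0.100", "10.0.0.199"),
                                 ("10.0.0.200", "10.0.0.250"),
                                 "10.0.0.1", "10.0.0.2")
    return reg, parse_leases(SAMPLE_LEASES), conf
```

The portal resolver at 10.0.0.2 is assumed to answer every name with the portal's own address; with dnsmasq that is the single line `address=/#/10.0.0.2`. Two operational details matter for the "new, unrestricted lease" step: dhcpd does not reread its configuration, so after an administrator approves a MAC the file has to be regenerated and dhcpd restarted, and a quarantined client only changes pools when it renews, which is why the quarantine pool carries a 120-second lease. The table this produces is an accountability record (which person registered which MAC), not authentication of the machine; Amos's reply later in the thread explains why.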
On Sun, Oct 18, 2009 at 8:58 AM, Marko Vojinovic <vvmarko at gmail.com> wrote:
---8<----
> I imagine the following scenario: someone walks into my office building with a
> laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local
> net (wired or wireless). The server detects an unknown MAC address, issues a
> bogus dhcp lease which resolves all dns queries to a single internal web page
> with a form the user is supposed to fill in and send. After he does so, an
> administrator does a sanity check of the data the user provided, and grants or
> denies access. If access is granted, the user gets a new, unrestricted dhcp
> lease, which provides him with a normal access to local network.
--->8----
> So what are my options?

Maybe a Network Access Control solution, either from a vendor such as Cisco or a "roll your own" with something like <http://freenac.org>. The theory would be that clients are granted restricted access, then some checks are made, and only if they pass, are they given real access. Wouldn't be too hard to use a name somewhere in there to track WHO and not only WHAT is connecting.

-jonathan
2009/10/19 Marko Vojinovic <vvmarko at gmail.com>:
> with a form the user is supposed to fill in and send. After he does so, an
> administrator does a sanity check of the data the user provided, and grants or
> denies access. If access is granted, the user gets a new, unrestricted dhcp
> lease, which provides him with a normal access to local network.

Just be aware that, as far as I hear the experts, MAC addresses can be sniffed off the air even on "protected"/"encrypted" WiFi networks and so an intruder can find authorised ones. So trusting the MAC address for authentication is not secure. The way I hear that this is usually done is to create a VPN tunnel over the WiFi connection. Legitimate users still have to authenticate over that VPN tunnel and therefore even a fake sniffed MAC address won't help an intruder. The VPN also enhances protection of legitimate traffic. I never implemented this (neither the WiFi protection nor the MAC sniffing) so can't testify from personal experience.

Cheers,
--Amos
Marko Vojinovic wrote:
> Does anyone know about some free (as in beer, and maybe as in speech) software
> which would implement authentication and authorization of a user prior to
> issuing a valid dhcp lease?
>
> I imagine the following scenario: someone walks into my office building with a
> laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local
> net (wired or wireless). The server detects an unknown MAC address, issues a
> bogus dhcp lease which resolves all dns queries to a single internal web page
> with a form the user is supposed to fill in and send. After he does so, an
> administrator does a sanity check of the data the user provided, and grants or
> denies access. If access is granted, the user gets a new, unrestricted dhcp
> lease, which provides him with a normal access to local network.
>

What about 802.11x authentication? If they are authenticated, they are assigned to the 'internal' vlan and if not, an alert or something else is triggered?
Antonio da Silva Martins Junior
2009-Oct-19 20:12 UTC
[CentOS] [OT] DHCP auth&auth software
----- "Marko Vojinovic" <vvmarko at gmail.com> wrote:
> Does anyone know about some free (as in beer, and maybe as in speech)
> software which would implement authentication and authorization of a user prior
> to issuing a valid dhcp lease?
>
> I imagine the following scenario: someone walks into my office
> building with a laptop (a colleague, a visitor, a guest, whoever), and hooks up onto
> the local net (wired or wireless). The server detects an unknown MAC address,
> issues a bogus dhcp lease which resolves all dns queries to a single internal
> web page with a form the user is supposed to fill in and send. After he does
> so, an administrator does a sanity check of the data the user provided, and
> grants or denies access. If access is granted, the user gets a new, unrestricted
> dhcp lease, which provides him with a normal access to local network.
>
> The goal is to have a database which relates IP or MAC addresses to
> people names, so I can track a person down efficiently if he brings an
> infected/spamming machine into the building.
>
> I would know how to build this infrastructure manually, but it's a lot
> of work, and I don't want to reinvent the wheel. Google somehow failed to
> help, or I failed to provide the right keywords. :-(
>

After reading this thread I think you can try PacketFence (www.packetfence.org) and there are some other less powerful ones on Wikipedia under the NAC topic: http://en.wikipedia.org/wiki/Network_Access_Control

Antonio.

-- 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Antonio S. Martins Jr. - Support Analyst       | "Only The Shadow Knows     |
| Universidade Estadual de Maringá - Brasil      | what evil lurks in the     |
| NPD - Núcleo de Processamento de Dados         | Heart of Men!"             |
| E-Mail: asmartins at uem.br / shadow at uem.br | !!! Linux User: 52392 !!!  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
"Real Programmers don't need comments - the code is obvious."