Does anyone know about some free (as in beer, and maybe as in speech) software which would implement authentication and authorization of a user prior to issuing a valid dhcp lease?
I imagine the following scenario: someone walks into my office building with a laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local net (wired or wireless). The server detects an unknown MAC address, issues a bogus dhcp lease which resolves all dns queries to a single internal web page with a form the user is supposed to fill in and send. After he does so, an administrator does a sanity check of the data the user provided, and grants or denies access. If access is granted, the user gets a new, unrestricted dhcp lease, which provides him with normal access to the local network.
The goal is to have a database which relates IP or MAC addresses to people names, so I can track a person down efficiently if he brings an infected/spamming machine into the building.
I would know how to build this infrastructure manually, but it's a lot of work, and I don't want to reinvent the wheel. Google somehow failed to help, or I failed to provide the right keywords. :-(
So what are my options?
TIA, :-) Marko
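The quarantine half of the scenario above (unknown MAC gets a lease whose DNS points at a portal, registered MAC gets a real one) maps directly onto ISC dhcpd's class and pool mechanism. The following is an added example written for this page, not software from any post in the thread: it renders a dhcpd.conf fragment from a registration table. Everything in it is an assumption: the 10.0.0.0/24 addressing, ISC dhcpd as the server, a resolver at 10.0.0.3 that answers every query with the portal's address, and the constructed REGISTRY contents.

```python
"""Render an ISC dhcpd configuration that quarantines unregistered MAC addresses.

Added example for the scenario in the thread, not software from any post in it. It
assumes ISC dhcpd, the 10.0.0.0/24 addresses below, a resolver at 10.0.0.3 that
answers every query with the portal's address, and a registration table keyed by MAC.
"""
import re

# Constructed registration table: what the portal form collects once the admin approves it.
REGISTRY = {
    "00:11:22:33:44:55": "A. Researcher, room 2-14",
    "00-11-22-33-44-66": "B. Visitor, guest desk",   # users type MACs in every notation
}

# Assumed addressing; adjust to the real subnet.
NET = {
    "subnet": "10.0.0.0", "netmask": "255.255.255.0", "router": "10.0.0.1",
    "real_dns": "10.0.0.2", "portal_dns": "10.0.0.3",
    "registered_range": "10.0.0.100 10.0.0.199",
    "quarantine_range": "10.0.0.200 10.0.0.250",
}


def normalize_mac(mac):
    """Canonicalise to lower-case colon form and reject anything that is not six hex octets.

    The MAC arrives from a web form, so this is the check that keeps arbitrary text
    (and dhcpd.conf syntax) out of the generated configuration.
    """
    parts = re.split(r"[:\-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(parts)


def render_dhcpd_conf(registry, net=NET):
    """Return dhcpd.conf text: registered MACs get real DNS, everyone else gets the portal."""
    # Owner text also comes from the form: collapse whitespace so it stays on one comment line.
    entries = sorted((normalize_mac(m), " ".join(owner.split())) for m, owner in registry.items())
    lines = ['class "registered" {', "    match hardware;", "}"]
    for mac, owner in entries:
        # dhcpd's hardware match includes the hardware-type byte; 1 is Ethernet.
        lines.append(f'subclass "registered" 1:{mac};    # {owner}')
    lines += [
        "",
        f'subnet {net["subnet"]} netmask {net["netmask"]} {{',
        f'    option routers {net["router"]};',
        "    pool {",
        '        allow members of "registered";',
        f'        range {net["registered_range"]};',
        f'        option domain-name-servers {net["real_dns"]};',
        "        default-lease-time 28800;",
        "    }",
        "    pool {",
        '        deny members of "registered";',
        f'        range {net["quarantine_range"]};',
        f'        option domain-name-servers {net["portal_dns"]};    # every name resolves to the portal',
        "        default-lease-time 300;    # short, so a newly registered client re-requests soon",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhcpd_conf(REGISTRY), end="")
```

Two practical points when wiring this up: the portal-side resolver can be a dnsmasq instance with `address=/#/10.0.0.3`, which returns the portal address for every name so that whatever the browser asks for lands on the form; and ISC dhcpd only reads dhcpd.conf at start-up, so the approval step has to regenerate the file and restart the daemon, after which the short quarantine lease is what gets the client onto the registered pool without anyone touching the laptop.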
On Sun, Oct 18, 2009 at 8:58 AM, Marko Vojinovic vvmarko@gmail.com wrote: ---8<----
I imagine the following scenario: someone walks into my office building with a laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local net (wired or wireless). The server detects an unknown MAC address, issues a bogus dhcp lease which resolves all dns queries to a single internal web page with a form the user is supposed to fill in and send. After he does so, an administrator does a sanity check of the data the user provided, and grants or denies access. If access is granted, the user gets a new, unrestricted dhcp lease, which provides him with normal access to the local network.
--->8----
So what are my options?
Maybe a Network Access Control solution, either from a vendor such as Cisco or a "roll your own" with something like http://freenac.org.
The theory would be that clients are granted restricted access, then some checks are made, and only if they pass are they given real access. Wouldn't be too hard to use a name somewhere in there to track WHO and not only WHAT is connecting.
-jonathan
On Sunday 18 October 2009 15:18:29 Jonathan Moore wrote:
On Sun, Oct 18, 2009 at 8:58 AM, Marko Vojinovic vvmarko@gmail.com wrote:
I imagine the following scenario: someone walks into my office building with a laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local net (wired or wireless). The server detects an unknown MAC address, issues a bogus dhcp lease which resolves all dns queries to a single internal web page with a form the user is supposed to fill in and send. After he does so, an administrator does a sanity check of the data the user provided, and grants or denies access. If access is granted, the user gets a new, unrestricted dhcp lease, which provides him with normal access to the local network.
So what are my options?
Maybe a Network Access Control solution, either from a vendor such as Cisco or a "roll your own" with something like http://freenac.org.
Ok, this looks promising, I'll give it a detailed look tomorrow. Thanks for the info! :-)
Best, :-) Marko
On Sun, Oct 18, 2009 at 11:38 AM, Marko Vojinovic vvmarko@gmail.com wrote:
On Sunday 18 October 2009 15:18:29 Jonathan Moore wrote:
On Sun, Oct 18, 2009 at 8:58 AM, Marko Vojinovic vvmarko@gmail.com
wrote:
I imagine the following scenario: someone walks into my office building with a laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local net (wired or wireless). The server detects an unknown MAC address, issues a bogus dhcp lease which resolves all dns queries to a single internal web page with a form the user is supposed to fill in and send. After he does so, an administrator does a sanity check of the data the user provided, and grants or denies access. If access is granted, the user gets a new, unrestricted dhcp lease, which provides him with normal access to the local network.
So what are my options?
You might find Netreg (http://netreg.sourceforge.net/) useful. My university uses it and it works quite well.
Matt
-- Mathew S. McCarrell Clarkson University '10
mccarrms@gmail.com mccarrms@clarkson.edu 1-518-314-9214
On Monday 19 October 2009 01:36:58 Mathew S. McCarrell wrote:
On Sun, Oct 18, 2009 at 11:38 AM, Marko Vojinovic vvmarko@gmail.com wrote:
On Sunday 18 October 2009 15:18:29 Jonathan Moore wrote:
On Sun, Oct 18, 2009 at 8:58 AM, Marko Vojinovic vvmarko@gmail.com
wrote:
I imagine the following scenario: someone walks into my office building with a laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local net (wired or wireless). The server detects an unknown MAC address, issues a bogus dhcp lease which resolves all dns queries to a single internal web page with a form the user is supposed to fill in and send. After he does so, an administrator does a sanity check of the data the user provided, and grants or denies access. If access is granted, the user gets a new, unrestricted dhcp lease, which provides him with normal access to the local network.
So what are my options?
You might find Netreg (http://netreg.sourceforge.net/) useful. My university uses it and it works quite well.
This also looks promising. Thanks for the info! :-)
Best, :-) Marko
2009/10/19 Marko Vojinovic vvmarko@gmail.com:
with a form the user is supposed to fill in and send. After he does so, an administrator does a sanity check of the data the user provided, and grants or denies access. If access is granted, the user gets a new, unrestricted dhcp lease, which provides him with normal access to the local network.
Just be aware that, as far as I hear from the experts, MAC addresses can be sniffed off the air even on "protected"/"encrypted" WiFi networks, and so an intruder can find authorised ones. So trusting the MAC address for authentication is not secure.
The way I hear that this is usually done is to create a VPN tunnel over the WiFi connection. Legitimate users still have to authenticate over that VPN tunnel and therefore even a fake sniffed MAC address won't help an intruder. The VPN also enhances protection of legitimate traffic.
I never implemented this (neither the WiFi protection nor the MAC sniffing) so can't testify from personal experience.
Cheers,
--Amos
On Monday 19 October 2009 08:05:39 Amos Shapira wrote:
2009/10/19 Marko Vojinovic vvmarko@gmail.com:
with a form the user is supposed to fill in and send. After he does so, an administrator does a sanity check of the data the user provided, and grants or denies access. If access is granted, the user gets a new, unrestricted dhcp lease, which provides him with normal access to the local network.
Just be aware that, as far as I hear from the experts, MAC addresses can be sniffed off the air even on "protected"/"encrypted" WiFi networks, and so an intruder can find authorised ones. So trusting the MAC address for authentication is not secure.
Thanks for the warning, but my issue is maintenance rather than security. My Institute hosts ca. 250 researchers and employees, each having a desktop machine and every other one having a laptop in addition, so I have more or less 400 machines on the network every day. And when one of them starts spamming or spreading viruses or downloading illegal material via p2p or whatever, the first thing I need to do is to locate the machine among 400 others in a 3-floor building, or at least determine the machine owner.
I've never had a case of deliberate network intrusion and misuse, since physical access to the building is rather restricted. So far problems have occurred exclusively because of user ignorance. Users don't bother to obey local policy about p2p, antivirus and other protection, so I have to find them and make them obey it. And finding them is not easy if the only information I have is the dynamically assigned IP.
The way I hear that this is usually done is to create a VPN tunnel over the WiFi connection. Legitimate users still have to authenticate over that VPN tunnel and therefore even a fake sniffed MAC address won't help an intruder. The VPN also enhances protection of legitimate traffic.
I agree this would be more secure, but is an overkill in my situation. And it makes life more complicated for me and other admins, as well as users. :-)
But nevertheless, thanks for the info! :-)
Best, :-) Marko
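The maintenance problem described in this message (a complaint names a dynamically assigned IP, and the admin has to get from there to a person) is a join between the DHCP server's lease history and the registration table, and the join has to be made at the time of the incident, not at the time of the complaint. The block below is an added example written for this page, not code from anyone in the thread. It assumes ISC dhcpd's dhcpd.leases syntax; the lease excerpt, timestamps, MACs, names and rooms in it are all constructed.

```python
"""Find who held a dynamically assigned IP at a given moment, from dhcpd's lease file.

Added example for the maintenance problem in the thread; it assumes ISC dhcpd's
dhcpd.leases format and a registration table keyed by MAC (both constructed here).
"""
import re
from datetime import datetime, timezone

# Constructed registration table (what the portal form would have collected).
REGISTRY = {
    "00:11:22:33:44:55": {"owner": "A. Researcher", "room": "2-14"},
    "00:11:22:33:44:66": {"owner": "B. Visitor", "room": "guest desk"},
}

# Constructed excerpt in ISC dhcpd.leases syntax. dhcpd appends a new block every
# time a lease changes, so the same IP shows up repeatedly: the last block for an
# address is its current state, and the older blocks are the history we need.
SAMPLE_LEASES = """\
lease 10.0.0.105 {
  starts 1 2009/10/19 06:00:00;
  ends 1 2009/10/19 10:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "lab-laptop";
}
lease 10.0.0.105 {
  starts 1 2009/10/19 11:30:00;
  ends 1 2009/10/19 15:30:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "visitor";
}
lease 10.0.0.106 {
  starts 1 2009/10/19 09:00:00;
  ends never;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
"""

BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD = re.compile(
    r"^\s*(starts|ends|hardware ethernet|binding state|client-hostname)\s+(.*?);\s*$", re.M)
FOREVER = datetime.max.replace(tzinfo=timezone.utc)


def _ts(value):
    """Parse dhcpd's 'weekday YYYY/MM/DD HH:MM:SS' (UTC) or the literal 'never'."""
    if value == "never":
        return FOREVER
    _weekday, day, clock = value.split()
    return datetime.strptime(f"{day} {clock}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return lease dicts in file order; later entries for an IP supersede earlier ones."""
    leases = []
    for ip, body in BLOCK.findall(text):
        rec = {"ip": ip}
        for key, val in FIELD.findall(body):
            rec[key] = val.strip('"')
        if "starts" in rec and "ends" in rec:      # skip malformed or partial blocks
            rec["starts"], rec["ends"] = _ts(rec["starts"]), _ts(rec["ends"])
            leases.append(rec)
    return leases


def owner_at(ip, when, leases, registry=REGISTRY):
    """Who had `ip` at `when` ('YYYY/MM/DD HH:MM:SS', UTC)?

    Returns (mac, registry entry or None) for the lease covering that instant, or None
    if the address was not leased then. Matching on time matters: the machine that was
    spamming at 07:00 is not necessarily the one holding the address when the complaint
    arrives, and a short lease time makes that gap common.
    """
    t = datetime.strptime(when, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
    for rec in reversed(leases):                   # newest block first
        if rec["ip"] == ip and rec["starts"] <= t < rec["ends"]:
            mac = rec.get("hardware ethernet", "").lower()
            return mac, registry.get(mac)
    return None


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for ip, when in (("10.0.0.105", "2009/10/19 07:00:00"),
                     ("10.0.0.105", "2009/10/19 12:00:00"),
                     ("10.0.0.105", "2009/10/19 10:30:00"),
                     ("10.0.0.106", "2009/10/19 12:00:00")):
        print(ip, when, "->", owner_at(ip, when, leases))
```

The lease for 10.0.0.106 above is the case the registry does not cover: an unregistered MAC that nevertheless holds a lease, which is exactly the device the portal scheme is meant to make impossible. One operational caveat: dhcpd rewrites dhcpd.leases periodically and drops expired entries, so for this lookup to work weeks later the file (or its relevant lines from syslog) needs to be archived rather than read live.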
2009/10/19 Marko Vojinovic vvmarko@gmail.com:
I've never had a case of deliberate network intrusion&misuse, since physical access to the building is rather restricted. So far problems have occurred exclusively because of user ignorance. Users don't bother to obey local policy about p2p, antivirus and other protection, so I have to find them and make them obey it. And finding them is not easy if the only information I have is the dynamically assigned IP.
I understand now that your situation is different from the one I envisioned when I wrote my previous post.
Just wondering how easy it is to get within reach of your WiFi network - my mobile phone keeps picking up wireless networks wherever I go in urban areas and at almost every stop outside the city (petrol stations etc).
Is your building isolated enough to prevent someone from accessing your wireless networks from outside the secure area?
Cheers,
--Amos
Marko Vojinovic wrote:
Does anyone know about some free (as in beer, and maybe as in speech) software which would implement authentication and authorization of a user prior to issuing a valid dhcp lease?
I imagine the following scenario: someone walks into my office building with a laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local net (wired or wireless). The server detects an unknown MAC address, issues a bogus dhcp lease which resolves all dns queries to a single internal web page with a form the user is supposed to fill in and send. After he does so, an administrator does a sanity check of the data the user provided, and grants or denies access. If access is granted, the user gets a new, unrestricted dhcp lease, which provides him with normal access to the local network.
What about 802.1X authentication? If they are authenticated, they are assigned to the 'internal' VLAN, and if not, an alert or something else is triggered?