[CentOS] [OT] DHCP auth&auth software
Marko Vojinovic
vvmarko at gmail.com
Mon Oct 19 09:41:24 UTC 2009
On Monday 19 October 2009 08:05:39 Amos Shapira wrote:
> 2009/10/19 Marko Vojinovic <vvmarko at gmail.com>:
> > with a form the user is supposed to fill in and send. After he does so,
> > an administrator does a sanity check of the data the user provided, and
> > grants or denies access. If access is granted, the user gets a new,
> > unrestricted dhcp lease, which provides him with normal access to the local
> > network.
>
> Just be aware that, as far as I hear the experts, MAC addresses can be
> sniffed off the air even on "protected"/"encrypted" WiFi networks and
> so an intruder can find authorised ones. So trusting the MAC address
> for authentication is not secure.
Thanks for the warning, but my issue is maintenance rather than security. My
Institute hosts cca 250 researchers and employees, each having a desktop
machine and every other having a laptop in addition, so I have more or less
400 machines on the network every day. And when one of them starts spamming or
spreading viruses or downloading illegal material via p2p or whatever, the first
thing I need to do is locate the machine among 400 others in a 3-floor
building. Or at least determine the machine owner.
I've never had a case of deliberate network intrusion & misuse, since physical
access to the building is rather restricted. So far problems have occurred
exclusively because of user ignorance. Users don't bother to obey local policy
about p2p, antivirus and other protection, so I have to find them and make them
obey it. And finding them is not easy if the only information I have is the
dynamically assigned IP.
> The way I hear that this is usually done is to create a VPN tunnel
> over the WiFi connection. Legitimate users still have to authenticate
> over that VPN tunnel and therefore even a fake sniffed MAC address
> won't help an intruder. The VPN also enhances protection of legitimate
> traffic.
I agree this would be more secure, but it is overkill in my situation. And it
makes life more complicated for me and other admins, as well as users. :-)
But nevertheless, thanks for the info! :-)
Best, :-)
Marko
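The lookup Marko describes (dynamic IP -> MAC -> registered owner), as an added example that is not part of the thread: it parses a constructed ISC dhcpd.leases excerpt, keeps the newest block per IP (dhcpd appends, so later entries supersede earlier ones), and joins the MAC against a hypothetical owner table filled in from the registration form. The MAC serves only as a maintenance identifier here, as the thread itself notes.

```python
import re
from typing import Dict, Optional

# Constructed sample in ISC dhcpd.leases format (not from the original post).
# 10.0.1.57 appears twice: the second block is the current lease.
SAMPLE_LEASES = """\
lease 10.0.1.57 {
  starts 1 2009/10/19 07:55:12;
  ends 1 2009/10/19 19:55:12;
  binding state active;
  hardware ethernet 00:16:3e:12:34:56;
  client-hostname "old-laptop";
}
lease 10.0.1.57 {
  starts 1 2009/10/19 08:30:00;
  ends 1 2009/10/19 20:30:00;
  binding state active;
  hardware ethernet 00:16:3e:AB:CD:EF;
  client-hostname "marko-laptop";
}
lease 10.0.1.58 {
  starts 1 2009/10/19 08:31:10;
  ends 1 2009/10/19 20:31:10;
  binding state free;
  hardware ethernet 00:16:3e:00:00:01;
}
"""

# Hypothetical registration table built from the web form: MAC -> owner.
REGISTERED_OWNERS = {"00:16:3e:ab:cd:ef": "M. Vojinovic, room 312"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)

def parse_leases(text: str) -> Dict[str, Dict[str, str]]:
    """Return the most recent lease block for each IP as a field dict."""
    leases: Dict[str, Dict[str, str]] = {}
    for ip, body in LEASE_RE.findall(text):
        fields: Dict[str, str] = {}
        for stmt in (s.strip() for s in body.split(";")):
            if stmt.startswith("hardware ethernet "):
                fields["mac"] = stmt.split()[2].lower()   # normalise case
            elif stmt.startswith("client-hostname "):
                fields["hostname"] = stmt.split(" ", 1)[1].strip('"')
            elif stmt.startswith("binding state "):
                fields["state"] = stmt.split()[2]
        leases[ip] = fields  # later block in the file wins
    return leases

def locate(ip: str, leases: Dict[str, Dict[str, str]],
           owners: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map an IP to MAC, hostname and registered owner; None if no active lease."""
    lease = leases.get(ip)
    if lease is None or lease.get("state") != "active":
        return None
    mac = lease.get("mac", "?")
    return {"mac": mac, "hostname": lease.get("hostname", "?"),
            "owner": owners.get(mac, "unregistered")}
```

Pointing `parse_leases` at /var/lib/dhcpd/dhcpd.leases on the server gives the same lookup against live data; an "unregistered" result means the MAC never went through the form.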