[CentOS] [OT] DHCP auth&auth software

Mon Oct 19 09:41:24 UTC 2009
Marko Vojinovic <vvmarko at gmail.com>

On Monday 19 October 2009 08:05:39 Amos Shapira wrote:
> 2009/10/19 Marko Vojinovic <vvmarko at gmail.com>:
> > with a form the user is supposed to fill in and send. After he does so,
> > an administrator does a sanity check of the data the user provided, and
> > grants or denies access. If access is granted, the user gets a new,
> > unrestricted dhcp lease, which provides him with normal access to the local
> > network.
> 
> Just be aware that, as far as I hear the experts, MAC addresses can be
> sniffed off the air even on "protected"/"encrypted" WiFi networks and
> so an intruder can find authorised ones. So trusting the MAC address
> for authentication is not secure.

Thanks for the warning, but my issue is maintenance rather than security. My 
Institute hosts circa 250 researchers and employees, each having a desktop 
machine and every other one having a laptop in addition, so I have more or less 
400 machines on the network every day. And when one of them starts spamming or 
spreading viruses or downloading illegal material via p2p or whatever, the first 
thing I need to do is to locate the machine among 400 others in a 3-floor 
building. Or at least determine the machine's owner.

I've never had a case of deliberate network intrusion or misuse, since physical 
access to the building is rather restricted. So far, problems have occurred 
exclusively because of user ignorance. Users don't bother to obey local policy 
about p2p, antivirus and other protection, so I have to find them and make them 
obey it. And finding them is not easy if the only information I have is the 
dynamically assigned IP.

> The way I hear that this is usually done is to create a VPN tunnel
> over the WiFi connection. Legitimate users still have to authenticate
> over that VPN tunnel and therefore even a fake sniffed MAC address
> won't help an intruder. The VPN also enhances protection of legitimate
> traffic.

I agree this would be more secure, but it is overkill in my situation. And it 
makes life more complicated for me and other admins, as well as users. :-)

But nevertheless, thanks for the info! :-)

Best, :-)
Marko
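As an added illustration of the lookup described in this message (not code from the thread or from any CentOS package), the snippet below resolves a dynamically assigned IP to its current MAC, client hostname and registered owner by reading ISC dhcpd's lease file together with the MAC-to-owner table that the sign-up form would produce. The lease excerpt, the registration table and all names are constructed sample data; the script assumes the file is in standard dhcpd.leases syntax, where dhcpd appends a new block each time a lease changes.

```python
import re

# Constructed excerpt in ISC dhcpd.leases syntax (sample data, not from the thread).
# dhcpd appends a block whenever a lease changes, so for one IP the last block
# in file order is the current one; timestamps are omitted here for brevity.
SAMPLE_LEASES = """\
lease 10.0.1.23 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "desk-lab3";
}
lease 10.0.1.23 {
  binding state active;
  hardware ethernet 00:AA:BB:CC:DD:EE;
  client-hostname "laptop-312";
}
lease 10.0.1.77 {
  binding state active;
  hardware ethernet 00:de:ad:be:ef:01;
}
"""
# Constructed registration table (MAC -> owner), i.e. what the sign-up form collects.
REGISTERED = {"00:aa:bb:cc:dd:ee": "user A, room 312"}

BLOCK_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)

def parse_leases(text):
    """Parse lease blocks into dicts, preserving file order."""
    leases = []
    for m in BLOCK_RE.finditer(text):
        ip, body = m.groups()
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        state = re.search(r"binding state (\w+);", body)
        leases.append({"ip": ip,
                       "mac": mac.group(1).lower() if mac else None,
                       "host": host.group(1) if host else None,
                       "state": state.group(1) if state else None})
    return leases

def identify(ip, leases_text, registered):
    """(mac, hostname, owner) for the current active lease of ip, or None.
    owner is None when the MAC is not in the registration table."""
    current = None
    for lease in parse_leases(leases_text):   # last matching block wins
        if lease["ip"] == ip and lease["state"] == "active":
            current = lease
    if current is None or current["mac"] is None:
        return None
    return current["mac"], current["host"], registered.get(current["mac"])
```

An owner of None marks a machine that still sits on the restricted lease (its MAC was never registered), which is exactly the case an admin would want flagged.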