On Wednesday 05 April 2006 04:22, Mark Jayson Alvarez wrote: > Hi Nikos > > Nikos Vassiliadis <[EMAIL PROTECTED]> wrote: On Monday 03 April 2006 10:34, Mark Jayson Alvarez wrote: > > Hi > > > > I am looking for ways to manage our LAN by having each user register > > their ipaddress, mac address, workstation os, etc. in our ldap directory. > > Now in our pcrouter, the users will first send his login credentials to > > the pcrouter, and then the pcrouter will check against ldap if this login > > is correct, and if it is, then it will now do an ldapsearch/compare > > operation to see if the source address (ip/mac) of the user trying to > > gain network access is indeed belongs to that user. Only then, the ipfw > > ruleset will be changed to allow traffic originating from this source > > address... > > <snip> > Does it have to be LDAP and ipfw? > there is authpf which.. > > Ofcourse this does not cover the IP|MAC address checking you mentioned, > but I don't see how this enhances security. It will be easy for a user to > change his IP|MAC address. > </snip> > > Our main problem is that in our company, each user has his own > workstation(no one else uses it).. However, due to poor implementation of > ip allocation strategy, any user can change his ip to whatever ip address > he wants, thus it would be hard for us to really monitor who is doing this > and who is doing that (because it would be useless to see the ip address of > the one who's eating up or bandwidth or doing p2p when we cannot determine > who is this user this ip belongs to. This leads us to our decision to have > every user assigned a static ip address and have him register his mac > address, all stored in ldap directory, and have him authenticate to the pc > router first before being allowed to access any server.
All these are not problems with the solution I suggest below > Authpf is somewhat > close to this idea but perhaps it was designed for environment wherein > users have no permanent workstation, or user can come from any location, > even outside the company(at home).... > > I have created a draft of my proposed solution: > > First, user will authenticate to a web based login form which is tied up > against the ip[f|fw|tables] ruleset. > > When the user submits the form, the cgi will then verify if the user is > really who he claims to be by doing an ldapbind using the credentials > provided. Also, the script will check if the request is coming from an ip > address that is assigned to that user, by comparing it to his ldap > attributes (somewhat prevents users from using other user's ip address). > > If everything goes well, the script will happily change the router's > firewall ruleset to allow the user to pass thru. (note that in our setup, > we have allocated a single class C ip block for all the staffs(120) (no > need to have separate blocks since all policies applies to all). Also, we > have placed all the servers (mail, proxy, file, printer, im etc) in a > different block to make sure that authentication will happen first before a > user is allowed to access any of those servers. > > Next, we will also provide a logout form(the same as logging out from ssh > session in authpf) so that the ruleset can be reverted back when the user > does not want to access any network server anymore. The problem with this > is that users may be too lazy to logout to the network authentication.. In > authpf, even the user did not logout from his ssh session, when he turns > off his computer, the ssh session will automatically be terminated. I'm > thinking perhaps I can have a nagios server constantly monitoring each > user's network connectivity and then changing the firewall ruleset once the > user's machine is unreacheable... > > Another problem I am thinking is that, when a user has already > authenticated to the router and have his ip address verified and has been > allowed in the firewall, another smart user might immediately change his > ip/mac address to that of the authenticated user, and thus making it hard > to track his network activity again.. I'm still going to investigate if > arpwatch can fill this need.... > > > What do you think??? I think all these can be addressed with mpd & RADIUS... read bellow > > > If it isn't too much trouble you can use PPPoE and/or PPTP with mpd & RADIUS. You'll then have: 1) username/password authorization 2) dynamic or static IP address assignment from predefined ranges 3) accounting per username 4) traffic control per IP address(ipfw dummynet)* 5) other interesting RADIUS or PPP features. For example: a) idle-timeout(the user is not using the network and will be logged off). b) session-timeout(the user will have a forced log-out after, let's say, 10 hours). c) session control. You will know if the connection is "up", no matter the traffic. *) actually very few ipfw rules. Two rules per bandwidth category (384/128, 512/256 etc). I used ipfw tables for that. mpd can also do per-user ipfw-rules if you want that Something that might interest you, is that FreeRadius can use LDAP backend. PPPOE clients exist in every Unix-like OpenSourceSoft OS PPTP is the windows native VPN I would choose PPPoE, it's lightweight compared to PPTP. You mentioned that the staff is on its own LAN segment, right?? I don't know if DHCP can cover your needs, in an all-super-user enviroment. I think this can. But its complicated. I have configuration I can share if you want. Infact I was planning to write a howto... > > > > > HTH, Nikos > > > Anyone have gone with this solution before?? > > > > Thanks > > > > > > --------------------------------- > > Blab-away for as little as 1ยข/min. Make PC-to-Phone Calls using Yahoo! > > Messenger with Voice. _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to > > "[EMAIL PROTECTED]" > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "[EMAIL PROTECTED]" > > > > --------------------------------- > New Yahoo! Messenger with Voice. Call regular phones from your PC and save > big. _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "[EMAIL PROTECTED]" _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"