Re: [CentOS] [OT] DHCP auth&auth software

2009-10-19 Thread Antonio da Silva Martins Junior

- "Marko Vojinovic" wrote:

> Does anyone know about some free (as in beer, and maybe as in speech)
> software which would implement authentication and authorization of a user
> prior to issuing a valid dhcp lease?
>
> I imagine the following scenario: someone walks into my office
> building with a laptop (a colleague, a visitor, a guest, whoever), and hooks
> up onto the local net (wired or wireless). The server detects an unknown MAC
> address, issues a bogus dhcp lease which resolves all dns queries to a single
> internal web page with a form the user is supposed to fill in and send. After
> he does so, an administrator does a sanity check of the data the user
> provided, and grants or denies access. If access is granted, the user gets a
> new, unrestricted dhcp lease, which provides him with a normal access to
> local network.
>
> The goal is to have a database which relates IP or MAC addresses to
> people names, so I can track a person down efficiently if he brings an
> infected/spamming machine into the building.
>
> I would know how to build this infrastructure manually, but it's a lot
> of work, and I don't want to reinvent the wheel. Google somehow failed to
> help, or I failed to provide the right keywords. :-(
>

After reading this thread I think you can try PacketFence (www.packetfence.org),
and there are some other, less powerful ones listed on Wikipedia under the NAC
topic: http://en.wikipedia.org/wiki/Network_Access_Control

   Antonio.

-- 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Antonio S. Martins Jr. - Support Analyst | "Only The Shadow Knows |
| Universidade Estadual de Maringá - Brasil|   what evil lurks in the   |
| NPD - Núcleo de Processamento de Dados   |   Heart of Men!"   |
| E-Mail: asmart...@uem.br / sha...@uem.br | !!! Linux User: 52392 !!!  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 "Real Programmers don’t need comments — the code is obvious."


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] [OT] DHCP auth&auth software

2009-10-19 Thread Chan Chung Hang Christopher
Marko Vojinovic wrote:
> Does anyone know about some free (as in beer, and maybe as in speech)
> software which would implement authentication and authorization of a user
> prior to issuing a valid dhcp lease?
>
> I imagine the following scenario: someone walks into my office building with
> a laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the
> local net (wired or wireless). The server detects an unknown MAC address,
> issues a bogus dhcp lease which resolves all dns queries to a single internal
> web page with a form the user is supposed to fill in and send. After he does
> so, an administrator does a sanity check of the data the user provided, and
> grants or denies access. If access is granted, the user gets a new,
> unrestricted dhcp lease, which provides him with a normal access to local
> network.
>

What about 802.11x authentication? If they are authenticated, they are 
assigned to the 'internal' vlan and if not, an alert or something else 
is triggered?


Re: [CentOS] [OT] DHCP auth&auth software

2009-10-19 Thread Marko Vojinovic
On Monday 19 October 2009 01:36:58 Mathew S. McCarrell wrote:
> On Sun, Oct 18, 2009 at 11:38 AM, Marko Vojinovic  wrote:
> > On Sunday 18 October 2009 15:18:29 Jonathan Moore wrote:
> > > On Sun, Oct 18, 2009 at 8:58 AM, Marko Vojinovic  wrote:
> > > > I imagine the following scenario: someone walks into my office
> > > > building with a laptop (a colleague, a visitor, a guest, whoever),
> > > > and hooks up onto the local net (wired or wireless). The server
> > > > detects an unknown MAC address, issues a bogus dhcp lease which
> > > > resolves all dns queries to a single internal web page with a form
> > > > the user is supposed to fill in and send. After he does so, an
> > > > administrator does a sanity check of the data the user provided,
> > > > and grants or denies access. If access is granted, the user gets a
> > > > new, unrestricted dhcp lease, which provides him with a normal
> > > > access to local network.
> > > >
> > > > So what are my options?
>
> You might find Netreg (http://netreg.sourceforge.net/) useful.  My
> university uses it and it works quite well.

This also looks promising. Thanks for the info! :-)

Best, :-)
Marko





Re: [CentOS] [OT] DHCP auth&auth software

2009-10-19 Thread Amos Shapira
2009/10/19 Marko Vojinovic :
> I've never had a case of deliberate network intrusion&misuse, since physical
> access to the building is rather restricted. So far problems have occurred
> exclusively because of user ignorance. Users don't bother to obey local policy
> about p2p, antivirus and other protection, so I have to find them and make
> them obey it. And finding them is not easy if the only information I have is
> the dynamically assigned IP.

I understand now that your situation is different from the one I
envisioned when I wrote my previous post.

Just wondering how easy is it to get within reach of your WiFi network
- my mobile phone keeps picking up wireless networks wherever I go in
urban areas and almost every stop outside the city (petrol stations
etc).

Is your building isolated enough to prevent someone from accessing
your wireless networks from outside the secure area?

Cheers,

--Amos


Re: [CentOS] [OT] DHCP auth&auth software

2009-10-19 Thread Marko Vojinovic
On Monday 19 October 2009 08:05:39 Amos Shapira wrote:
> 2009/10/19 Marko Vojinovic :
> > with a form the user is supposed to fill in and send. After he does so,
> > an administrator does a sanity check of the data the user provided, and
> > grants or denies access. If access is granted, the user gets a new,
> > unrestricted dhcp lease, which provides him with a normal access to local
> > network.
> 
> Just be aware that, as far as I hear the experts, MAC addresses can be
> sniffed off the air even on "protected"/"encrypted" WiFi networks and
> so an intruder can find authorised ones. So trusting the MAC address
> for authentication is not secure.

Thanks for the warning, but my issue is maintenance rather than security. My 
Institute hosts cca 250 researchers and employees, each having a desktop 
machine and every other having a laptop in addition, so I have more or less 
400 machines on the network every day. And when one of them starts spamming or 
spreading viruses or downloading illegal material via p2p or whatever, first 
thing I need to do is to locate the machine among 400 others in a 3-floor 
building. Or at least determine the machine owner.

I've never had a case of deliberate network intrusion&misuse, since physical 
access to the building is rather restricted. So far problems have occurred 
exclusively because of user ignorance. Users don't bother to obey local policy 
about p2p, antivirus and other protection, so I have to find them and make them 
obey it. And finding them is not easy if the only information I have is the 
dynamically assigned IP.

> The way I hear that this is usually done is to create a VPN tunnel
> over the WiFi connection. Legitimate users still have to authenticate
> over that VPN tunnel and therefore even a fake sniffed MAC address
> won't help an intruder. The VPN also enhances protection of legitimate
> traffic.

I agree this would be more secure, but is an overkill in my situation. And it 
makes life more complicated for me and other admins, as well as users. :-)

But nevertheless, thanks for the info! :-)

Best, :-)
Marko
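
An added example (not code from the thread, nor from PacketFence or Netreg) of the registration side of the workflow Marko describes, in Python: the admin-approved MAC-to-person table, a lookup of the owner behind a dynamically assigned IP from ISC dhcpd's leases file, and the `subclass` lines that let dhcpd hand registered MACs the normal pool while unknown ones get the quarantine pool. The registration table and the leases excerpt are constructed; the class name `registered` is an assumed convention.

```python
import re

# Constructed registration table: what an admin would approve from the
# web form described in the thread (MAC -> person). Not from the thread.
REGISTRATIONS = {
    "00:16:3e:aa:bb:01": {"name": "A. Researcher", "room": "2-14"},
    "00:16:3e:aa:bb:02": {"name": "B. Visitor", "room": "guest desk"},
}

# Constructed excerpt in ISC dhcpd.leases syntax; the second IP belongs
# to an unregistered machine that only received a quarantine lease.
LEASES = """
lease 10.1.2.50 {
  binding state active;
  hardware ethernet 00:16:3E:AA:BB:01;
}
lease 10.1.9.7 {
  binding state active;
  hardware ethernet 00:16:3e:ff:ff:99;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)
STATE_RE = re.compile(r"binding state\s+(\w+);")

def active_leases(text):
    """Map IP -> MAC for active leases. dhcpd appends a new record on every
    change, so a later record for the same IP overrides an earlier one."""
    result = {}
    for ip, body in LEASE_RE.findall(text):
        mac, state = MAC_RE.search(body), STATE_RE.search(body)
        if mac and state and state.group(1) == "active":
            result[ip] = mac.group(1).lower()   # normalise case for lookup
        else:
            result.pop(ip, None)  # released/expired: no longer active
    return result

def owner_of(ip, leases_text=LEASES, registry=REGISTRATIONS):
    """Who is behind this IP right now? None means an unregistered MAC."""
    mac = active_leases(leases_text).get(ip)
    return registry.get(mac) if mac else None

def dhcpd_subclasses(registry=REGISTRATIONS, cls="registered"):
    """Emit dhcpd 'subclass' lines for approved MACs. They pair with
    class "registered" { match hardware; } and a pool that uses
    'allow members of "registered"' (the quarantine pool uses 'deny')."""
    return "\n".join(f'subclass "{cls}" 1:{mac};' for mac in sorted(registry))
```

The `1:` prefix in each subclass line is the hardware type (Ethernet) that `match hardware` compares against.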



Re: [CentOS] [OT] DHCP auth&auth software

2009-10-19 Thread Amos Shapira
2009/10/19 Marko Vojinovic :
> with a form the user is supposed to fill in and send. After he does so, an
> administrator does a sanity check of the data the user provided, and grants or
> denies access. If access is granted, the user gets a new, unrestricted dhcp
> lease, which provides him with a normal access to local network.

Just be aware that, as far as I hear the experts, MAC addresses can be
sniffed off the air even on "protected"/"encrypted" WiFi networks and
so an intruder can find authorised ones. So trusting the MAC address
for authentication is not secure.

The way I hear that this is usually done is to create a VPN tunnel
over the WiFi connection. Legitimate users still have to authenticate
over that VPN tunnel and therefore even a fake sniffed MAC address
won't help an intruder. The VPN also enhances protection of legitimate
traffic.

I never implemented this (neither the WiFi protection nor the MAC
sniffing) so can't testify from personal experience.

Cheers,

--Amos


Re: [CentOS] [OT] DHCP auth&auth software

2009-10-18 Thread Mathew S. McCarrell
On Sun, Oct 18, 2009 at 11:38 AM, Marko Vojinovic  wrote:

> On Sunday 18 October 2009 15:18:29 Jonathan Moore wrote:
> > On Sun, Oct 18, 2009 at 8:58 AM, Marko Vojinovic  wrote:
> > > I imagine the following scenario: someone walks into my office building
> > > with a laptop (a colleague, a visitor, a guest, whoever), and hooks up
> > > onto the local net (wired or wireless). The server detects an unknown MAC
> > > address, issues a bogus dhcp lease which resolves all dns queries to a
> > > single internal web page with a form the user is supposed to fill in and
> > > send. After he does so, an administrator does a sanity check of the data
> > > the user provided, and grants or denies access. If access is granted, the
> > > user gets a new, unrestricted dhcp lease, which provides him with a
> > > normal access to local network.
> > >
> > > So what are my options?

You might find Netreg (http://netreg.sourceforge.net/) useful.  My
university uses it and it works quite well.

Matt

--
Mathew S. McCarrell
Clarkson University '10

mccar...@gmail.com
mccar...@clarkson.edu
1-518-314-9214


Re: [CentOS] [OT] DHCP auth&auth software

2009-10-18 Thread Marko Vojinovic
On Sunday 18 October 2009 15:18:29 Jonathan Moore wrote:
> On Sun, Oct 18, 2009 at 8:58 AM, Marko Vojinovic  wrote:
> > I imagine the following scenario: someone walks into my office building
> > with a laptop (a colleague, a visitor, a guest, whoever), and hooks up
> > onto the local net (wired or wireless). The server detects an unknown MAC
> > address, issues a bogus dhcp lease which resolves all dns queries to a
> > single internal web page with a form the user is supposed to fill in and
> > send. After he does so, an administrator does a sanity check of the data
> > the user provided, and grants or denies access. If access is granted, the
> > user gets a new, unrestricted dhcp lease, which provides him with a
> > normal access to local network.
> >
> > So what are my options?
> 
> Maybe a Network Access Control solution, either from a vendor such as Cisco
> or a "roll your own" with something like .

Ok, this looks promising, I'll give it a detailed look tomorrow. Thanks for 
the info! :-)

Best, :-)
Marko




Re: [CentOS] [OT] DHCP auth&auth software

2009-10-18 Thread Jonathan Moore
On Sun, Oct 18, 2009 at 8:58 AM, Marko Vojinovic  wrote:
---8<
> I imagine the following scenario: someone walks into my office building with a
> laptop (a colleague, a visitor, a guest, whoever), and hooks up onto the local
> net (wired or wireless). The server detects an unknown MAC address, issues a
> bogus dhcp lease which resolves all dns queries to a single internal web page
> with a form the user is supposed to fill in and send. After he does so, an
> administrator does a sanity check of the data the user provided, and grants or
> denies access. If access is granted, the user gets a new, unrestricted dhcp
> lease, which provides him with a normal access to local network.
--->8
> So what are my options?

Maybe a Network Access Control solution, either from a vendor such as Cisco
or a "roll your own" with something like .

The theory would be that clients are granted restricted access, then some checks
are made, and only if they pass are they given real access.  Wouldn't be too hard
to use a name somewhere in there to track WHO and not only WHAT is connecting.

-jonathan