RE: Forced DHCP setup
Hello!

On Wed, 30-10-2002 at 15:59, C. R. Oldham wrote:
...
> It is possible, in hotels that have broadband in rooms, and on some
> university campuses I've been to they have a DHCP server setup to serve
> addresses from a private block. On that network there is a webserver
...
>
> Sorry, I don't know of any opensource packages to do this, but it
> shouldn't be too hard.

Last week I sneaked through an announcement of an OpenSource "authentication server", which seems to do just this. However, I'm not very helpful, because I cannot remember exactly what its name was ...

coming back to the original question:

> Of course, unless you setup your routers to block packets based on MAC
> address this won't prevent someone from "guessing" a valid IP and
> setting it up static.
...

At UNI we will be using IRM to register MAC/IP/hostnames and use a script (I think it is some lines of perl) to create the dhcpd.conf and tinydns-data files for DHCP and DNS. Of course, iptables rules should be easy to create (as well as bind zone-files) too.

This way, we just register a new computer's MAC, its user and hostname and assign it an IP number. Rest will be pushed into the systems configuration. However this does not tie a user to his/her computer...

Best Regards,

Jorge-León

P.S.: If you ask for the scripts, you'll have to contribute! They are just not there by now...

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
[RE: Forced DHCP setup]
----- Forwarded message from "C. R. Oldham" <[EMAIL PROTECTED]> -----

Subject: RE: Forced DHCP setup
Date: Wed, 30 Oct 2002 14:59:50 -0700

> I don't believe it's possible to have a user log in to get an IP.

It is possible, in hotels that have broadband in rooms, and on some university campuses I've been to they have a DHCP server setup to serve addresses from a private block. On that network there is a webserver setup to intercept any http request coming from a client in the private block and redirect the user to a page where he/she has to login. On login a cgi (or some such) makes a change in the DHCP database to allocate the user a "real" IP. The user gets instructions on the ensuing webpage to do a release/renew and boom they are setup.

A lot of hotels and public areas use a box from Nomadix that will accept ANY ip that a client has, even duplicates, and allow the client to maintain the ip that's set. This is particularly excellent when Joe Traveller plugs into the wall outlet with his laptop from the office that's configured for 172.16.104.12/24 and the hotel uses 192.168.34.0/20 for its normal DHCP range. These Nomadix boxes do nearly all their work based on MAC address and don't really care what ip anyone has. Same for DNS queries, it sees a DNS query anywhere on the network? It answers. Sending mail? Port 25 gets pushed through the Nomadix too. It's all at the MAC layer for those devices.

That would be a great way to make what you want work, is at the MAC layer instead of the IP layer. Of course, it's a lot more work as it's less common, but I think someone mentioned NoCatAuth in the thread - pursue that - it might be helpful. The Nomadix info is proprietary and not Open Source can't use that.

HTH

j
RE: Forced DHCP setup
NoCatAuth (nocat.net) does exactly this. Although I think NoCat is designed with wireless in mind. Not sure if it works with normal wired network cards, but I can't see any reason why it wouldn't.

On Wed, 30 Oct 2002, C. R. Oldham wrote:

> > I don't believe it's possible to have a user log in to get an IP.
>
> It is possible, in hotels that have broadband in rooms, and on some
> university campuses I've been to they have a DHCP server setup to serve
> addresses from a private block. On that network there is a webserver
> setup to intercept any http request coming from a client in the private
> block and redirect the user to a page where he/she has to login. On
> login a cgi (or some such) makes a change in the DHCP database to
> allocate the user a "real" IP. The user gets instructions on the
> ensuing webpage to do a release/renew and boom they are setup.
>
> Sorry, I don't know of any opensource packages to do this, but it
> shouldn't be too hard.
>
> Of course, unless you setup your routers to block packets based on MAC
> address this won't prevent someone from "guessing" a valid IP and
> setting it up static.
>
> --
> C. R. Oldham
> Director of Technology
> NCA CASI
Re: Forced DHCP setup
Alex,

I suppose you could parse your leases file and create your firewall's ruleset from that. I know that it's possible to have DHCP notify a DDNS server to update its records so maybe it would be possible to have the DHCP server update a firewall ruleset on the fly.

Of course, that doesn't stop someone from setting their own IP to that of another user. Joe Average Windows user won't know how but it's not very strong security.

Other than that, you could try setting up a proxy forwarding requests to a login page as another poster suggested but that may be _too_ cumbersome for an ISP.

Regards,

Kourosh

On Wed, Oct 30, 2002 at 03:55:45PM -0600, Alex Borges (lex) wrote:
> Tx for the fast response:)...
>
> Now, i know i can assign static ip's through macs and i already have
> some ways to collect all macs from everybody, no problem. The thing is,
> what if the user changes his ip address? How can i ensure that, if
> you dont have a lease in dhcp (if you didnt get it from dhcp) then youre
> blocked.
>
> Im a checking the mans of course tx a lot ...
>
> Lex
>
> On Wed, 30-10-2002 at 15:57, Kourosh wrote:
> > On Wed, Oct 30, 2002 at 03:39:01PM -0600, Alex Borges (lex) wrote:
> > > Hey... I want to tie up users to ip addresses and machines. This way i
> > > can easily mangle bandwidth, squid acls and lots of stuff through my
> > > woody box
> > >
> > > So im thinking maybe the solution is to force users to obtain ip's from
> > > dhcp and, if users take an ip for which they have no lease, block them
> > > with iptables or something...
> > >
> > > Im thinking this is probably an old trick so im asking here for pointers
> > > and stuff as i parallely STFW for this setup... ne ideas?
> > >
> > > --
> > > Alex (Lex) Borges
> > > Software Engineer
> > > Step One Group
> > > www.sogrp.com
> >
> > Alex,
> >
> > It is possible to set up DHCP so that a client always gets the same IP address
> > by using its MAC address. If you set up DHCP to only have reserved IP's using
> > the MAC address and no other IP pool then they can't pick up any other address.
> >
> > Of course, someone can spoof a MAC and they can still set up their system with
> > a fixed IP but casual users generally don't know how.
> >
> > It does require that you know their MAC address they can then only use that
> > particular NIC unless you make the change.
> >
> > Man dhcpd.conf for more details.
> >
> > Many universities and some ISPs do this.
> >
> > I don't believe it's possible to have a user log in to get an IP.
> >
> > Hope this helps.
> >
> > Kourosh
> --
> Alex (Lex) Borges
> Software Engineer
> Step One Group
> www.sogrp.com
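
The suggestion above of building the firewall ruleset from the leases file, sketched as an added example that is not part of the original thread. It assumes the ISC dhcpd.leases text format, a constructed sample file, and a dedicated chain with the hypothetical name DHCP_OK whose last rule drops everything else; as the message says, a MAC match does not stop a client that copies another user's IP and MAC.

```python
import re
from datetime import datetime, timezone

# Constructed sample in ISC dhcpd.leases syntax; addresses and MACs are invented.
SAMPLE_LEASES = """\
lease 192.168.34.10 {
  ends 3 2002/10/30 21:00:00;
  binding state free;
  hardware ethernet 00:10:5a:00:00:01;
}
lease 192.168.34.11 {
  ends 3 2002/10/30 23:30:00;
  binding state active;
  hardware ethernet 00:10:5a:00:00:02;
}
lease 192.168.34.10 {
  ends 3 2002/10/30 23:45:00;
  binding state active;
  hardware ethernet 00:10:5a:00:00:03;
}
lease 192.168.34.12 {
  ends 3 2002/10/30 20:00:00;
  binding state active;
  hardware ethernet 00:10:5a:00:00:04;
}
"""

LEASE_RE = re.compile(r"^lease\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\{(.*?)^\}", re.S | re.M)
ENDS_RE = re.compile(r"^\s*ends\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);", re.M)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)
MAC_RE = re.compile(r"^\s*hardware ethernet\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2});", re.M | re.I)


def active_leases(text, now):
    """Return {ip: mac} for leases that are active and unexpired at `now` (UTC)."""
    latest = {}
    for ip, body in LEASE_RE.findall(text):
        latest[ip] = body  # the file is an append-only log: the last entry per IP wins
    leases = {}
    for ip, body in latest.items():
        ends, state, mac = ENDS_RE.search(body), STATE_RE.search(body), MAC_RE.search(body)
        if not (ends and mac):
            continue  # no dated expiry or no hardware address: never allow
        if state and state.group(1).lower() != "active":
            continue
        expiry = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if expiry > now:
            leases[ip] = mac.group(1).lower()
    return leases


def rule_updates(allowed, leases, chain="DHCP_OK"):
    """Commands that move `chain` from the `allowed` map to the `leases` map."""
    match = "-s {} -m mac --mac-source {} -j ACCEPT"
    stale = [(ip, mac) for ip, mac in sorted(allowed.items()) if leases.get(ip) != mac]
    fresh = [(ip, mac) for ip, mac in sorted(leases.items()) if allowed.get(ip) != mac]
    # Delete stale pairs first so a reassigned IP never matches two MACs at once;
    # -I inserts at the top of the chain, ahead of its final drop rule.
    return ([f"iptables -D {chain} " + match.format(*p) for p in stale] +
            [f"iptables -I {chain} " + match.format(*p) for p in fresh])


if __name__ == "__main__":
    now = datetime(2002, 10, 30, 22, 0, tzinfo=timezone.utc)
    current = {"192.168.34.10": "00:10:5a:00:00:01", "192.168.34.12": "00:10:5a:00:00:04"}
    for cmd in rule_updates(current, active_leases(SAMPLE_LEASES, now)):
        print(cmd)
```
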
Re: Forced DHCP setup
Mangling around and all, maybe its good to discuss this idea here...

1.- Suppose i give you a list of mac addresses and the assigned ips they should have

2.- If one makes that assumption, u guys think this would be a good way to go at it (admin wise, maintainership...etc.):

a) Make a script that generates dhcpd3.conf

b) Make a script that generates iptables commands like:

    iptables -A INPUT -s $IP_USER -m mac --mac-source $MAC_USER -j ACCEPT
    #all others reject

c) Have your squid rules reflect the change:

    #dont remember, but squid blocks by mac
    acl accepted_macs arp $MAC_USER1 ... $MAC_USER_N
    acl accepted_ips src $IP_USER1 ... $IP_USER_N
    http_access allow auth_pam accepted_macs accepted_ips
    http_access deny all

Mhm... not sure if squid works that way but u get the idea

it looks horrible from the admin POV, maybe u guys can think of a better way...

On Wed, 30-10-2002 at 15:39, Alex Borges (lex) wrote:
> Hey... I want to tie up users to ip addresses and machines. This way i
> can easily mangle bandwidth, squid acls and lots of stuff through my
> woody box
>
> So im thinking maybe the solution is to force users to obtain ip's from
> dhcp and, if users take an ip for which they have no lease, block them
> with iptables or something...
>
> Im thinking this is probably an old trick so im asking here for pointers
> and stuff as i parallely STFW for this setup... ne ideas?
>
> --
> Alex (Lex) Borges
> Software Engineer
> Step One Group
> www.sogrp.com

--
Alex (Lex) Borges
Software Engineer
Step One Group
www.sogrp.com
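
Steps a) and b) of the proposal above, sketched as an added example that is not code from the thread. The registry entries, the subnet and the function names are assumptions made for the illustration; the registry is validated first because its values are written into a config file and onto a root command line.

```python
import ipaddress
import re

# Constructed registry of (hostname, MAC, IP); every value is invented.
REGISTRY = [
    ("lab-pc1", "00-10-5A-00-00-01", "192.168.34.10"),
    ("lab-pc2", "00:10:5a:00:00:02", "192.168.34.11"),
]
SUBNET = ipaddress.ip_network("192.168.32.0/20")  # assumed client subnet

HOST_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def normalise(registry, subnet=SUBNET):
    """Validate the registry and return (host, mac, ip) tuples sorted by IP.

    Anything that is not a plain hostname, a MAC or an in-subnet address is
    rejected, as is any hostname, MAC or IP that appears twice.
    """
    hosts, macs, ips, clean = set(), set(), set(), []
    for host, mac, ip in registry:
        mac = mac.strip().lower().replace("-", ":")
        addr = ipaddress.ip_address(ip.strip())  # ValueError on bad input
        if not HOST_RE.fullmatch(host):
            raise ValueError(f"bad hostname: {host!r}")
        if not MAC_RE.fullmatch(mac):
            raise ValueError(f"bad MAC: {mac!r}")
        if addr not in subnet:
            raise ValueError(f"{addr} is outside {subnet}")
        if host in hosts or mac in macs or addr in ips:
            raise ValueError(f"duplicate host, MAC or IP: {host} {mac} {addr}")
        hosts.add(host)
        macs.add(mac)
        ips.add(addr)
        clean.append((host, mac, addr))
    return sorted(clean, key=lambda entry: entry[2])


def dhcpd_conf(entries, subnet=SUBNET):
    """Reservations only: the subnet has no range, so there is no free pool."""
    out = [f"subnet {subnet.network_address} netmask {subnet.netmask} {{", "}"]
    for host, mac, addr in entries:
        out += [f"host {host} {{",
                f"  hardware ethernet {mac};",
                f"  fixed-address {addr};",
                "}"]
    return "\n".join(out) + "\n"


def iptables_rules(entries, subnet=SUBNET, chain="INPUT"):
    """Accept each registered IP+MAC pair, then reject the rest of the subnet."""
    rules = [f"iptables -A {chain} -s {addr} -m mac --mac-source {mac} -j ACCEPT"
             for _, mac, addr in entries]
    rules.append(f"iptables -A {chain} -s {subnet} -j REJECT")
    return rules


if __name__ == "__main__":
    entries = normalise(REGISTRY)
    print(dhcpd_conf(entries))
    print("\n".join(iptables_rules(entries)))
```
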
RE: Forced DHCP setup
Telus' entire ADSL setup across Western Canada requires you to "login" and register your MAC address or you don't get a valid IP...

At 01:59 PM 10/30/02, you wrote:

> I don't believe it's possible to have a user log in to get an IP.

It is possible, in hotels that have broadband in rooms, and on some university campuses I've been to they have a DHCP server setup to serve addresses from a private block. On that network there is a webserver setup to intercept any http request coming from a client in the private block and redirect the user to a page where he/she has to login. On login a cgi (or some such) makes a change in the DHCP database to allocate the user a "real" IP. The user gets instructions on the ensuing webpage to do a release/renew and boom they are setup.

Sorry, I don't know of any opensource packages to do this, but it shouldn't be too hard.

Of course, unless you setup your routers to block packets based on MAC address this won't prevent someone from "guessing" a valid IP and setting it up static.
RE: Forced DHCP setup
> I don't believe it's possible to have a user log in to get an IP.

It is possible, in hotels that have broadband in rooms, and on some university campuses I've been to they have a DHCP server setup to serve addresses from a private block. On that network there is a webserver setup to intercept any http request coming from a client in the private block and redirect the user to a page where he/she has to login. On login a cgi (or some such) makes a change in the DHCP database to allocate the user a "real" IP. The user gets instructions on the ensuing webpage to do a release/renew and boom they are setup.

Sorry, I don't know of any opensource packages to do this, but it shouldn't be too hard.

Of course, unless you setup your routers to block packets based on MAC address this won't prevent someone from "guessing" a valid IP and setting it up static.

--
C. R. Oldham
Director of Technology
NCA CASI
Re: Forced DHCP setup
On Wed, Oct 30, 2002 at 03:39:01PM -0600, Alex Borges (lex) wrote:
> Hey... I want to tie up users to ip addresses and machines. This way i
> can easily mangle bandwidth, squid acls and lots of stuff through my
> woody box
>
> So im thinking maybe the solution is to force users to obtain ip's from
> dhcp and, if users take an ip for which they have no lease, block them
> with iptables or something...
>
> Im thinking this is probably an old trick so im asking here for pointers
> and stuff as i parallely STFW for this setup... ne ideas?
>
> --
> Alex (Lex) Borges
> Software Engineer
> Step One Group
> www.sogrp.com

Alex,

It is possible to set up DHCP so that a client always gets the same IP address by using its MAC address. If you set up DHCP to only have reserved IP's using the MAC address and no other IP pool then they can't pick up any other address.

Of course, someone can spoof a MAC and they can still set up their system with a fixed IP but casual users generally don't know how.

It does require that you know their MAC address they can then only use that particular NIC unless you make the change.

Man dhcpd.conf for more details.

Many universities and some ISPs do this.

I don't believe it's possible to have a user log in to get an IP.

Hope this helps.

Kourosh