Re: new to freeradius, securing LAN

2009-05-29 Thread Arran Cudbard-Bell

On 29/5/09 16:23, pkc_mls wrote:

ldap.lippogeneral.com wrote:


But how, if they can manually configure an interface on their PC and
completely bypass our DHCP server..


This is typically why you'd like to set up authentication, so that
physical access to your switch port is not sufficient to get access to
your network.

Please check if your network devices can do 802.1x, then try the
authentication you'd like.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


With switches that support MAC-based authentication and/or 802.1X authentication, and a port which has MAC/802.1X authentication enabled, when the client physically connects the port will transition to a 'closed' state.

Whilst the port is in a closed state, the switch will drop any packets received on that port, until the switch has authenticated the user against a RADIUS server. If the RADIUS server authorizes the client to connect, the port will 'open' and allow packets to be forwarded. If the RADIUS server does not authorize the user, then the port will remain closed and packets will continue to be dropped.


All port based authentication occurs before the client has acquired an IP 
address.

Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

Re: new to freeradius, securing LAN

2009-05-29 Thread pkc_mls

ldap.lippogeneral.com wrote:


But how, if they can manually configure an interface on their PC and 
completely bypass our DHCP server..


This is typically why you'd like to set up authentication, so that
physical access to your switch port is not sufficient to get access to
your network.

Please check if your network devices can do 802.1x, then try the
authentication you'd like.




Re: new to freeradius, securing LAN

2009-05-29 Thread ldap.lippogeneral.com



So you mean it's better to avoid them physically? ;<(


No, he means you should do proper authentication (username/password, not
MAC). If your equipment doesn't support 802.1x, set up a PPPoE server. Have
it do authentication before DHCP hands them an IP.




But how, if they can manually configure an interface on their PC and 
completely bypass our DHCP server..






Re: new to freeradius, securing LAN

2009-05-29 Thread Ivan Kalik
>
> So you mean it's better to avoid them physically? ;<(
>

No, he means you should do proper authentication (username/password, not
MAC). If your equipment doesn't support 802.1x, set up a PPPoE server. Have
it do authentication before DHCP hands them an IP.

Ivan Kalik
Kalik Informatika ISP



Re: new to freeradius, securing LAN

2009-05-29 Thread ldap.lippogeneral.com


So you mean it's better to avoid them physically? ;<(




- Original Message - 
From: "pkc_mls" 

To: "FreeRadius users mailing list" 
Sent: Friday, May 29, 2009 2:33 PM
Subject: Re: new to freeradius, securing LAN



ldap.lippogeneral.com wrote:

Hello All,

I am very new to FreeRadius. Some of our users already know our LAN IPs,
so they can manually configure an interface on their PC and completely
bypass our DHCP server. Can I solve this by using FreeRadius?
I thought this could be done by checking the MAC address, so although they
use a valid IP address, if their MAC address is not recognized by our server
then they must be denied and cannot go anywhere or do anything in our LAN.


I need advice.

Hi,

The problem is not really linked with RADIUS, but let's try to propose some
directions anyway.
Most recent switches offer VLAN assignment based on port or
MAC address. Check if your switches can do this.

RADIUS can be used to authenticate a device (in your case, a PC) with
information like a MAC address or a certificate.

So you can also do some MAC-based authentication, but keep in mind that
changing a MAC address is as easy as setting a static LAN IP on a PC, so
it's definitely not enough if you wish to avoid what you described above.

Hope this helps.

many thanks in advance





Re: new to freeradius, securing LAN

2009-05-29 Thread pkc_mls

ldap.lippogeneral.com wrote:

Hello All,

I am very new to FreeRadius. Some of our users already know our LAN
IPs, so they can manually configure an interface on their PC and
completely bypass our DHCP server. Can I solve this by using FreeRadius?

I thought this could be done by checking the MAC address, so although
they use a valid IP address, if their MAC address is not recognized by
our server then they must be denied and cannot go anywhere or do
anything in our LAN.


I need advice.

Hi,

The problem is not really linked with RADIUS, but let's try to propose some
directions anyway.
Most recent switches offer VLAN assignment based on port or
MAC address. Check if your switches can do this.

RADIUS can be used to authenticate a device (in your case, a PC) with
information like a MAC address or a certificate.

So you can also do some MAC-based authentication, but keep in mind that
changing a MAC address is as easy as setting a static LAN IP on a PC, so
it's definitely not enough if you wish to avoid what you described above.

Hope this helps.

many thanks in advance



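As an added example (not code from the thread, from FreeRADIUS or from any switch vendor), a small Python model of the two points made in this thread: Arran's description of a port that stays closed and drops every frame until the RADIUS server accepts, and re-closes on link-down, and pkc_mls's warning that a MAC-only check is not enough. The usernames, passwords and MAC addresses are constructed for the demo.

```python
# Added model of the port gating described in the thread (not FreeRADIUS or
# switch code). Credentials and the MAC allow-list below are constructed.
from dataclasses import dataclass

USERS = {"alice": "correct-horse-battery"}   # constructed 802.1X credentials
ALLOWED_MACS = {"00:11:22:33:44:55"}         # constructed MAC allow-list

@dataclass
class Port:
    """A switch port with 802.1X/MAC auth enabled: it comes up 'closed' and
    forwards nothing until RADIUS returns Access-Accept for this port."""
    number: int
    authorized: bool = False

    def link_up(self) -> None:
        self.authorized = False              # every (re)connect starts closed

    def deliver(self, src_mac: str, src_ip: str) -> bool:
        # True = forwarded, False = dropped. Neither MAC nor IP of the frame is
        # consulted here: a hand-configured valid LAN IP changes nothing.
        return self.authorized

def radius_auth_8021x(port: Port, username: str, password: str) -> bool:
    # Switch relays the supplicant's credential in an Access-Request;
    # Access-Accept opens the port, Access-Reject leaves it closed.
    port.authorized = USERS.get(username) == password
    return port.authorized

def radius_auth_mac(port: Port, mac: str) -> bool:
    # MAC-based auth: the client MAC is the only thing checked, which is why
    # pkc_mls calls it insufficient (a MAC is as easy to set as a static IP).
    port.authorized = mac in ALLOWED_MACS
    return port.authorized

def demo() -> dict:
    r = {}
    p = Port(3)
    p.link_up()
    mac, ip = "aa:bb:cc:dd:ee:ff", "192.168.1.50"        # constructed client
    r["static_ip_before_auth"] = p.deliver(mac, ip)      # dropped
    r["wrong_password"] = radius_auth_8021x(p, "alice", "guess")
    r["after_reject"] = p.deliver(mac, ip)               # still dropped
    r["right_password"] = radius_auth_8021x(p, "alice", "correct-horse-battery")
    r["after_accept"] = p.deliver(mac, ip)               # forwarded; DHCP can run now
    p.link_up()                                          # cable pulled and replugged
    r["after_relink"] = p.deliver(mac, ip)               # closed again
    q = Port(4)
    q.link_up()
    r["mac_only"] = radius_auth_mac(q, "00:11:22:33:44:55")  # accepted on MAC alone
    return r
```

The last entry is the point of pkc_mls's caveat: the MAC-only path opens the port for whichever client presents a listed address, whereas the 802.1X path requires a credential the RADIUS server can actually verify.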


new to freeradius, securing LAN

2009-05-28 Thread ldap.lippogeneral.com

Hello All,

I am very new to FreeRadius. Some of our users already know our LAN IPs, so
they can manually configure an interface on their PC and completely bypass our
DHCP server. Can I solve this by using FreeRadius?

I thought this could be done by checking the MAC address, so although they use
a valid IP address, if their MAC address is not recognized by our server then
they must be denied and cannot go anywhere or do anything in our
LAN.

I need advice.

many thanks in advance
