DHCP Authentication howto ?

Tim Peiffer peiffer at umn.edu
Tue Sep 4 01:16:03 UTC 2007


I would agree that 802.1x is a layer 1 issue.  Once you add a person to 
the LAN past layer 1, then authentication is difficult... That is why we 
manage authentication outboard of the DHCP server.  It is just so easy 
to forge a MAC address, and just as easy to poke your own IP onto the 
subnet, that the MAC address security is really not security at all.  
Now what do you mean by authentication?  And would you authenticate a 
user based upon the MAC address credential, or do you just want to 
signal that the MAC is a known device?

We quarantine users with RFC 1918 space and very short leases, provide 
web page redirect to a registration server, and enforce the use of DHCP 
via DHCP snooping.  Once the user is authenticated, the MAC address is 
poked into a database that is used to generate 'blessed' devices.  The 
only thing we haven't figured out is when someone forges another MAC 
(blows a bit, or gets a duplicate from a NIC manufacturing run) and gets 
a DHCP address on another network.

The point is, you aren't authenticating anything.  If one were to drop 
the term 'authenticating' and then permit service to 'known clients' for 
any given business reason, that is different.

Now if you want to create a group of 'blessed' devices, please look at 
the dhcpd.conf man page under pools.  It gives you an example of how to 
create a pool with different addressing or just deny.  The only other 
thing you need to do is collect MAC addresses and submit them using the 
'host' definition.  We have been doing this for years and only had 
issues with the maintenance of the 'authorized MAC' list, how fast 
moves, adds and changes are inserted or deleted from the list.  
Ultimately we spent so much time stopping and reloading dhcpd to give fast 
service that this method became one of diminishing returns.

Tim Peiffer
Network Support Engineer
Networking and Telecommunications Services
University of Minnesota/Northern Lights GigaPOP


# A 'host' declaration whose hardware address matches the client makes it
# a "known client" for the allow/deny unknown-clients pool rules below.
host 0000aa59babb {
    hardware ethernet 00:00:AA:59:BA:BB;
}
man dhcpd.conf:
>       subnet 10.0.0.0 netmask 255.255.255.0 {
>          option routers 10.0.0.254;
>
>          # Unknown clients get this pool.
>          pool {
>            option domain-name-servers bogus.example.com;
>            max-lease-time 300;
>            range 10.0.0.200 10.0.0.253;
>            allow unknown-clients;
>          }
>
>          # Known clients get this pool.
>          pool {
>            option domain-name-servers ns1.example.com, ns2.example.com;
>            max-lease-time 28800;
>            range 10.0.0.5 10.0.0.199;
>            deny unknown-clients;
>          }
>        }



ip guy wrote:
> 802.1x would be a layer 1 issue, managing a school on a University 
> campus, that simply isn't an option at this point.
>
> On 8/31/07, Tim Peiffer <peiffer at umn.edu> wrote:
>
>     ip guy wrote:
>     > Hi all
>     >
>     > Can anyone point me to a DHCP Authentication howto ?
>     > We're running ISC DHCP allocating IPs to Windows hosts, so am
>     hoping it's
>     > possible to do what I'm after
>     >
>     > regards
>     >
>     >
>     Just say no.  Neither an IP address nor a MAC address is a
>     credential,
>     so no, there isn't a way to authenticate with DHCP.
>
>     Leave the job of providing IP addresses to DHCP, leave
>     authentication to
>     things like RADIUS.  Leave network admission control to 802.1x.
>
>
>     Regards,
>     Tim Peiffer
>     Network Support Engineer
>     Networking and Telecommunications Services
>     University of Minnesota/Northern Lights GigaPOP
>
>
>
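The maintenance pain Tim describes is the 'authorized MAC' list itself: every move, add or change has to become a correct 'host' declaration before dhcpd is restarted. The script below is an added example, not code from the thread or from ISC; it generates the 'host' include file for the known-clients pool from a plain text registry. The registry format, the file names and the sample entries are assumptions made for this example.

```python
"""
Added example (not from the mailing-list thread): generate the 'host'
declarations that mark registered MACs as known clients for ISC dhcpd,
from a simple text registry. File names, the registry format and the
sample data below are assumptions made for this example.
"""
import re
import sys

# Constructed sample registry: one "mac  owner/notes" per line.
SAMPLE_REGISTRATIONS = """\
# mac              owner / notes (constructed sample data)
00:00:AA:59:BA:BB  laptop, registered 2007-08-31
00-00-aa-59-ba-bc  desk workstation
0000.aa59.babd     printer
"""

_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Accept colon, dash, Cisco dotted or bare forms; return aa:bb:cc:dd:ee:ff.

    Anything that is not exactly 12 hex digits after removing separators is
    rejected, so a typo never becomes a silently wrong host entry.
    """
    digits = _SEPARATORS.sub("", raw).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_registrations(text):
    """Return {mac: owner}. Blank lines and '#' comments are ignored.

    The same MAC registered twice is an error rather than a silent overwrite,
    so moves/adds/changes to the list are caught before dhcpd is restarted.
    """
    registrations = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        mac = normalize_mac(fields[0])
        owner = fields[1].strip() if len(fields) > 1 else ""
        if mac in registrations:
            raise ValueError(
                f"line {lineno}: {mac} already registered ({registrations[mac]!r})"
            )
        registrations[mac] = owner
    return registrations


def host_name(mac):
    """Host declaration name in the style used in the thread: 0000aa59babb."""
    return mac.replace(":", "")


def render_hosts(registrations):
    """Render dhcpd.conf 'host' blocks; pull them in from dhcpd.conf with
    include "/etc/dhcp/registered-hosts.conf";  (the path is an assumption).

    Only the MAC, which normalize_mac() has validated, is emitted as syntax;
    the free-text owner field goes into a comment and cannot alter the config.
    """
    out = ["# Generated file; edit the registry, not this file."]
    for mac in sorted(registrations):
        out.append(f"host {host_name(mac)} {{")
        if registrations[mac]:
            out.append(f"    # {registrations[mac]}")
        out.append(f"    hardware ethernet {mac};")
        out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: gen_hosts.py [registry-file]   (defaults to the sample data)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REGISTRATIONS
    sys.stdout.write(render_hosts(parse_registrations(source)))
```

With the generated file included from dhcpd.conf, a client whose MAC matches one of these 'host' declarations is a known client and lands in the 'deny unknown-clients' pool from the man page example; everyone else gets the short-lease quarantine pool. Run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` on the result before restarting, because a malformed entry takes the whole server down. Note this does nothing about the restart cost itself: dhcpd reads host declarations at startup, so each change to the list still means a restart, which is exactly the diminishing return the post describes.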

