information about authentication with DHCP server

Chris Cox chris_cox at stercomm.com
Tue Jun 10 15:05:53 UTC 2008


On Wed, 2008-06-11 at 00:30 +1000, Glenn Satchell wrote:
> Using MAC address filters for Wireless Access Points is, IMHO, a
> complete waste of time. It is trivial to snoop for wireless packets and
> grab a MAC address that works from an existing client. But that's
> pretty much outside the scope of discussion on this list.

While true, MAC filtering is a valid security tool.
The only way to be absolutely secure is to disable the
wireless.... cut the wire.... etc.

So I don't think it's "outside" of what this list is about.  Discussion
of security issues around dhcp and some of the supporting technologies
that might be sitting on top of dhcp.... all of it matters.  It's
too hard to be narrowly focused on just one element anymore.

I think MAC registration on a network (be it via DHCP or beyond)
is a good idea in general.  But, as with everything, due to
scalability or whatever, each site has to determine what
elements in their security arsenals they need to deploy...
but even so, it's all pretty fragile.

> 
> regards,
> -glenn
> 
> >From: "Barr Hibbs" <rbhibbs at pacbell.net>
> >To: <dhcp-users at isc.org>
> >Subject: RE: information about authentication with DHCP server
> >Date: Mon, 9 Jun 2008 17:02:35 -0700
> >
> >Werner--
> >
> >as far as I know, there are NO implementations of DHCP Authentication,
> >despite it being defined with a relatively mature RFC (in the sense that
> >after an initial flurry of discussion, there were no updates offered,
> >suggesting that (1) the RFC was solid as written, or (2) no one cared about
> >implementations).  As with any authentication system, the principal problem
> >is key distribution, and no scalable method was ever offered to support
> >client Authentication.
> >
> >Many organizations authenticate *USERS* through RADIUS, which is
> >significantly easier to scale, while some substitute Wireless Access Point
> >and Router client MAC address filters for *CLIENT* authentication.  The
> >former is an established, mature protocol for user authentication and has
> >many implementations and management tools.  Managing client MAC address
> >filters for Wireless Access Points and Routers has an even worse scalability
> >problem than simple key distribution to a client, although I have heard
> >admins boast (or complain?) that they were using it in their networks.
> >
> >I am curious what you learn in your investigations.
> >
> >--Barr
> >
> >  -----Original Message-----
> >  From: dhcp-users-bounce at isc.org [mailto:dhcp-users-bounce at isc.org]On
> >Behalf Of Werner Otto
> >  Sent: Sunday, June 08, 2008 00:59
> >  To: dhcp-users at isc.org
> >  Subject: Re: information about authentification with DHCP server
> >
> >
> >  Have you managed to get an answer to your question? I've been trying to do
> >something similar; there are a number of ways to approach the problem.
> >
> >
> >  2008/4/18 hermann renombapropre <renombahermann at yahoo.fr>:
> >
> >    dear all
> >
> >    I am a student and would like to know if it is possible to make a dhcp
> >client authentication before the allocation of IP addresses. If possible, can
> >you tell me how to do it?
> >
> >    sincerely.
> >
> >
> >
> >
> >
> >  --
> >  Kind Regards
> >  Werner Otto
> >  +44 782 846 5076 (M)
> >  +44 203 132 4368 (H)
> 
> 

