deny unknown users

A.L.M.Buxey at
Thu May 14 07:39:58 UTC 2009


> I need to deny unknown users who know our LAN IP address from logging in to our
> LAN.. anybody have a solution for this?

many ways - the best way is 802.1x which involves authentication
against the NAS (switch or wireless AP) via RADIUS - machines
are authenticated via either username/password or certificates
(or both!) - there is support for this in Windows (XP, Vista),
MacOSX 10.4 up, and Linux (via extra packages). Plenty of
PDAs and smartphones do it too.

another alternative is either using an out-of-band network
control system (usually known as network access control) - this
could be e.g. using SNMP traps and notifications to set the VLAN
on the port to a registration VLAN; the users then see a login page
which they must enter details into - after which, upon
successful auth, their port has its VLAN changed (VMPS can also
be used for this purpose on Cisco kit) - or it could be
via a 'bump in the wire' method - a captive portal (just
like many wifi hotspots do - i.e. although you've got an address,
it won't go anywhere until your system has passed the login).

not really DHCP related per se - and those last 2 systems
really rely on MAC address details - which, just like DHCP
being used as 'security', also have their weak spots.. pretty
much anyone can change their MAC address - no need for
any real intelligence, there's plenty of available tools,
free and paid for, that can do that for you. If these
people have worked out the valid addresses they might just
as easily suss that MAC address 00:10:ee:c0:ff:ee works on the
network and change their system accordingly.

good luck!
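As an added worked example (not part of the original post, and not any vendor's code): the RADIUS leg that 802.1x and the NAC designs above lean on, with both sides of the exchange run in-process. The NAS sends an Access-Request whose integrity is bound to the shared secret by a Message-Authenticator; the server checks that first, recovers the hidden User-Password, verifies it, and answers Access-Accept carrying the VLAN the port should be moved to; the NAS then verifies the Response Authenticator before acting on the reply. Real 802.1x carries EAP inside EAP-Message attributes rather than a User-Password, so this is the plain PAP form of the same packet flow. The shared secret, user store, NAS address and VLAN number are made up for the example.

```python
"""Constructed in-process RADIUS exchange: RFC 2865 packet/User-Password hiding, RFC 2869
Message-Authenticator, RFC 2868 tunnel attributes for VLAN assignment. No network I/O."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
USERS = {"alice": ("s3cret", "20")}  # constructed user store: name -> (password, VLAN id)

def _attrs(pairs):
    """Encode (type, value) pairs as TLVs; the length octet covers the 2-byte header too."""
    out = b""
    for t, v in pairs:
        out += struct.pack("!BB", t, len(v) + 2) + v   # struct raises if a value exceeds 253
    return out

def _parse_attrs(data):
    """Decode TLVs into (type, value, offset) triples, rejecting bad lengths."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2 or data[off + 1] < 2 or off + data[off + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[off], data[off + 2:off + data[off + 1]], off))
        off += data[off + 1]
    return out

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, xor each with MD5(secret + previous cipher block)."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the chained value is the previous *hidden* block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode()

def build_access_request(ident, secret, username, password, nas_ip):
    """NAS side. Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = _attrs([
        (USER_NAME, username.encode()), (USER_PASSWORD, hide_password(password, secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (MESSAGE_AUTHENTICATOR, b"\0" * 16),  # kept last so it can be patched in below
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
    return header + req_auth + attrs[:-16] + mac

def _reply(code, ident, req_auth, secret, pairs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = _attrs(pairs)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def handle_access_request(packet, secret):
    """Server side: integrity check first, then the credential, then the VLAN decision."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], packet[20:]
    triples = _parse_attrs(attrs)
    reject = _reply(ACCESS_REJECT, ident, req_auth, secret, [])
    macs = [(v, off) for t, v, off in triples if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        return reject  # policy here: no Message-Authenticator, no service
    got, off = macs[0]
    zeroed = attrs[:off + 2] + b"\0" * 16 + attrs[off + 18:]
    if not hmac.compare_digest(got, hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()):
        return reject  # tampered, forged, or sent under a different shared secret
    a = {t: v for t, v, _ in triples}
    entry = USERS.get(a[USER_NAME].decode(errors="replace")) if USER_NAME in a else None
    if entry is None or USER_PASSWORD not in a or not hmac.compare_digest(
            reveal_password(a[USER_PASSWORD], secret, req_auth).encode(), entry[0].encode()):
        return reject
    # RFC 2868: tag byte 0, Tunnel-Type VLAN (13), Tunnel-Medium-Type IEEE-802 (6), VLAN id string
    return _reply(ACCESS_ACCEPT, ident, req_auth, secret, [
        (TUNNEL_TYPE, b"\0" + (13).to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, b"\0" + (6).to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, b"\0" + entry[1].encode()),
    ])

def nas_check_reply(reply, request, secret):
    """NAS side: trust the reply only if its Response Authenticator binds it to our request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("reply does not match the outstanding request")
    if not hmac.compare_digest(reply[4:20], hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()):
        raise ValueError("bad Response Authenticator")
    a = {t: v for t, v, _ in _parse_attrs(reply[20:])}
    return code, (a[TUNNEL_PRIVATE_GROUP_ID][1:].decode() if TUNNEL_PRIVATE_GROUP_ID in a else None)

def authenticate(username, password, secret=b"constructed-shared-secret"):
    """One complete NAS <-> RADIUS round trip. Returns (reply code, VLAN id or None)."""
    request = build_access_request(7, secret, username, password, "192.0.2.10")
    return nas_check_reply(handle_access_request(request, secret), request, secret)
```

The contrast with the MAC-based approaches in the post is the point: the decision rests on a credential proven every session and on packets nobody can forge without the shared secret, so knowing a valid MAC or IP address buys an intruder nothing. The RADIUS integrity primitives are MD5-based, so the NAS-to-server leg still belongs on a management network or inside RadSec (RADIUS over TLS, RFC 6614), and the server should refuse requests that omit Message-Authenticator, as this one does.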


