DHCP with RADIUS MAC Authentication

Randall C Grimshaw rgrimsha at syr.edu
Mon Nov 30 18:31:25 UTC 2009


>The security is not so important for us with the DHCP, because the
>technologies behind are especially 5ghz Alvarion Wireless, which is yet
>secured (SSID, WPA encryption, proprietary wireless protocol...).

If these protocols are using supplicants to a managed authentication backend... if the authentication came from RADIUS, there will be a RADIUS accounting log being returned to your RADIUS server from the access controller. There is very useful data in RADIUS accounting logs.

Randy

-----Original Message-----
From: dhcp-users-bounces at lists.isc.org [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Julien TURELLO
Sent: Monday, November 30, 2009 11:18 AM
To: 'Users of ISC DHCP'
Subject: RE: DHCP with RADIUS MAC Authentication 

Thank you for your responses.

I know MAC addresses can easily be spoofed, but the goal is especially to
have a uniform platform, technology independent, for authentication and
accounting.

Now we have customers connected on many technologies, authenticating and
accounting on one RADIUS server, and we don't want to complicate this
architecture again...

The security is not so important for us with the DHCP, because the
technologies behind are especially 5ghz Alvarion Wireless, which is yet
secured (SSID, WPA encryption, proprietary wireless protocol...).

Much of our IT is based on our RADIUS server (billing, automatically
add/delete or enable/disable users, volume usage statistics, etc.), so it
would save us a lot of time using the same architecture...  And another
important thing is the capability to keep a trace of IP addresses for possible
police needs (very often!).

I've got Cisco routers and Mikrotik routers which can do that, but I don't
know how to manage Shared Network in the Cisco DHCP server, and in the
Mikrotik one there is no RADIUS accounting, just authentication...

I know that some Linux/Unix commercial appliances can do DHCP with RADIUS MAC
authentication, so maybe a RADIUS client compatible with ISC DHCP exists?

Julien TURELLO
Numeo
Tel: 06.68.60.30.32



-----Original Message-----
From: dhcp-users-bounces at lists.isc.org
[mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of John Hascall
Sent: Friday, November 27, 2009 20:39
To: Users of ISC DHCP
Subject: Re: DHCP with RADIUS MAC Authentication



| We are an ISP providing access on many technologies (WiFi, Wimax, xDSL,
| FTTH...). 
| 
| In most cases we use PPPoE servers, but we have recently migrated some of
| our networks on an ISC DHCP server.
| 
| Everything works great but I have to authenticate each CPE by MAC Address (I
| already have a RADIUS server working well) before offering a lease.
| 
| I don't find any radius client for RedHat, CentOs or Fedora which could be
| able to do that...
| 
| Is there any way to make this work?
| Julien TURELLO

> DHCP is not an authentication mechanism, as the MAC address can easily be
> spoofed.  But if you're looking to hand out addresses to just those with
> certain MAC addresses (as presented, unverified, to your DHCP server), you
> can use no "host" statements along with a "deny unknown".
> Frank

I believe the OP is asking about something like this:
  http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-00
  http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-01
  http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-02
  http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03
  http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-04
  http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-05
  http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-06
   (the last one is the latest version)
but I have no idea what its current status is, and it certainly
isn't in any ISC DHCPD that I'm aware of.

John
-------------------------------------------------------------------------------
John Hascall, john at iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology

_______________________________________________
dhcp-users mailing list
dhcp-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users
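
Added example, not part of the original thread: a sketch of how RADIUS accounting records like those mentioned above can answer which MAC address held an IP address at a given time. The log layout and sample records are constructed, and it assumes the access controller reports the client MAC in Calling-Station-Id and the address in Framed-IP-Address.

```python
# Constructed sample: standard RADIUS accounting attributes (RFC 2866) in a
# simplified "Attribute = value" layout, one blank-line-separated record each.
SAMPLE_LOG = """\
Acct-Status-Type = Start
Acct-Session-Id = "s-0001"
Calling-Station-Id = "00-11-22-33-44-55"
Framed-IP-Address = 192.0.2.10
Event-Timestamp = 1259575200

Acct-Status-Type = Stop
Acct-Session-Id = "s-0001"
Calling-Station-Id = "00-11-22-33-44-55"
Framed-IP-Address = 192.0.2.10
Event-Timestamp = 1259578800

Acct-Status-Type = Start
Acct-Session-Id = "s-0002"
Calling-Station-Id = "66-77-88-99-AA-BB"
Framed-IP-Address = 192.0.2.10
Event-Timestamp = 1259580000
"""

def parse_records(text):
    """Return one dict of attributes per blank-line-separated record."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (ln.split("=", 1) for ln in block.splitlines() if "=" in ln)
        records.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return records

def build_sessions(records):
    """Pair Start/Stop on Acct-Session-Id; no Stop yet means stop=None."""
    sessions = {}
    for r in records:
        sid, ts = r["Acct-Session-Id"], int(r["Event-Timestamp"])
        if r["Acct-Status-Type"] == "Start":
            # Assumption: Calling-Station-Id carries the client MAC address.
            mac = r["Calling-Station-Id"].replace("-", ":").lower()
            sessions[sid] = {"mac": mac, "ip": r["Framed-IP-Address"],
                             "start": ts, "stop": None}
        elif r["Acct-Status-Type"] == "Stop" and sid in sessions:
            sessions[sid]["stop"] = ts
    return list(sessions.values())

def who_had_ip(sessions, ip, epoch):
    """MACs whose session held `ip` at Unix time `epoch` (open sessions count)."""
    return [s["mac"] for s in sessions if s["ip"] == ip and s["start"] <= epoch
            and (s["stop"] is None or epoch <= s["stop"])]
```

The same IP address maps to different MAC addresses at different times, so any lookup has to be keyed on both the address and the timestamp; the MAC itself remains an unverified client-supplied value.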
