LinuxQuestions.org
Old 02-02-2005, 01:54 PM   #1
oddo
Member
 
Registered: Sep 2003
Location: Bucharest
Distribution: Slackware *.*
Posts: 34

Rep: Reputation: 15
LAN authentication


I'd like to get some suggestions/solutions to the following problem:

1. Medium/large educational LAN (~1000 workstations, likely not to be trusted)
2. Everybody who is registered should have access to the internet, the others should not (they can access the local area network because they have a connected cable in their rooms)
3. At this moment there is some authentication mechanism based on IP/MAC matching (iptables), but some users complain that they very often see a "duplicate IP on the network" error... so some of them are trying to pass this filter. (It's very easy to get a valid match from the network: take that host down or wait for it to be offline...)

I thought about a transparent proxy, but this isn't a solution for other applications (like P2P clients).
I am also thinking of some kind of ssh-key based authentication to the gateway that, if it's successful, adds the appropriate iptables rule, or something like this.

So... does anyone have a suggestion/solution for how this authentication mechanism should look?

TNX in advance
 
Old 02-03-2005, 07:03 AM   #2
zsoltrenyi
Member
 
Registered: May 2004
Distribution: redhat, trustix, debian
Posts: 103

Rep: Reputation: 15
Your users can bypass -m --mac-source matches?
 
Old 02-03-2005, 11:29 AM   #3
oddo
Member
 
Registered: Sep 2003
Location: Bucharest
Distribution: Slackware *.*
Posts: 34

Original Poster
Rep: Reputation: 15
If the IP/MAC pair is not valid they can't. The problem is that a valid pair can be obtained from the network (another host) with little effort, and this is the way they can pass the filter (waiting for the legitimate host to shut down, or taking it down).
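The two mechanisms this thread discusses, the IP/MAC pairing the filter uses today (posts #2 and #3) and the ssh-key gated rule proposed in the first post, written out as an added shell example; this is not code from the thread or from any of the posters. It assumes a Linux gateway with the LAN on eth0 and the uplink on eth1, a FORWARD policy of DROP, a registry of IP/MAC pairs (a constructed sample is embedded), and that sshd runs gate_session as a ForceCommand at a hypothetical path. Set IPT=echo to print the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways to gate internet access on a
# Linux gateway (LAN on eth0, uplink on eth1, FORWARD policy DROP; all assumed):
#  1. pair_rules: the static IP/MAC pairing from posts #2 and #3, built from a
#     registry with -m mac --mac-source;
#  2. gate_session: the ssh-key idea from post #1, run by sshd as a ForceCommand
#     (hypothetical path /usr/local/sbin/lan-gate), which opens a rule for the
#     connecting address only while the key-authenticated session stays up.
# Set IPT=echo to dry-run the iptables calls.

IPT="${IPT:-iptables}"
LAN=eth0
WAN=eth1

# Constructed sample registry: one "ip mac" pair per line, '#' lines are comments.
REGISTRY='# ip          mac
10.1.2.10     00:11:22:33:44:55
10.1.2.11     00:11:22:33:44:66
10.1.2.99     zz:11:22:33:44:77
'

# Accept only a dotted quad with octets 0-255; nothing else may reach iptables.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Six colon-separated hex bytes, case-insensitive.
valid_mac() { printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# One rule per well-formed registry line; malformed lines are reported and skipped.
# Limit described in post #3: the rule binds an address pair, not a person, so a
# host that copies a registered pair while its owner is offline matches as well.
pair_rules() {
    printf '%s' "$REGISTRY" | while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ip "$ip" && valid_mac "$mac"; then
            printf 'FORWARD -i %s -o %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
                "$LAN" "$WAN" "$ip" "$mac"
        else
            echo "skipping malformed registry entry: $ip $mac" >&2
        fi
    done
}

# Load the pairing rules behind a default DROP.
apply_pair_rules() {
    $IPT -P FORWARD DROP
    pair_rules | while read -r rule; do $IPT -A $rule; done
}

# Rule for one key-authenticated session coming from address $1.
session_rule() { printf 'FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$LAN" "$WAN" "$1"; }

# Client address taken from SSH_CLIENT ("addr port port"), validated before use.
client_ip() {
    ip=${1%% *}
    valid_ip "$ip" || return 1
    printf '%s\n' "$ip"
}

# ForceCommand body: insert the rule, hold the session open, delete it on exit.
gate_session() {
    ip=$(client_ip "${SSH_CLIENT:-}") || { echo "refusing: bad SSH_CLIENT" >&2; return 1; }
    rule=$(session_rule "$ip")
    $IPT -I $rule
    trap '$IPT -D $rule' EXIT HUP INT TERM
    echo "internet access enabled for $ip; it ends when this session closes"
    cat >/dev/null      # blocks until the client disconnects
}
```

The session rule is still keyed on the source address for as long as the session lasts, so the duplicate-IP symptom from the first post applies to that window too; what changes is that opening the window requires a private key rather than a pair of addresses readable from the wire.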
 
Old 02-03-2005, 02:25 PM   #4
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

I think an answer could be 802.1X; here's the way it works:
You set up a RADIUS server.
You enable 802.1X on the interfaces of your switches.

Then, when someone plugs into an 802.1X interface, he is asked for a username/password.
If the username/password doesn't match an entry in the RADIUS server, the interface stays disabled; if it matches, the interface goes up...

I see 2 problems in your case:
1/ unregistered users won't access local resources anymore (maybe that's not a problem)
2/ 802.1X-enabled switches are quite expensive (Cisco boxes or so) and you've got to deploy them everywhere on your network.
 
All times are GMT -5. The time now is 07:16 PM.