LinuxQuestions.org


markotitel 11-22-2010 09:22 PM

How can I authenticate ethernet users before they use network
 
Hello,

Is there any solution for authentication of Ethernet users?

Something similar to daloradius for wifi.

I don't want to use PPPoE. Is there any way to connect daloradius with a DHCP server, so that when a certain MAC address asks for an IP, daloradius will first look at whether it is allowed?

Thanks

Noway2 11-23-2010 04:54 AM

I see a lot of suggestions for Squid Proxy as a solution to restrict Internet usage. It sounds like you would rather prevent them from even connecting to your network, in which case you could whitelist your DHCP list or use an ACL on a switch or router if you have one that supports it. Restricting the DHCP could possibly be bypassed by simply setting an IP rather than requesting one be assigned.

nowonmai 11-23-2010 06:42 AM

You could arrange dhcpd to only hand out static leases, and have iptables dynamically allow connections from the allocated IPs and block everything else.
Unfortunately, this would be very time-critical, as the DHCP-ACK packet will contain the source address just handed out.

markotitel 11-23-2010 10:16 PM

Thanks for the answers, I already use a proxy and static DHCP.

Now I want to set up daloradius for my users. For wireless it is OK, but I don't know how to solve authentication for Ethernet users.

JFNash 11-25-2010 10:21 AM

Quote:

Originally Posted by markotitel (Post 4168913)
Thanks for the answers, I already use a proxy and static DHCP.

Now I want to set up daloradius for my users. For wireless it is OK, but I don't know how to solve authentication for Ethernet users.

I use FreeRadius with ChilliSpot and they're fantastic.

markotitel 11-28-2010 08:07 AM

Can you control Ethernet users? Excluding PPP-type connections. I want to control Ethernet users by MAC address, and if the MAC is acceptable, then give them an IP from the DHCP server.

win32sux 11-28-2010 09:22 AM

Have you considered using iptables to allow only specific MACs to use your server? Like (example):
Code:

iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
iptables -A INPUT -m mac --mac-source YY:YY:YY:YY:YY:YY -j ACCEPT
iptables -A INPUT -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -j ACCEPT
iptables -A INPUT -j DROP
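The whitelist idea from the posts above, generalized as an added example (not code from anyone in this thread): a POSIX shell function that turns a list of static leases into iptables rules matching both the source MAC and its leased address, so a host that sets its own IP instead of asking DHCP matches no ACCEPT rule. The `lease_rules` name and the `MAC IP` input format are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread). Input on stdin: one "MAC IP" pair per
# line, '#' starts a comment line; this file format is an assumption.
# Output: iptables commands for review. Nothing is applied by this script.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the validated address into octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# lease_rules [INPUT|FORWARD]: the mac match only sees the source MAC on
# packets entering these chains (or PREROUTING), so other chains are refused.
lease_rules() {
    chain=${1:-INPUT}
    case $chain in INPUT|FORWARD) ;; *) echo "unsupported chain" >&2; return 1 ;; esac
    seen=" "; rules=""; lineno=0
    while read -r mac ip rest || [ -n "$mac" ]; do
        lineno=$((lineno + 1))
        case $mac in ''|'#'*) continue ;; esac
        if [ -n "$rest" ] || ! valid_mac "$mac" || ! valid_ipv4 "$ip"; then
            echo "line $lineno: malformed entry" >&2; return 1
        fi
        mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
        case $seen in *" $mac "*|*" $ip "*)
            echo "line $lineno: duplicate MAC or IP" >&2; return 1 ;;
        esac
        seen="$seen$mac $ip "
        # Require the MAC and its leased address together.
        rules="${rules}iptables -A $chain -s $ip -m mac --mac-source $mac -j ACCEPT
"
    done
    # An empty list would emit only the DROP and lock everyone out.
    [ -n "$rules" ] || { echo "no valid entries" >&2; return 1; }
    printf '%siptables -A %s -j DROP\n' "$rules" "$chain"
}
```

Source the file and run `lease_rules FORWARD < leases.txt` on a gateway, or `lease_rules` for the INPUT chain; rules are buffered, so a bad line produces an error and no partial rule set.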


markotitel 11-28-2010 10:53 PM

There is no problem blocking some MAC or some user, but I want to do it with daloradius.

Matir 11-29-2010 09:03 PM

If your hardware supports it, use 802.1x. It's designed for authentication of clients.

markotitel 11-30-2010 03:35 AM

Hello,

I see there is no easy solution, because Windows clients have a problem with this type of auth. Ah, never mind, I'll find some other way for eth users.

Thank you

slimm609 11-30-2010 07:14 AM

As Matir has said, 802.1x is a way to authenticate users. 802.1x was designed to do the same things you are looking for.

markotitel 12-01-2010 01:59 AM

As I said, Windows has problems with 802.1x.


All times are GMT -5.