How can I authenticate ethernet users before they use network

markotitel · 11-22-2010, 08:22 PM

Hello,

is there any solution for authentication of ethernet users.

something similar to daloradius for wifi.

I dont want to use pppoe. is there any way to connect daloradius with dhcp server, so when certain mac address asks for IP first daloradius will look if it is allowed.

Thanks

Noway2 · 11-23-2010, 03:54 AM

I see a lot of suggestions for Squid Proxy as a solution to restrict Internet usage. It sounds like you would rather prevent them from even connecting to your network, in which case you could whitelist your DHCP list, use an ACL on a switch or router if you have one that supports it. Restricting the DHCP could possibly be bypassed by simply setting an IP rather than requesting one be assigned.

nowonmai · 11-23-2010, 05:42 AM

You could arrange dhcpd to only hand out static leases, and have iptables dynamically allow connections from the allocated IPs and block everything else.
Unfortunately, this would be very time-critical, as the DHCP-ACK packet will contain the source address just handed out.

markotitel · 11-23-2010, 09:16 PM

Thanks for answers, i already use proxy and static DHCP.

Now I want to setup daloradius for my users, for wireless it is ok , but I dont know how to solve authentication for ethernet users.

JFNash · 11-25-2010, 09:21 AM

Quote:

Originally Posted by markotitel

Thanks for answers, i already use proxy and static DHCP.

Now I want to setup daloradius for my users, for wireless it is ok , but I dont know how to solve authentication for ethernet users.

I use FreeRadius with ChilliSpot and they're fantastic.

markotitel · 11-28-2010, 07:07 AM

Can you control ethernet users ? Exclude PPP type of connections. I want to control ethernet users by mac addres and if mac is acceptable, than give them IP form dhcp server.

win32sux · 11-28-2010, 08:22 AM

Have you considered using iptables to allow only specific MACs to use your server? Like (example):

Code:

iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
iptables -A INPUT -m mac --mac-source YY:YY:YY:YY:YY:YY -j ACCEPT
iptables -A INPUT -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -j ACCEPT
iptables -A INPUT -j DROP

markotitel · 11-28-2010, 09:53 PM

there is no problem to block some mac or some user, but I want to do it with daloradius.

Matir · 11-29-2010, 08:03 PM

If your hardware supports it, use 802.1x. It's designed for authentication of clients.

markotitel · 11-30-2010, 02:35 AM

Hello,

I see there is no easy solution, because Windows clients have a problem with this type of auth. Ah, nevermind, al find some other way for eth users.

thnk you

slimm609 · 11-30-2010, 06:14 AM

as matir has said 802.1x is a way to authenticate users. 802.1x was designed to do the same things you are looking for.

markotitel · 12-01-2010, 12:59 AM

As I sad windows has problems with 802.1x.