Old 02-02-2005, 01:54 PM   #1
Registered: Sep 2003
Location: Bucharest
Distribution: Slackware *.*
Posts: 36

Rep: Reputation: 15
LAN authentication

I'd like to get some suggestions/solutions to the following problem:

1. Medium/large educational LAN (~1000 workstations, likely not to be trusted)
2. Everybody who is registered should have access to the internet, the others should not (they can access the local area network because they have a connected cable in their rooms)
3. At this moment there is some authentication mechanism based on IP/MAC matching (iptables), but some users complain that they very often see a duplicate IP on the network; some of them are trying to pass this filter (it's very easy to get a valid match from the network, take that host down or wait for it to be offline...)

I am thinking about a transparent proxy, but this isn't a solution for other applications (like P2P clients).
I am also thinking of some kind of ssh-key based authentication to the gateway that, if it's successful, adds the appropriate iptables rule, or something like this.

So... does anyone have a suggestion/solution for how this authentication mechanism should look?

TNX in advance
Old 02-03-2005, 07:03 AM   #2
Registered: May 2004
Distribution: redhat, trustix, debian
Posts: 103

Rep: Reputation: 15
Your users can bypass -m --mac-source matches?
Old 02-03-2005, 11:29 AM   #3
Registered: Sep 2003
Location: Bucharest
Distribution: Slackware *.*
Posts: 36

Original Poster
Rep: Reputation: 15
If the IP/MAC pair is not valid they can't. The problem is that a valid pair can be obtained from the network (another host) with little effort, and this is the way they can pass the filter (waiting for the legitimate host to shut down, or taking it down).
Old 02-03-2005, 02:25 PM   #4
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32

I think an answer could be 802.1X; here's the way it works:
You set up a RADIUS server.
You enable 802.1X on the interfaces of your switches.

Then, when someone plugs in an 802.1X interface, he is asked for a username/password.
If the username/password doesn't match an entry in the RADIUS server, the interface stays disabled; if it matches, the interface goes up...

I see 2 problems in your case:
1/ unregistered users won't access local resources anymore (maybe that's not a problem)
2/ 802.1X-enabled switches are quite expensive (Cisco boxes or so) and you've got to deploy them everywhere on your network.
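
The weakness discussed in this thread is that a cloned IP/MAC pair looks identical to the real one at the gateway. The following is an added example, not code from any poster, that flags such clones by checking a third attribute, the switch port. It assumes managed switches whose MAC tables can be polled; the registration table, port names and sightings are all constructed.

```python
"""Flag cloned IP/MAC pairs by using the switch port as a third attribute."""
from collections import namedtuple

Sighting = namedtuple("Sighting", "ts ip mac port")

# Constructed registration table: (ip, mac) -> switch port in the owner's room.
REGISTERED = {
    ("10.0.1.21", "00:11:22:33:44:55"): "sw3/12",
    ("10.0.1.22", "00:11:22:33:44:66"): "sw3/13",
}

# Constructed sightings in a hypothetical "epoch ip mac port" format,
# standing in for data polled from the switches' forwarding tables.
SAMPLE = """\
1107370000 10.0.1.21 00:11:22:33:44:55 sw3/12
1107370060 10.0.1.22 00:11:22:33:44:66 sw3/13
1107373600 10.0.1.21 00:11:22:33:44:55 sw5/02
1107373660 10.0.1.30 00:11:22:33:44:77 sw5/07
1107373720 10.0.1.22 00:11:22:33:44:99 sw3/13
"""

def parse(text):
    """Yield one Sighting per well-formed line; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        ts, ip, mac, port = fields
        yield Sighting(int(ts), ip, mac.lower(), port)

def classify(s, registered):
    """Return 'ok', 'cloned-pair', 'ip-mac-mismatch' or 'unregistered'."""
    home_port = registered.get((s.ip, s.mac))
    if home_port is None:
        # An IP/MAC filter on the gateway already rejects these two cases.
        known_ips = {ip for ip, _mac in registered}
        return "ip-mac-mismatch" if s.ip in known_ips else "unregistered"
    # A valid pair passes the IP/MAC filter, so only the port can expose it.
    return "ok" if s.port == home_port else "cloned-pair"

def alerts(text, registered=REGISTERED):
    """Return (sighting, verdict) for every sighting that is not 'ok'."""
    found = []
    for s in parse(text):
        verdict = classify(s, registered)
        if verdict != "ok":
            found.append((s, verdict))
    return found

if __name__ == "__main__":
    for s, verdict in alerts(SAMPLE):
        print(s.ts, s.ip, s.mac, s.port, verdict)
```

The third sample line is the case the thread describes: a registered pair that appears on a port other than its owner's, which an IP/MAC match alone would accept.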

