DHCP Authentication howto ?
Tim Peiffer
peiffer at umn.edu
Tue Sep 4 01:16:03 UTC 2007
I would agree that 802.1x is a layer1 issue. Once you add a person to
the lan past layer1, then authentication is difficult... That is why we
manage authentication outboard of the dhcp server. It is just so easy
to forge a MAC address, and just as easy to poke your own IP onto the
subnet, that the MAC address security is really not security at all.
Now what do you mean by authentication? And would you authenticate a
user based upon the MAC address credential, or do you just want to
signal that the MAC is a known device?
We quarantine users with rfc1918 space and very short leases, provide
web page redirect to a registration server, and enforce the use of DHCP
via dhcp snooping. Once the user is authenticated, the MAC address is
poked into a database that is used to generate 'blessed' devices. The
only thing we haven't figured out is when someone forges another MAC
(blows a bit, or gets a duplicate from a NIC manufacturing run) and gets
a DHCP address on another network.
The point is, you aren't authenticating anything. If one were to drop
the term 'authenticating' and then permit service to 'known clients' for
any given business reason, that is different.
Now if you want to create a group of 'blessed' devices, please look at
the dhcpd.conf man page under pools. It gives you an example of how to
create a pool with different addressing or just deny. The only other
thing you need to do is collect MAC addresses and submit them using the
'host' definition. We have been doing this for years and only had
issues with the maintenance of the 'authorized MAC' list, how fast
moves, adds and changes are inserted or deleted from the list.
Ultimately we spent more time stopping and loading dhcpd to give fast
service that this method became one of diminishing returns.
Tim Peiffer
Network Support Engineer
Networking and Telecommunications Services
University of Minnesota/Northern Lights GigaPOP
host 0000aa59babb {
hardware ethernet 00:00:AA:59:BA:BB;
}
man dhcpd.conf:
> subnet 10.0.0.0 netmask 255.255.255.0 {
> option routers 10.0.0.254;
>
> # Unknown clients get this pool.
> pool {
> option domain-name-servers bogus.example.com;
> max-lease-time 300;
> range 10.0.0.200 10.0.0.253;
> allow unknown-clients;
> }
>
> # Known clients get this pool.
> pool {
> option domain-name-servers ns1.example.com, ns2.example.com;
> max-lease-time 28800;
> range 10.0.0.5 10.0.0.199;
> deny unknown-clients;
> }
> }
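As an added example (not part of this thread), here is a small Python generator for the 'authorized MAC' list described above: it normalizes registered MACs into dhcpd.conf host declarations for a subnet whose pool says deny unknown-clients, collapses duplicates, and sets aside malformed records for review. The registry contents, the owner field and the include file path are constructed assumptions.

```python
import re

# Constructed sample registry: what the registration database might
# export, one record per device that passed the web-redirect portal.
REGISTRY = [
    {"mac": "00:00:AA:59:BA:BB", "owner": "alice"},
    {"mac": "00-00-aa-59-ba-bb", "owner": "alice"},    # same NIC, other notation
    {"mac": "0011.2233.4455",   "owner": "bob"},       # Cisco-style notation
    {"mac": "00:11:22:33:44:GG", "owner": "mallory"},  # malformed, must be rejected
]


def normalize_mac(text):
    """Return the MAC as lower-case colon-separated form, or None if invalid."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_known_hosts(records):
    """Return (host_decls, rejected).

    Valid MACs are deduplicated (first owner wins) and rendered as dhcpd.conf
    host declarations; malformed MACs are collected instead of being written
    into the config, so a bad registry row cannot break a dhcpd reload.
    """
    seen, rejected = {}, []
    for rec in records:
        mac = normalize_mac(rec["mac"])
        if mac is None:
            rejected.append(rec["mac"])
        else:
            seen.setdefault(mac, rec["owner"])
    decls = []
    for mac, owner in sorted(seen.items()):
        decls.append(
            f"host {mac.replace(':', '')} {{\n"
            f"    hardware ethernet {mac};  # owner: {owner}\n"
            "}"
        )
    return decls, rejected


def render_include(records):
    """Text for a file pulled in with include "/etc/dhcp/known-hosts.conf";
    (assumed path) beside a subnet whose pools use deny unknown-clients."""
    decls, rejected = build_known_hosts(records)
    header = f"# generated: {len(decls)} known hosts, {len(rejected)} rejected records"
    return "\n".join([header] + decls) + "\n"


if __name__ == "__main__":
    print(render_include(REGISTRY))
```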
ip guy wrote:
> 802.1x would be a layer 1 issue, managing a school on a University
> campus, that simply isn't an option at this point.
>
> On 8/31/07, *Tim Peiffer * <peiffer at umn.edu <mailto:peiffer at umn.edu>>
> wrote:
>
> ip guy wrote:
> > Hi all
> >
> > Can anyone point me to a DHCP Authentication howto ?
> > We're running ISC DHCP allocating IPs to windows hosts so am
> hoping it's
> > possible to do what I'm after
> >
> > regards
> >
> >
> Just say no. Neither an IP address nor a MAC address is a
> credential,
> so no there isn't a way to authenticate with DHCP.
>
> Leave the job of providing IP addresses to DHCP, leave
> authentication to
> things like radius. Leave network admission control to 802.1x.
>
>
> Regards,
> Tim Peiffer
> Network Support Engineer
> Networking and Telecommunications Services
> University of Minnesota/Northern Lights GigaPOP
>