Educause Security Discussion mailing list archives
Re: MAC address registrations
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 21 Apr 2003 17:30:37 -0400
Arturo Lev Servin wrote:
1) Client issues DHCP request
2) If client's MAC address is not in the DHCP server table, the DHCP server furnishes an IP address that is restricted by router filters and given a DNS server that will resolve all DNS lookups to a registration web site.

So, in the same vlan you have "invalid" and "valid" ip addresses?
Yes. A new, unregistered MAC address will get an IP address in the 10 network whose access is restricted to the registration infrastructure devices. We had to do this instead of assigning unregistered MAC addresses to a restricted vlan because we don't have switches pushed all the way out to the endpoints everywhere.
If so, how do you deny that a user sniffs the network and assigns itself a static IP address of the valid pool?
We don't. The system was not intended to be a security control. It was intended to be an administrative aid. It can be circumvented. Monitoring arp caches, registered MACs in the dhcp tables, and/or switch MAC tables can tell us if it is being abused.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
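The cross-check mentioned in the reply above (ARP caches against registered MACs and DHCP tables), sketched as an added example that is not part of the original post or of the JMU system. The valid pool, the table contents and the "ip mac" ARP line format are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the original post): the registered-client pool, the
# table contents and the "ip mac" ARP line format are constructed samples.
VALID_POOL = ipaddress.ip_network("192.0.2.0/24")

REGISTERED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
DHCP_LEASES = {  # ip -> MAC the DHCP server handed that address to
    "192.0.2.10": "00:11:22:33:44:55",
    "192.0.2.11": "00:11:22:33:44:66",
    "10.0.5.20": "00:aa:bb:cc:dd:01",
}
ARP_CACHE = """\
192.0.2.10 0011.2233.4455
192.0.2.11 00-AA-BB-CC-DD-02
192.0.2.50 00:11:22:33:44:66
192.0.2.77 00:aa:bb:cc:dd:03
10.0.5.20 00:aa:bb:cc:dd:01
"""

def norm_mac(mac):
    """Normalise dotted, dashed or colon MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(arp_text, registered, leases, pool=VALID_POOL):
    """Return (ip, mac, reason) for ARP entries in the valid pool that the
    registration and DHCP tables cannot account for."""
    registered = {norm_mac(m) for m in registered}
    leases = {ip: norm_mac(m) for ip, m in leases.items()}
    findings = []
    for line in arp_text.splitlines():
        if not line.strip():
            continue
        ip, mac = line.split()[:2]
        mac = norm_mac(mac)
        if ipaddress.ip_address(ip) not in pool:
            continue  # restricted 10.x clients are expected to be unregistered
        if mac not in registered:
            findings.append((ip, mac, "unregistered MAC in valid pool"))
        elif leases.get(ip) != mac:
            findings.append((ip, mac, "registered MAC on IP it was not leased"))
    return findings

if __name__ == "__main__":
    for finding in audit(ARP_CACHE, REGISTERED_MACS, DHCP_LEASES):
        print(*finding)
```

The same comparison applies to switch MAC tables, which additionally tie each finding to a physical port.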