Educause Security Discussion mailing list archives

Re: MAC address registrations


From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 21 Apr 2003 17:30:37 -0400

Arturo Lev Servin wrote:

> 1) Client issues DHCP request
>
> 2) If client's MAC address is not in the DHCP server table, the
>    DHCP server furnishes an IP address that is restricted by
>    router filters and given a DNS server that will resolve all
>    DNS lookups to a registration web site.
>
> So, in the same vlan you have "invalid" and "valid" IP addresses?

Yes.

A new, unregistered MAC address will get an IP address
in the 10 network whose access is restricted to the registration
infrastructure devices. We had to do this instead of assigning
unregistered MAC addresses to a restricted vlan because we don't
have switches pushed all the way out to the endpoints everywhere.

> If so, how do you deny that a user sniff the network and
> assign itself a static IP address of the valid pool?

We don't. The system was not intended to be a security control.
It was intended to be an administrative aid. It can be
circumvented. Monitoring arp caches, registered MACs in the
dhcp tables, and/or switch MAC tables can tell us if it is
being abused.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
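
Added example (not part of the original message): one way to do the cross-check described above, comparing router ARP cache entries against the DHCP registration table and current leases. The data layout, function names and sample values are assumptions constructed for illustration; only "the 10 network" for unregistered clients comes from the post.

```python
import ipaddress
import re

# From the post: unregistered clients are leased addresses in "the 10 network".
RESTRICTED_NET = ipaddress.ip_network("10.0.0.0/8")

def norm_mac(mac):
    """Normalize aa:bb:.., aa-bb-.. and aabb.ccdd.eeff forms to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def find_abuse(arp_entries, registered_macs, leases):
    """Return (ip, mac, reason) for ARP entries the DHCP tables do not explain.

    arp_entries: iterable of (ip, mac) seen in router ARP caches
    registered_macs: MACs present in the DHCP registration table
    leases: dict ip -> mac of current DHCP leases
    """
    registered = {norm_mac(m) for m in registered_macs}
    lease_by_ip = {ip: norm_mac(m) for ip, m in leases.items()}
    findings = []
    for ip, raw_mac in arp_entries:
        mac = norm_mac(raw_mac)
        if ipaddress.ip_address(ip) in RESTRICTED_NET:
            continue  # restricted pool: router filters already confine it
        if mac not in registered:
            findings.append((ip, mac, "unregistered MAC on unrestricted address"))
        elif lease_by_ip.get(ip) != mac:
            findings.append((ip, mac, "address not leased to this MAC"))
    return findings

# Constructed sample data (documentation address range, made-up MACs).
REGISTERED = ["00:11:22:33:44:55", "00-11-22-33-44-66"]
LEASES = {"192.0.2.10": "00:11:22:33:44:55", "192.0.2.11": "00:11:22:33:44:66"}
ARP = [
    ("192.0.2.10", "0011.2233.4455"),      # registered, holds the lease
    ("10.1.2.3", "00:aa:bb:cc:dd:01"),     # unregistered, restricted pool
    ("192.0.2.50", "00:aa:bb:cc:dd:02"),   # unregistered, static address
    ("192.0.2.11", "00:11:22:33:44:55"),   # registered MAC, not its lease
]

if __name__ == "__main__":
    for ip, mac, reason in find_abuse(ARP, REGISTERED, LEASES):
        print(ip, mac, reason)
```

This compares only ARP and DHCP data; switch MAC tables, the third source named in the message, are not consulted here.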
