Authenticate the user first

Feb 22, 2009
Hello, I'm looking for a DHCP solution (closed or open source) that would allow me to validate the user against some LDAP before giving them a valid IP address. What would you recommend me?
 
I think the problem here is that they would need a valid IP address prior to authenticating against an LDAP server. DHCP works at the hardware level, not the user level. In what scenario would you be using this?
 
I'm familiar with Network/Client Server concepts on a basic level. However, I think what BeatrixKiddo is trying to say is a user should be given a private IP address - but until he authenticates with LDAP, his port will not be open to the public interface (internet).

It seems like a simple request, but like I said, my related knowledge is basic.

-Geates
 
If this is what they are really after, then it sounds like a proxy server is what is needed. That way, the user can be validated before they can have access.

My first, and second, thought after reading the post was to suggest looking into Kerberos, which I understand is used to authenticate users.
 
Hello, I'm more interested in controlling the LAN than the Internet; because right now any person, with any laptop, can get a LAN IP address from an active port and get access on the TCP/IP level. I need to implement a mechanism that could stop an unauthorized user from getting connectivity.
 
The issue is that users must - I believe - receive TCP/IP layer protocol before any authentication can begin. The method is called Network Access Control and (from what I hear) it is quite expensive. The idea behind it is ALL IP ports are closed until the user of those IPs authenticates with LDAP. The port is then opened. Bear in mind, NAC operates on ALL layers of OSI.

-Geates
 
If you are introducing authorisation at that level then why don't you just turn off your DHCP server and allocate IPs statically?
 
Interesting problem, I have to admit. I wonder if you could make it work using something along the lines of a firewall VPN pool, i.e. using VPN to connect each of the clients to a firewall which then allocates an IP via DHCP. A further rule allows access for that pool only to the network resources (i.e. LAN). You could manage the users via an LDAP interface on the firewall?

Not sure if it's possible, but trying to add ideas.
 
Just a thought, but what about looking at the problem from the other end. Could you work something out with the DNS server to compare the host name against a known database.

Also, not sure if it is applicable to your application, but I believe Samba has various levels of authentication and access control.
 
If you have managed switches, why don't you look at port authentication (802.1X) instead?

Or use MAC-based filtering on your switches.

These 2 options are assuming you have managed switches in place.
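The replies above (DHCP "works at the hardware level", and MAC-based filtering as an alternative) both come down to the same fact: the only identity a DHCP server or a switch sees without 802.1X is a client-supplied hardware address. The following is an added example, not code from the original thread. It builds a DHCPDISCOVER message (RFC 2131 layout, constructed packets rather than captures), parses back the identity fields a server can act on (chaddr and the option 61 client identifier), and runs them through a MAC allow-list of the kind a switch or DHCP server would apply. The MAC addresses and the allow-list are made up for the demonstration.

```python
"""
Build and parse DHCPDISCOVER messages to show what a DHCP server or a
MAC filter actually knows about a client: a hardware address (chaddr)
and an optional client identifier (option 61), both chosen by the client.
Added example; all packets and addresses are constructed, not captured.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # RFC 2131 options marker
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255
DHCPDISCOVER = 1
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # 236-byte fixed BOOTP header


def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER body (no Ethernet/IP/UDP headers)."""
    assert len(mac) == 6
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,             # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"),       # chaddr: whatever the client writes here
        b"\0" * 64, b"\0" * 128,    # sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
        + bytes([OPT_CLIENT_ID, 7, 1]) + mac   # option 61: type 1 (Ethernet) + MAC
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


def parse_discover(pkt: bytes) -> dict:
    """Return the client-supplied identity fields of a DHCP message."""
    fields = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen, chaddr_field = fields[2], fields[11]
    opts, i = {}, 240
    while i < len(pkt):                        # walk TLV options until END
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                          # PAD option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0],
        "chaddr": chaddr_field[:hlen],
        "client_id": opts.get(OPT_CLIENT_ID),
    }


def mac_allowlist_accepts(pkt: bytes, allowed: set) -> bool:
    """The only decision a MAC allow-list can make: is chaddr on the list?"""
    return parse_discover(pkt)["chaddr"] in allowed


def demo() -> dict:
    """Constructed scenario: one authorised laptop, one stranger, one spoofer."""
    corp_mac = bytes.fromhex("0011223344aa")   # hypothetical corporate laptop
    allowed = {corp_mac}
    legit = build_discover(corp_mac)
    stranger = build_discover(bytes.fromhex("deadbeef0001"))
    # The stranger after e.g. `ip link set dev eth0 address 00:11:22:33:44:aa`:
    # the frame is byte-for-byte identical to the legitimate one.
    spoofed = build_discover(corp_mac)
    return {
        "legit": mac_allowlist_accepts(legit, allowed),       # True
        "stranger": mac_allowlist_accepts(stranger, allowed), # False
        "spoofed": mac_allowlist_accepts(spoofed, allowed),   # True, no way to tell
        "identical_frames": legit == spoofed,                 # True
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in the message carries a user, a credential, or anything the client cannot rewrite, so neither a DHCP server nor a MAC filter can be the authentication point the original question asks for. That is what 802.1X adds: the switch keeps the port in the unauthorized state and only forwards EAPOL until a RADIUS server (which can be backed by LDAP) accepts the user's credentials, after which the port is opened and DHCP proceeds as usual.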

 
You could also implement different firewall strategies. With almost all modern firewall solutions (I use SonicWall) you can create a DMZ (demilitarized zone), which is a completely separate LAN segment in itself that has no physical access to the rest of the network. Once a person receives an IP address and is in the DMZ, they would then need to authenticate in order to gain access to the rest of the network. I haven't actually used this on my SonicWall, but I do believe ISA Server allows authentication with LDAP.

Brad L.
Systems Engineer
Prestige Technologies
bradlaszlo[at]prestigetech.com

"Some things Man was never meant to know. For everything else, there's Google."
 