jyundt Forum Newbie

Joined: 15 Dec 2008 Posts: 15
Posted: Mon Dec 15, 2008 5:28 pm Post subject: DHCP - deny unknown clients option
Is there any way to enable the feature "deny unknown clients" in vyatta? I'm using vyatta 5 beta and my configuration is listed below:
Code:
content-inspection {
    anti-virus {
        action reject
    }
    ips {
        actions {
            other alert
            priority-1 drop
            priority-2 drop
            priority-3 drop
        }
        auto-update {
            oink-code [x]
            update-hour 19
        }
    }
    traffic-filter {
        preset all
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 00:0c:29:21:86:0a
    }
    ethernet eth1 {
        address 172.16.0.1/24
        hw-id 00:0c:29:21:86:14
        vif 0 {
        }
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name ETH1_POOL {
            authoritative disable
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 10.0.0.1
                start 172.16.0.100 {
                    stop 172.16.0.200
                }
            }
        }
    }
    nat {
        rule 1 {
            outbound-interface eth0
            source {
                address 172.16.0.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root false
    }
    webproxy {
        cache-size 100
        listen-address 172.16.0.1 {
        }
        url-filtering {
            squidguard {
                auto-update monthly
                log all
            }
        }
    }
}
system {
    host-name vyatta
    login {
        user root {
            authentication {
                encrypted-password [x]
            }
        }
        user vyatta {
            authentication {
                encrypted-password [x]
            }
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution testing
            url http://packages.vyatta.com/vyatta
        }
    }
    time-zone "New York"
}
I'm currently using FreeBSD 7.0 as a router and have two DHCP scopes. One "authenticated" scope with deny unknown clients enabled (and manual host definitions) and the other "unauthenticated" scope that accepts all DHCP requests.
What is the best way to accomplish this with vyatta? Or am I barking up the wrong tree?
-jyundt
kenfelix Super User

Joined: 11 Mar 2008 Posts: 449
Posted: Wed Dec 17, 2008 10:31 am Post subject:
How are you authenticating DHCP clients under FreeBSD? I'm doing something similar with blindly assigning DHCP addresses to clients, but we use a RADIUS server for authenticating clients for network access. This is not with vyatta though.
So clients who aren't authenticated are in a quarantine, and can't do anything that requires remote access. We do have a web-proxy quarantine that would allow them access to http/https services.
jyundt Forum Newbie

Joined: 15 Dec 2008 Posts: 15
Posted: Wed Dec 17, 2008 10:38 am Post subject:
Sorry, "authenticate" probably isn't the correct term. In my current setup, I manually add host definitions {via MAC address} to the dhcpd configuration for the 'authenticated' subnet. That subnet also has deny unknown-clients enabled. So, if the MAC address isn't listed, unknown clients get a DHCP lease from the "unauthenticated" subnet, which has more restrictive permissions (http only and various other firewall rules).
In short, anyone can get a DHCP lease on my network. But, you need to have your MAC address defined in order to get full access.
I would like to do something similar with vyatta but I can't figure out how to use dhcpd settings that aren't pre-defined in vyatta. I really don't want to have to manually edit the perl files either...
-Jacob
kenfelix Super User

Joined: 11 Mar 2008 Posts: 449
Posted: Wed Dec 17, 2008 11:19 am Post subject:
Ah, now I understand.
So you're using the ISC dhcpd and allow/deny known clients options?
This is okay for basic security/access, but I'm using the external authentication means, because any 3rd grade genius could use any free pcap capture to sniff out any broadcast traffic and then mimic that MAC address.
With an external 2nd phase authentication, you pretty much take that risk right off the table.
Now, I would think vyatta could easily add this command to their interface. Could you post a snippet of your dhcpd.conf file, on what you're currently doing with FreeBSD?
jyundt Forum Newbie

Joined: 15 Dec 2008 Posts: 15
Posted: Wed Dec 17, 2008 11:37 am Post subject:
This is a snippet of my dhcpd.conf:
Code:
default-lease-time 600;
max-lease-time 600;
authoritative;
ddns-update-style none;
log-facility local7;
shared-network 192 {
    subnet 192.168.1.0 netmask 255.255.255.0 {
        default-lease-time 600;
        max-lease-time 600;
        pool {
            range 192.168.1.100 192.168.1.200;
            option routers 192.168.1.1;
            option domain-name-servers 192.168.1.1;
            option domain-name "mydomain.com";
            option broadcast-address 192.168.1.255;
            option subnet-mask 255.255.255.0;
            use-host-decl-names off;
            # ISC dhcpd spells the directive with a hyphen
            deny unknown-clients;
            default-lease-time 3600;
            max-lease-time 3600;
            host client1 {
                hardware ethernet 00:18:f3:XX:XX:XX;
                fixed-address 192.168.1.2;
            }
            host client2 {
                hardware ethernet 00:06:5B:XX:XX:XX;
            }
        }
    }
    subnet 10.0.0.0 netmask 255.255.255.0 {
        pool {
            allow unknown-clients;
            range 10.0.0.3 10.0.0.50;
            option routers 10.0.0.1;
            option domain-name-servers 10.0.0.1;
            option broadcast-address 10.0.0.255;
            option subnet-mask 255.255.255.0;
            filename "pxelinux.0";
            next-server 10.0.0.2;
        }
    }
}
I agree about the script-kiddies spoofing a MAC address. I would love to eventually move to RADIUS authentication (especially for wireless access).
Should I submit some sort of feature request for the extra dhcpd options?
Thanks for your help!
-Jacob
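An added audit script, not code from the thread or from Vyatta, that checks the two-pool scheme discussed above: it parses a constructed dhcpd.conf fragment (host declarations plus a restricted pool with deny unknown-clients and an open pool with allow unknown-clients) and a constructed dhcpd.leases excerpt, and reports any lease from the restricted range that went to a MAC with no host declaration, which is what you would see if the deny directive were missing or misspelled. It only audits configuration against leases; it does not make MAC-based access any harder to spoof.

```python
import ipaddress
import re

# Constructed dhcpd.conf fragment modelled on the thread's layout (not the poster's file).
DHCPD_CONF = """
host client1 { hardware ethernet 00:18:f3:aa:bb:cc; fixed-address 192.168.1.2; }
host client2 { hardware ethernet 00:06:5b:11:22:33; }
subnet 192.168.1.0 netmask 255.255.255.0 {
    pool { range 192.168.1.100 192.168.1.200; deny unknown-clients; }
}
subnet 10.0.0.0 netmask 255.255.255.0 {
    pool { range 10.0.0.3 10.0.0.50; allow unknown-clients; }
}
"""

# Constructed dhcpd.leases excerpt: the second lease should never have been issued.
DHCPD_LEASES = """
lease 192.168.1.150 { hardware ethernet 00:18:f3:aa:bb:cc; }
lease 192.168.1.151 { hardware ethernet 00:11:22:33:44:55; }
lease 10.0.0.10 { hardware ethernet 00:11:22:33:44:55; }
"""

HOST_RE = re.compile(r"host\s+\S+\s*\{[^}]*?hardware ethernet ([0-9a-fA-F:]{17})")
POOL_RE = re.compile(r"pool\s*\{([^}]*)\}")
RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+);")
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{([^}]*)\}")
MAC_RE = re.compile(r"hardware ethernet ([0-9a-fA-F:]{17})")

def known_macs(conf):
    """MACs from host declarations: the clients the restricted pool may serve."""
    return {m.lower() for m in HOST_RE.findall(conf)}

def parse_pools(conf):
    """Return [(first_ip, last_ip, denies_unknown)] for every pool in the config."""
    pools = []
    for body in POOL_RE.findall(conf):
        lo, hi = RANGE_RE.search(body).groups()
        pools.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi),
                      "deny unknown-clients" in body))
    return pools

def audit_leases(conf, leases):
    """Leases (ip, mac) inside a deny-unknown-clients range whose MAC is not registered."""
    macs, pools, findings = known_macs(conf), parse_pools(conf), []
    for ip_s, body in LEASE_RE.findall(leases):
        mac = MAC_RE.search(body).group(1).lower()
        ip = ipaddress.ip_address(ip_s)
        if any(lo <= ip <= hi and restricted and mac not in macs
               for lo, hi, restricted in pools):
            findings.append((ip_s, mac))
    return findings

if __name__ == "__main__":
    for ip_s, mac in audit_leases(DHCPD_CONF, DHCPD_LEASES):
        print(f"unregistered MAC {mac} holds restricted-pool lease {ip_s}")
```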
TristanRhodes Forum Veteran

Joined: 24 May 2008 Posts: 137
Posted: Thu Dec 18, 2008 8:31 pm Post subject:
Jacob,
A system like you are describing is often called NAC (Network Access Control). Basically, you can define requirements for accessing the network. This can be authentication, passing security scans, etc.
The best open-source NAC tool is called PacketFence. You can learn more about it here:
http://www.packetfence.com/english/home.html
I have used it and I highly recommend it; it can save tens of thousands of dollars when compared to closed systems.
Tristan
_________________
Tristan Rhodes
Co-Founder and CTO
Utah OpenTech
www.utahopentech.com
jyundt Forum Newbie

Joined: 15 Dec 2008 Posts: 15
Posted: Mon Dec 22, 2008 3:34 pm Post subject:
Tristan-
Thanks for the info. I {briefly} tested PacketFence and it does seem pretty robust. Unfortunately I'm not sure if it will "scale down" to fit my needs. For the time being, denying clients via dhcpd/MAC addresses seems to accomplish what I'm trying to do.
That being said, is there a way I should 'officially' request this feature in vyatta?
Thanks,
Jacob
stig Vyatta Employee


Joined: 21 Feb 2008 Posts: 1282 Location: silicon valley