[ale] Authentication for network access

Jonathan Rickman jonathan at xcorps.net
Wed Nov 29 13:35:20 EST 2000


On Wed, 29 Nov 2000, Dan Newcombe wrote:

> 
> Here is one I'm stumped on. 
> 
> Is it possible to somehow have a person/machine authenticate itself before
> gaining network access?
> 
> The options I've gone through in my mind:
> 	DHCP - you can limit what NICs can get an IP, however, that
> 		requires magical knowledge of the NICs beforehand.  With
> 		4500 student notebooks, that is a lot of magic, but
> 		possibly not a bad price to pay for network access.
> 
> 	PPPoE - thanks to people's DSL trouble, I learned about this.
> 		While it sounds like PPP over an Ethernet wire, I am
> 		unsure what effect this would have on someone connecting
> 		to other networks - do drivers need to be loaded on a 9x 
> 		machine to use this?  Is there support for Macs and
> 		NT/2000?  
> 
> Are there any other options?  One off-the-wall idea I had was some scheme
> where they would get an IP, but only be able to get to one location - a
> web server on which they would have to authenticate themselves, which
> would then adjust some routing tables to allow that IP address to have
> full access, but that just seems a bit iffy to me.
> 
> Ideas?  Preferably ones that I can somehow tie back to a Linux login
> server for authentication (RADIUS/LDAP/pam_*)

Depending on the type of services they will be using, you could set up 2
subnets. One for the clients, one for the services. Put a proxy in between
them and require authentication at the proxy. Or even use VPN within the
LAN to accomplish the same thing. This way, they only have access to other
clients until they authenticate.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

