ipfw plus authentication???

Nikos Vassiliadis nvass at teledomenet.gr
Mon Apr 3 09:47:11 UTC 2006


On Monday 03 April 2006 10:34, Mark Jayson Alvarez wrote:
> Hi
>
>  I am looking for ways to manage our LAN by having each user register their
> IP address, MAC address, workstation OS, etc. in our LDAP directory. Now in
> our pcrouter, the user will first send his login credentials to the
> pcrouter, and then the pcrouter will check against LDAP if this login is
> correct, and if it is, then it will do an ldapsearch/compare operation
> to see if the source address (IP/MAC) of the user trying to gain network
> access indeed belongs to that user. Only then will the ipfw ruleset be
> changed to allow traffic originating from this source address...
>

Does it have to be LDAP and ipfw?
There is authpf, which...

Introduction
Authpf(8) is a user shell for authenticating gateways. An authenticating 
gateway is just like a regular network gateway (a.k.a. a router) except that 
users must first authenticate themselves to the gateway before it will allow 
traffic to pass through it. When a user's shell is set to /usr/sbin/authpf 
(i.e., instead of setting a user's shell to ksh(1), csh(1), etc) and the user 
logs in using SSH, authpf will make the necessary changes to the active pf(4) 
ruleset so that the user's traffic is passed through the filter and/or 
translated using Network Address Translation or redirection. Once the user 
logs out or their session is disconnected, authpf will remove any rules 
loaded for the user and kill any stateful connections the user has open. 
Because of this, the ability of the user to pass traffic through the gateway 
only exists while the user keeps their SSH session open.

From here:
http://www.openbsd.org/faq/pf/authpf.html

Of course this does not cover the IP|MAC address checking you mentioned,
but I don't see how this enhances security. It will be easy for a user to
change his IP|MAC address.

HTH, Nikos

>  Has anyone gone with this solution before?
>
>  Thanks
>
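To make the authpf description above concrete, here is an added example (not from the OpenBSD FAQ page and not posted by either participant) of the pieces a minimal authpf gateway needs on an OpenBSD or pf-enabled FreeBSD box of that era: the anchors and default-deny policy in /etc/pf.conf, the per-user rules in /etc/authpf/authpf.rules, and the commands that turn it on. The interface names em0/em1, the LAN 192.168.1.0/24, the user name alice and the "web and DNS only" policy are assumptions chosen for illustration.

```pf
# /etc/pf.conf  (gateway-wide ruleset; interface names and LAN are assumed)
ext_if = "em0"            # assumed: upstream interface
int_if = "em1"            # assumed: LAN segment the users sit on
lan    = "192.168.1.0/24" # assumed: LAN prefix

# Translation anchors first: authpf(8) loads each login's rules into a
# sub-anchor named "authpf/<user>(<pid>)", so the wildcard anchors must be
# present or authpf has nowhere to attach them.
nat-anchor   "authpf/*"
rdr-anchor   "authpf/*"
binat-anchor "authpf/*"

# Private LAN needs NAT to reach the outside once a user is allowed through.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny from the LAN; the only thing an unauthenticated host may do
# is open an SSH session to the gateway itself, which is what runs authpf.
block in log on $int_if from $lan to any
pass in quick on $int_if proto tcp from $lan to $int_if port 22 keep state

# Filter anchor: a logged-in user's "pass ... quick" rules land here and
# override the block above only for that user's $user_ip.
anchor "authpf/*"


# /etc/authpf/authpf.rules  (loaded into the user's anchor at login)
# This file is parsed on its own, so macros from pf.conf are NOT visible here;
# redefine what you need. $user_ip and $user_id are set by authpf itself.
int_if = "em1"            # assumed, must match pf.conf

# Assumed policy: an authenticated user may browse and resolve names.
pass in quick on $int_if proto tcp from $user_ip to any port { 80, 443 } keep state
pass in quick on $int_if proto udp from $user_ip to any port 53 keep state


# Turning it on (commands, user name assumed):
#   touch /etc/authpf/authpf.conf   # must exist, even empty, or authpf exits
#   chsh -s /usr/sbin/authpf alice  # authpf becomes alice's login shell
#   pfctl -f /etc/pf.conf           # load the base ruleset with the anchors
# alice then runs "ssh alice@gateway" and keeps the session open; when it
# closes, authpf flushes her anchor and kills her states.
```

Note that authpf keys the rules it loads on $user_ip, the source address of the SSH session; it does not tie them to a MAC address. So the point made above about spoofing applies here as well: while alice's session is open, any host on the same segment that takes her IP address gets her access. What authpf adds over the ipfw-plus-LDAP scheme is that the opening is bound to a live, authenticated session rather than to a registration record, and it is torn down automatically when that session ends.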


More information about the freebsd-questions mailing list