
Re: Follow arp table for captive portal



Cisco switches have a feature where they can enforce the use of the DHCP-assigned IP (prevents IP spoofing).
http://en.wikipedia.org/wiki/DHCP_snooping

With this in place it becomes a matter of logging DHCP assignments, or fixing IP to MAC assignments.

Much less hassle for your users than having to log into a captive portal every time.
If they really wanted to, they could even spoof the IP and MAC of someone who has already authenticated earlier.



On 17 May 2013 01:28, Ryan Hiebert <ryan@ryanhiebert.com> wrote:
I'm trying to create a captive portal that doesn't deal with dns or
dhcp, just routing, but can give me accurate logs of who had what IP
address, and what mac address was associated at any one given time.

My captive portal is only for people that are included in my
organization, so it is for the purpose of identification rather than
policy enforcement or payment.

My plan was to:
1. Register mac addresses to users
2. Redirect users to the captive portal based on the MAC address.
3. Auto-log MAC addresses to IP addresses for back-tracking things
like DMCA notices, etc.

If you've got ideas for number 2, I'd be interested to hear them, but
I've not done my research on that yet, so I might yet be able to
figure that out by myself.

What I'm hoping for guidance on is #3. This is a router, and I'm not
trying to know about every private IP that happens on the network,
only stuff that gets routed. The thought that occurred to me was
following the ARP table updates. Nothing can be routed without getting
in the arp table (I think that's a valid assumption), so if I can be
notified of changes to the ARP table as they happen, with some
assurance that I won't miss something, then I can rely on that.

A google search suggested 2 options:

1. arpwatch or similar. Uses tcpdump to filter to arp packets. The
problem with this is that it will have a bunch of useless arp packets
that have nothing to do with routing, since it will see all arp
traffic.
2. rtnetlink. This looked like a good option, as it can look at the
arp table itself. I can query it, I can add to it, but AFAICT, I can't
register a connection and get notifications, I'd have to poll the
interface, which is defeating the purpose. If I wanted to poll, I'd
use and parse the arp command.

I also thought of a 3, but I'm not sure if it's reasonable or possible:
3. Get iptables or similar to log unknown mac/ip pairs that it sees.

If nobody has suggestions, or this isn't the right place to ask about
this, maybe you could point me to a better place, as I've not been
able to think of a better one.

Thanks for any help you can give,

Ryan Hiebert
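rtnetlink does deliver neighbour-table change notifications without polling: a NETLINK_ROUTE socket bound to the RTMGRP_NEIGH multicast group receives an RTM_NEWNEIGH / RTM_DELNEIGH message every time the kernel adds, updates or drops an ARP or NDP entry, which is exactly what `ip monitor neigh` from iproute2 does. The following is an added example, not code from this thread or from either poster; it decodes those messages into (IP, MAC) pairs and keeps a first-seen table, which is the raw material for the MAC-to-IP log asked about in item 3. The constants are taken from the kernel's `<linux/netlink.h>` and `<linux/rtnetlink.h>`; the sample messages built with `build_neigh_message` and the addresses in them are constructed for the demonstration.

```python
"""Subscribe to Linux neighbour-table (ARP/NDP) change events over rtnetlink and
log (ip, mac) pairs.  Added example; constants from <linux/netlink.h> and
<linux/rtnetlink.h>.  Listening to RTMGRP_NEIGH does not require root."""
import ipaddress
import socket
import struct

NETLINK_ROUTE = 0
RTMGRP_NEIGH = 0x4                       # multicast group: neighbour table changes
RTM_NEWNEIGH, RTM_DELNEIGH = 28, 29
NDA_DST, NDA_LLADDR = 1, 2               # attributes carrying IP and link-layer address
NUD_REACHABLE, NUD_STALE, NUD_FAILED, NUD_PERMANENT = 0x02, 0x04, 0x20, 0x80
AF_INET, AF_INET6 = 2, 10

NLMSGHDR = struct.Struct("=IHHII")       # nlmsg_len, type, flags, seq, pid (16 bytes)
NDMSG = struct.Struct("=BxxxiHBB")       # family, pad, ifindex, state, flags, type (12 bytes)
RTATTR = struct.Struct("=HH")            # rta_len, rta_type (4 bytes)


def _align4(n):
    return (n + 3) & ~3


def parse_neigh_messages(buf):
    """Decode every RTM_NEWNEIGH / RTM_DELNEIGH message in one recv() buffer."""
    events = []
    off = 0
    while off + NLMSGHDR.size <= len(buf):
        nlen, ntype, _flags, _seq, _pid = NLMSGHDR.unpack_from(buf, off)
        if nlen < NLMSGHDR.size or off + nlen > len(buf):
            break                        # truncated or corrupt; stop rather than misparse
        if ntype in (RTM_NEWNEIGH, RTM_DELNEIGH):
            body = buf[off + NLMSGHDR.size:off + nlen]
            family, ifindex, state, _nflags, _ntype = NDMSG.unpack_from(body, 0)
            ev = {"event": "new" if ntype == RTM_NEWNEIGH else "del",
                  "ifindex": ifindex, "state": state, "ip": None, "mac": None}
            aoff = _align4(NDMSG.size)   # attributes follow the aligned ndmsg
            while aoff + RTATTR.size <= len(body):
                rlen, rtype = RTATTR.unpack_from(body, aoff)
                if rlen < RTATTR.size or aoff + rlen > len(body):
                    break
                data = body[aoff + RTATTR.size:aoff + rlen]
                if rtype == NDA_DST and family in (AF_INET, AF_INET6):
                    ev["ip"] = str(ipaddress.ip_address(data))
                elif rtype == NDA_LLADDR and len(data) == 6:
                    ev["mac"] = ":".join(f"{b:02x}" for b in data)
                aoff += _align4(rlen)
            events.append(ev)
        off += _align4(nlen)
    return events


def build_neigh_message(event, ifindex, state, ip, mac):
    """Encode one neighbour message in the kernel's wire layout (used here to
    construct sample input for the parser)."""
    addr = ipaddress.ip_address(ip)
    family = AF_INET if addr.version == 4 else AF_INET6
    attrs = b""
    for rtype, data in ((NDA_DST, addr.packed),
                        (NDA_LLADDR, bytes.fromhex(mac.replace(":", "")))):
        rlen = RTATTR.size + len(data)
        attrs += RTATTR.pack(rlen, rtype) + data + b"\0" * (_align4(rlen) - rlen)
    body = NDMSG.pack(family, ifindex, state, 0, 0) + attrs
    msg_type = RTM_NEWNEIGH if event == "new" else RTM_DELNEIGH
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), msg_type, 0, 0, 0) + body


def record_pairs(events, seen):
    """Return the (ip, mac) pairs in `events` not already in `seen`, adding them.
    Entries without a MAC (incomplete probes) and failed entries are ignored."""
    new = []
    for ev in events:
        if ev["event"] == "new" and ev["ip"] and ev["mac"] and not ev["state"] & NUD_FAILED:
            key = (ev["ip"], ev["mac"])
            if key not in seen:
                seen[key] = ev["ifindex"]
                new.append(key)
    return new


def listen_neigh_events(callback):
    """Block forever, passing each decoded neighbour event to callback (Linux only)."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)
    sock.bind((0, RTMGRP_NEIGH))         # pid 0: kernel picks one; groups: neighbour changes
    while True:
        for ev in parse_neigh_messages(sock.recv(65536)):
            callback(ev)


if __name__ == "__main__":
    import datetime
    seen = {}

    def log(ev):
        for ip, mac in record_pairs([ev], seen):
            print(datetime.datetime.now().isoformat(), "ifindex", ev["ifindex"], ip, mac)

    listen_neigh_events(log)
```

Run on the router, this prints a timestamped line the first time each (IP, MAC) pair is resolved on any interface, which is the router-side record item 3 asks for; `ip monitor neigh` gives the same feed from the shell if you would rather parse text. Two caveats belong next to such a log: it only ever shows the router's own neighbour table, so a host that is never routed never appears (the property wanted here), and, as the reply above points out, it records whatever pair the link layer presented, so a station that copies both the IP and the MAC of an already authenticated user is logged as that user unless the switch enforces the binding (DHCP snooping with IP source guard).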


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CABpHFHTV3YVW++eKxveiAKLmTZMJtEBz9BKf=ROWaPFK1PX-Og@mail.gmail.com


