From: Peter Valian (valianp@southwestern.edu)
Date: Tue Apr 17 2001 - 00:17:08 CDT
Nick,
If you want strict IP-per-port, you need a hardware solution as Todd
suggests. I think an SNMP solution may be possible but very messy. You
would need to query your switch or hub pretty often to see if the MAC
address on the port changes. Most likely if the hub or switch keeps
track of this there would be an option to prevent Source Address Changes
(sometimes the vendor calls it "Port Security").
And yes, Steve is right...this is beyond what NetReg was designed for
(though I love how some have expanded on it!). NetReg was not designed
to handle user/hardware privileges...just to tie the username to a MAC.
Steve: if NetReg could talk to the router, what would they talk about?
If anyone out there has some *spare time* and would like to help me out,
take a look into OMAPI...it's a communication API to talk directly to
the DHCP server without having to restart it when you make a change to
the conf...I believe it writes commands to the leases file which the
server reads constantly....I don't know what happens when you restart
the server or you lose the leases file.
-peter
Steve Hideg wrote:
>
> Well, as Peter has said (to me, at least), netreg is not a security
> system. It depends on client machines cooperating by using DHCP.
>
> I don't know much about snmp, but I would imagine it also requires a
> degree of cooperation from the clients (Install some sort of agent on
> the client? I invite someone more knowledgeable to comment on this).
>
> The only thing you can do to enforce compliance is to block all
> non-registered IP addresses with your network router(s). You'd have
> to get netreg to programmatically communicate with the router(s) to
> enable addresses as they get registered. (I've been wanting to look
> into possible netreg-CISCO router communication, but I ran out of
> those "round-to-it" thingies :-/ ).
>
> That's as far as my thinking takes me.
>
> Steve
>
> At 10:48 PM -0500 4/16/01, Nick Ciesinski wrote:
> >We have it set up right now that some of our buildings have just enough IP's
> >to cover each port, but not any more than that. The problem is that some
> >students are bringing more than one PC to school with them (if not 3!). We
> >want to have it so a student can not have a 2nd PC in the room to help
> >reduce the possibility of exhausting the available IP's in a subnet. Does
> >anyone know a way that this can be done?? I know I can only let a user
> >register once, but what's to stop the user from walking down that hall and
> >asking someone without a computer for them to register the machine for them.
> >I am looking for a way that the user can not bypass the restriction. I was
> >thinking something with SNMP but couldn't think of anything that may work.
> >I figured I would ask you to see if anyone else has any ideas.
> >
> >Thanks,
> >
> >Nick Ciesinski
> >University Wisconsin Whitewater
> >Residence Life Computing
> >
> >**********************************************************************
> >To unsubscribe from this list, send an e-mail message to
> >majordomo@southwestern.edu containing a single line with the words:
> >unsubscribe netreg
> >Send requests for assistance to: owner-netreg@southwestern.edu
> >**********************************************************************
>
--
Peter Valian
Network & Systems Administrator
Southwestern University
Georgetown, Texas
512.863.1586 office
512.863.1605 fax
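The SNMP polling approach raised in this message (query the switch often and watch for the MAC on a port changing), sketched as an added example that is not part of the original thread or of NetReg: it parses two constructed `snmpwalk -On` dumps of the BRIDGE-MIB `dot1dTpFdbPort` table and reports access ports whose learned MAC changed or that show more than one MAC. The sample lines, port numbers, uplink port and function names are assumptions.

```python
import re
from collections import defaultdict

# BRIDGE-MIB dot1dTpFdbPort: index is the MAC as six decimal octets, value is the bridge port.
FDB_PORT_OID = ".1.3.6.1.2.1.17.4.3.1.2."
LINE_RE = re.compile(re.escape(FDB_PORT_OID) + r"((?:\d+\.){5}\d+) = INTEGER: (\d+)$")

def parse_fdb(walk_text):
    """Return {port: set of MACs} from `snmpwalk -On` output of dot1dTpFdbPort."""
    ports = defaultdict(set)
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip other OIDs, blank lines, error text
        octets = [int(o) for o in m.group(1).split(".")]
        mac = ":".join(f"{o:02x}" for o in octets)
        ports[int(m.group(2))].add(mac)
    return dict(ports)

def compare_polls(previous, current, uplinks=frozenset()):
    """List (port, reason, macs) findings; uplink ports legitimately carry many MACs."""
    findings = []
    for port in sorted(current):
        if port in uplinks:
            continue
        macs = current[port]
        if len(macs) > 1:
            findings.append((port, "multiple-macs", sorted(macs)))
        elif port in previous and not macs & previous[port]:
            findings.append((port, "mac-changed", sorted(macs)))
    return findings

# Constructed sample polls (hypothetical switch; port 24 assumed to be the uplink).
POLL_1 = """\
.1.3.6.1.2.1.17.4.3.1.2.0.16.75.18.52.86 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.80.4.171.205.1 = INTEGER: 4
.1.3.6.1.2.1.17.4.3.1.2.0.0.12.7.172.1 = INTEGER: 24
"""
POLL_2 = """\
.1.3.6.1.2.1.17.4.3.1.2.0.16.75.18.52.86 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.96.8.1.2.3 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.160.201.9.9.9 = INTEGER: 4
.1.3.6.1.2.1.17.4.3.1.2.0.0.12.7.172.1 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.1.2.3.4.5 = INTEGER: 24
"""

if __name__ == "__main__":
    for finding in compare_polls(parse_fdb(POLL_1), parse_fdb(POLL_2), uplinks={24}):
        print(finding)
```

Forwarding-table entries age out on the switch's own timer, so a port can briefly list both the old and the new MAC between polls, and a swap that happens entirely between two polls after the old entry expired shows up only as a change.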
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:35 CDT