[rbak-nsp] CLIPS and DHCP option82

Blake Willis blake at ibrowse.com
Thu Jul 16 12:51:15 EDT 2009


On 16 Jul 2009, at 18:00, redback-nsp-request at puck.nether.net wrote:

> I am using CLIPS with RADIUS authorization on SE100. Users are
> authorized by their MAC, switch MAC and switch port (from DHCP option 82).
> E.g. if the SE100 receives a request from a known MAC but from another
> switch/port, the user will be rejected.
> So if one user sets the MAC of his neighbor in his network driver, the
> user will be rejected.
> But there is one bug: if the SE100 receives a DHCP request from a mismatched
> switch/port when a CLIPS session for this MAC is already active, the SE100
> does not send an authorization request to RADIUS and the user will obtain IP
> settings from the active session.
> So if user "A" turns off his PC (CLIPS session still active), then
> user "B" sets the MAC of user "A" in his network driver, user "B" "joins" the
> CLIPS session of user "A" and will get traffic prepaid by user "A".

Good afternoon, Ilya,

We handle this by setting the port security and MAC learning timeout
on our switches to the same value as our CLIPS timeout, so that
what's happening in the layer 2 network corresponds to what's going
on in the SmartEdge. "Sticky" port security helps this, and we'll get
a mac-move trap if someone were to try to grab another user's MAC on
a different port during the timeout period. In general, MAC security
is a problem that has to be solved at layer 2...

Good luck.

  -Blake

---
  Blake Willis
  Network Architect
  iBrowse
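The check the thread says the SE100 skips while a session is active, as an added example that is not part of the thread or of any Redback/SmartEdge code: it parses the DHCP option 82 sub-options (circuit-id and remote-id per RFC 3046), compares them with the authorized switch/port binding for the client MAC, and flags a mismatch as a MAC move even when a session for that MAC is already active. Bindings, sessions and packets are constructed; that remote-id carries the switch MAC and circuit-id the port is an assumption about the deployment.

```python
# Added example: DHCP option 82 binding check with MAC-move detection.
# All bindings, session state and option payloads below are constructed.

SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode a relay-agent-information payload (used here to build test packets)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(payload: bytes) -> dict:
    """Split the option 82 payload into its sub-options; reject truncated data."""
    out, i = {}, 0
    while i + 2 <= len(payload):
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option 82 sub-option")
        if code == SUB_CIRCUIT_ID:
            out["circuit_id"] = value
        elif code == SUB_REMOTE_ID:
            out["remote_id"] = value
        i += 2 + length
    return out


# Constructed binding table: client MAC -> (switch MAC, switch port).
# Assumption: remote-id carries the switch MAC, circuit-id the port name.
AUTHORIZED = {
    "00:11:22:33:44:55": (bytes.fromhex("aabbccddeeff"), b"Gi0/1"),
}


def decide(client_mac: str, opt82: bytes, bindings=AUTHORIZED, active=None) -> str:
    """Return 'accept', 'reject' or 'mac-move' for a DHCP request.

    Unlike the behaviour described in the thread, an active session does not
    bypass the switch/port check: a mismatch on an active MAC is reported as a
    MAC move so the session can be torn down or re-authorized, not reused.
    """
    active = active or set()
    info = parse_option82(opt82)
    binding = bindings.get(client_mac)
    if binding is None or "remote_id" not in info or "circuit_id" not in info:
        return "reject"
    switch_mac, port = binding
    if info["remote_id"] == switch_mac and info["circuit_id"] == port:
        return "accept"
    return "mac-move" if client_mac in active else "reject"
```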

