[rbak-nsp] CLIPS and DHCP option82
Blake Willis
blake at ibrowse.com
Thu Jul 16 12:51:15 EDT 2009
On 16 Jul 2009, at 18:00, redback-nsp-request at puck.nether.net wrote:
> I am using CLIPS with RADIUS authorization on SE100. Users are
> authorized by their MAC, switch MAC and switch port (from DHCP option82).
> E.g. if the SE100 receives a request from a known MAC but from another
> switch/port, the user will be rejected.
> So if one user sets his neighbor's MAC in his network driver, the user
> will be rejected.
> But there is one bug: if the SE100 receives a DHCP request from a
> mismatched switch/port when a CLIPS session for this MAC is already
> active, the SE100 does not send an authorization request to RADIUS and
> the user will obtain IP settings from the active session.
> So if user "A" turns off his PC (CLIPS session still active), then
> user "B" sets the MAC of user "A" in his network driver - user "B"
> "joins" the CLIPS session of user "A" and will get traffic prepaid by
> user "A".
Good afternoon, Ilya,
We handle this by setting the port security and mac learning timeout
on our switches to the same value as our CLIPS timeout, so that
what's happening in the layer 2 network corresponds to what's going
on in the smartedge. "Sticky" port security helps this, and we'll get
a mac-move trap if someone were to try to grab another user's mac on
a different port during the timeout period. In general, mac security
is a problem that has to be solved at layer 2...
Good luck.
-Blake
---
Blake Willis
Network Architect
iBrowse
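As an added example, not code from this thread or from Redback's CLIPS implementation: a Python model of the authorization described in the question. It parses DHCP option 82 (circuit-id and remote-id sub-options) and binds each subscriber MAC to its switch/port. The `reauth_active` flag, the `Authorizer`/`Binding` names, the sample binding and the packet bytes are all constructed for illustration; with the flag off the model reproduces the reported behaviour (an active session skips the RADIUS check), with it on every request is re-checked and a mismatch is recorded as a mac-move alert.

```python
from dataclasses import dataclass
OPT82 = 82                          # DHCP Relay Agent Information option (RFC 3046)
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

def parse_option82(opts: bytes) -> dict:
    """Walk the DHCP options TLVs; return option 82 sub-options as {sub: bytes}."""
    i, subs = 0, {}
    while i < len(opts) and opts[i] != 255:   # 255 = end option
        code = opts[i]
        if code == 0:                         # pad: single byte, no length
            i += 1
            continue
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == OPT82:
            j = 0
            while j < len(value):
                sub, slen = value[j], value[j + 1]
                subs[sub] = value[j + 2:j + 2 + slen]
                j += 2 + slen
        i += 2 + length
    return subs

@dataclass(frozen=True)
class Binding:
    switch_mac: bytes                 # option 82 remote-id (constructed convention)
    port: bytes                       # option 82 circuit-id (constructed convention)

class Authorizer:
    """Per-subscriber-MAC binding check; reauth_active=False models the reported bug."""
    def __init__(self, radius_db, reauth_active=True):
        self.radius_db = radius_db    # {client_mac: Binding}, what RADIUS would answer
        self.reauth_active = reauth_active
        self.sessions, self.alerts = {}, []   # active CLIPS sessions, mac-move alerts
    def dhcp_request(self, client_mac: bytes, opts: bytes) -> str:
        subs = parse_option82(opts)
        seen = Binding(subs.get(SUB_REMOTE_ID, b""), subs.get(SUB_CIRCUIT_ID, b""))
        if client_mac in self.sessions and not self.reauth_active:
            return "joined-active-session"    # RADIUS never consulted: the bug
        if self.radius_db.get(client_mac) != seen:
            self.alerts.append(("mac-move", client_mac, seen))
            return "reject"
        self.sessions[client_mac] = seen
        return "accept"

def build_opts(switch_mac: bytes, port: bytes) -> bytes:
    """Constructed DHCP options field carrying only option 82 plus the end option."""
    sub = bytes([SUB_CIRCUIT_ID, len(port)]) + port
    sub += bytes([SUB_REMOTE_ID, len(switch_mac)]) + switch_mac
    return bytes([OPT82, len(sub)]) + sub + b"\xff"
```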