[Dnsmasq-discuss] Re: Using Machine Name to Allocate IP Address

richardvoigt at gmail.com richardvoigt at gmail.com
Mon Jun 4 07:14:16 BST 2007


On 6/3/07, Rajeshwar <rajeshwar at primesoftsolutionsinc.com> wrote:
>
> Hi,
>
> I installed a dnsmasq.conf file successfully, and the DHCP is working fine.
> My requirement is that I want to do MAC-based authentication.
>
> When I tried to give the MAC address = IP address, it's not taking it.
>
> Example:
>
> I have 10 computers and 5 laptops in my organization. If somebody brings
> a laptop and plugs in the network cable, he will get an IP where he can see
> all the data, which is wrong. The moment he plugs in the cable he should
> not get an IP, because the MAC address is not in the file.
>

Your whole approach is broken due to a fundamental misunderstanding of
a network.  First up, DHCP isn't required for network access, so
dnsmasq cannot enforce any sort of authentication to the network.
That's why there is no provision for authentication in dnsmasq, as far
as I can tell.  Any intruder could simply enter a static IP address
and bypass dnsmasq entirely.  The only place you can enforce access
restrictions is in a packet filter (firewall).

Secondly, the MAC address isn't usable for authentication because the
intruder can report any MAC address he pleases, and it would only be a
matter of seconds with a packet sniffer to find an approved address
used by an existing device.  I'm fairly certain there is already
software to do this automatically, because the MAC authentication idea
is implemented by a lot of wireless access points.

So, find another way to authenticate your users, and run the access
check somewhere that counts, like a device that the traffic has to go
through to reach your sensitive data (either a hardware firewall or
the server itself).  And then make sure the data is encrypted, because
otherwise someone can steal the data when some other user accesses it.
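
The reply's first point, that a statically configured host never talks to dnsmasq, can at least be made visible. The following is an added example, not part of the original message or of dnsmasq: it compares neighbour-table entries against dnsmasq lease lines and reports addresses in use without a matching lease. The sample lease and `ip neigh show` lines are constructed, and the function names are illustrative.

```python
# Constructed sample data (not from the original message).
# dnsmasq lease line: expiry-epoch mac ip hostname client-id
LEASES = """\
1180940000 00:16:3e:aa:00:01 192.168.1.50 desktop1 01:00:16:3e:aa:00:01
1180940100 00:16:3e:aa:00:02 192.168.1.51 laptop1 *
"""
# `ip neigh show` lines as seen on the gateway.
NEIGHBOURS = """\
192.168.1.50 dev eth0 lladdr 00:16:3e:aa:00:01 REACHABLE
192.168.1.51 dev eth0 lladdr 00:16:3e:aa:00:02 STALE
192.168.1.77 dev eth0 lladdr 00:16:3e:bb:00:09 REACHABLE
192.168.1.60 dev eth0 lladdr 00:16:3e:aa:00:01 REACHABLE
192.168.1.99 dev eth0  FAILED
"""


def parse_leases(text):
    """Return {ip: mac} for every well-formed lease line."""
    rows = (line.split() for line in text.splitlines())
    return {f[2]: f[1].lower() for f in rows if len(f) >= 3}


def parse_neighbours(text):
    """Return [(ip, mac)] for entries that carry a link-layer address."""
    seen = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields[:-1]:  # FAILED/INCOMPLETE entries have no MAC
            seen.append((fields[0], fields[fields.index("lladdr") + 1].lower()))
    return seen


def audit(leases_text, neigh_text):
    """Report neighbours whose (ip, mac) pair is not backed by a lease."""
    leases = parse_leases(leases_text)
    findings = []
    for ip, mac in parse_neighbours(neigh_text):
        if ip not in leases:
            # Address was never handed out by DHCP: static configuration.
            reason = "mac-has-lease-for-other-ip" if mac in leases.values() else "no-lease"
        elif leases[ip] != mac:
            reason = "mac-differs-from-lease"
        else:
            continue
        findings.append((ip, mac, reason))
    return findings


if __name__ == "__main__":
    print(*audit(LEASES, NEIGHBOURS), sep="\n")
```

This gives visibility only: a device presenting both an approved MAC and that device's leased IP matches the lease table, so enforcement still belongs in the packet filter, as the reply says.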


