From owner-freebsd-net Wed Sep 13 21:27:22 2000
Delivered-To: freebsd-net@freebsd.org
Received: from gluttony.henshaw.net (gluttony.henshaw.net [63.70.222.4]) by hub.freebsd.org (Postfix) with SMTP id D903237B42C for ; Wed, 13 Sep 2000 21:27:19 -0700 (PDT)
Received: (qmail 1857 invoked from network); 14 Sep 2000 04:27:16 -0000
Received: from dhcp-64-58-25-247.henshaw.net (HELO ben.henshaw.net) (64.58.25.247) by gluttony.henshaw.net with SMTP; 14 Sep 2000 04:27:16 -0000
Message-Id: <5.0.0.25.2.20000913221340.00a04950@pop.henshaw.net>
X-Sender: (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Wed, 13 Sep 2000 22:27:17 -0600
To: freebsd-net@freebsd.org
From: Ben Schumacher
Subject: netgraph based MAC authentication
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello-

I'm working on a project where I need to be able to authenticate people by their MAC address against a RADIUS server. While looking into the best way to develop this, I started toying around with netgraph and think it is the perfect framework for what I'm trying to do. Basically what I'm going to need to do (AFAIK) is divert the packets coming from one ethernet card (dc0) to my netgraph node, verify their MAC address, and then push their packet on its way. However, I'm still not entirely certain how to implement this.

The way I envision this, people will power on their machines which will be connected to my box via an interface (dc0 for right now), then they'll try to get an address via DHCP. When their DHCP packet comes, it'll contain their MAC address which will then be authenticated in my node. If the packets are authenticated, they are passed on as normal, and if authentication fails all further packets from their MAC address will be discarded.

So my node will hook into 'divert' on my ether card, and then do the authentication (or compare it to a table of already authenticated/failed MACs) and then pass or drop the packet. I guess the part that's stumping me most right now is where the node will pass the packets that are allowed. If anybody can give me any hints as to where I should go with this, it would be much appreciated.

I'm sorry if it seems like I repeated myself a couple times in this email (I feel like I did), but I just wanted to make sure that I was drawing a complete picture of what I'm trying to do.

Thanks in advance,

- Ben Schumacher
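The authenticate-once-then-cache decision the post sketches (query the server on the first frame from a MAC, then pass or drop later frames from a table of already authenticated or failed MACs), written out as an added user-space model in Python. This is illustration, not code from the post or from netgraph: `MacAuthNode`, `rcv_from_wire` and the `authenticate(mac)` callback that replaces the RADIUS round trip are assumptions, and the sample frames are constructed.

```python
from enum import Enum

class Verdict(Enum):
    PASS = "pass"   # hand the frame on toward the protocol stack
    DROP = "drop"   # discard it

class MacAuthNode:
    """Authenticate a source MAC once, cache the answer, then pass or drop every
    later frame from it; authenticate(mac) -> bool stands in for the RADIUS query."""

    def __init__(self, authenticate):
        self._authenticate = authenticate   # assumed callback, not a real RADIUS client
        self.allowed = set()   # MACs that authenticated successfully
        self.denied = set()    # MACs that failed: all further frames dropped

    @staticmethod
    def source_mac(frame: bytes) -> str:
        """Source address from a 14-byte Ethernet header (dst 0-5, src 6-11, type 12-13)."""
        if len(frame) < 14:
            raise ValueError("truncated Ethernet header")
        return ":".join(f"{b:02x}" for b in frame[6:12])

    def rcv_from_wire(self, frame: bytes) -> Verdict:
        """Frame arriving from the interface side (the post's 'divert' hook)."""
        mac = self.source_mac(frame)
        if mac in self.allowed:
            return Verdict.PASS
        if mac in self.denied:
            return Verdict.DROP
        if self._authenticate(mac):      # first sight of this MAC: ask once
            self.allowed.add(mac)
            return Verdict.PASS
        self.denied.add(mac)
        return Verdict.DROP

def build_frame(src: str, ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame: broadcast dst, given src, dummy payload."""
    src_b = bytes(int(x, 16) for x in src.split(":"))
    return b"\xff" * 6 + src_b + ethertype.to_bytes(2, "big") + b"\x00" * 46

def demo():
    """Two hosts, four frames: verdicts plus number of auth queries made."""
    queries = []
    def fake_radius(mac):                # assumed stand-in for the RADIUS server
        queries.append(mac)
        return mac.startswith("00:50:")  # constructed policy: 00:50:* is allowed
    node = MacAuthNode(fake_radius)
    good, bad = build_frame("00:50:ba:ad:f0:0d"), build_frame("de:ad:be:ef:00:01")
    verdicts = [node.rcv_from_wire(f).value for f in (good, bad, good, bad)]
    return verdicts, len(queries)   # (['pass', 'drop', 'pass', 'drop'], 2)
```

The verdict keys only on the source address in the Ethernet header, which is whatever the sending host put there, so a cached permit is bound to the address rather than to the machine; the authenticator is asked once per address and every later frame is answered from the table.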