From: Norberto Meijome
To: Mark Jayson Alvarez
Cc: freebsd-questions@freebsd.org
Date: Tue, 4 Apr 2006 23:52:22 +1000
Subject: Re: ipfw plus authentication???

On Mon, 3 Apr 2006 00:34:49 -0700 (PDT) Mark Jayson Alvarez wrote:

> I am looking for ways to manage our LAN by having each user register
> their ipaddress, mac address, workstation os, etc. in our ldap
> directory.
> Now in our pcrouter, the users will first send his login
> credentials to the pcrouter, and then the pcrouter will check against
> ldap if this login is correct, and if it is, then it will now do an
> ldapsearch/compare operation to see if the source address (ip/mac) of
> the user trying to gain network access indeed belongs to that
> user. Only then, the ipfw ruleset will be changed to allow traffic
> originating from this source address...

Something like a captured portal for wireless? (is that what they were called? :D )

I like the idea though. btw, why will you be trying to lock down by ip/mac... you need to make sure the users can't change this at their end... Why do the users set their own IP? dhcp....

I remember reading somewhere about authentication at the DHCP level... from memory, with managed switches and disabling the port via snmp (for a period) if there was something askew.

B
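As an added example (not code from this thread or from either poster), here is the ldapsearch/compare step and the ipfw rule change described in the quoted question, in Python. The directory attribute names (ipHostNumber, macAddress), the sample `arp -an` lines and the interface name em0 are constructed/assumed; the directory lookup is a dict standing in for the LDAP query so it runs offline.

```python
import re
import subprocess

# Constructed sample of what an ldapsearch for one registered user returns;
# the attribute names are an assumed schema, not anything from the thread.
DIRECTORY = {
    "jalvarez": {"ipHostNumber": ["192.168.1.23"], "macAddress": ["00:11:22:33:44:55"]},
}

# Constructed sample of `arp -an` output in the format FreeBSD prints.
ARP_OUTPUT = """? (192.168.1.23) at 00:11:22:33:44:55 on em0 expires in 1192 seconds [ethernet]
? (192.168.1.24) at 00:aa:bb:cc:dd:ee on em0 expires in 600 seconds [ethernet]
"""
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]+) on (?P<ifc>\S+)", re.I)

def normalize_mac(mac):
    """Canonical lower-case, zero-padded, colon-separated form so comparisons are exact."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(p.zfill(2) for p in parts)

def parse_arp(text):
    """Map ip -> (mac, interface) from `arp -an` output (incomplete entries are skipped)."""
    return {m.group("ip"): (normalize_mac(m.group("mac")), m.group("ifc"))
            for m in ARP_RE.finditer(text)}

def source_is_registered(user, src_ip, src_mac, directory=DIRECTORY, arp_text=ARP_OUTPUT):
    """The ldapsearch/compare step: the (ip, mac) the login came from must be the pair
    registered to this user AND be what the router's ARP cache currently holds for that
    IP, so a pair that does not agree with what the router sees is refused."""
    entry = directory.get(user)
    if entry is None:
        return False
    mac = normalize_mac(src_mac)
    if src_ip not in entry["ipHostNumber"] or mac not in map(normalize_mac, entry["macAddress"]):
        return False
    seen = parse_arp(arp_text).get(src_ip)
    return seen is not None and seen[0] == mac

def ipfw_allow_cmd(rule_no, src_ip, src_mac, iface="em0"):
    """Rule admitting traffic only when both the IP and the Ethernet source match.
    MAC matching is only evaluated with net.link.ether.ipfw=1 set (see ipfw(8))."""
    return ["ipfw", "add", str(rule_no), "allow", "ip", "from", src_ip, "to", "any",
            "MAC", "any", normalize_mac(src_mac), "in", "via", iface]

def admit(user, src_ip, src_mac, rule_no=1000, run=False):
    """After a successful login: return (and optionally run) the ipfw command, or None."""
    if not source_is_registered(user, src_ip, src_mac):
        return None
    cmd = ipfw_allow_cmd(rule_no, src_ip, src_mac)
    if run:
        subprocess.run(cmd, check=True)  # only on the router, as root
    return cmd
```

Call `admit(user, ip, mac, run=True)` from whatever handles the login on the pcrouter; the matching rule should be deleted again on logout or after a timeout, which this snippet leaves to the caller.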