  1. #1
    Just Joined!
    Join Date
    Feb 2009
    Posts
    1

    DHCP HELP "unknown-clients"


    Hi,

    I have a DHCP server running under Ubuntu with a large number of clients (2000+). I would like to limit users to my network based on their MAC addresses. I know that I can set up an entry in the dhcpd.conf to assign a specific IP for a specific host, but I feel that would become too large and difficult to manage. I am aware of the "deny unknown-clients" entry, but I do not understand how I define my known clients. What I am hoping to do is create a text file that contains all of my allowed MAC addresses and have the DHCP server look to this file to assign an IP.

    Does anyone know if this is possible and if so how to do it?

    Thanks in advance

    Joe Luscre
    Network Manager
    Kent City School District

  2. #2
    Just Joined! AdmiralBeotch's Avatar
    Join Date
    Feb 2009
    Location
    Las Vegas, NV
    Posts
    17
    Just curious... is this an attempt to keep unauthorized users/devices off your network?

    If so, my personal opinion is that you're going to be spending a lot of time managing these MACs and get no additional protection against an even slightly persistent student/hacker. Once they can determine the IP info from a legitimate machine, or sniff it, it's over and you'll be sleeping well at night with a false sense of security.

    If you wanted to get a little more protection, you could create a separate broadcast domain (VLAN) for DHCP clients with an iptables firewall doing MAC filtering and routing. That will prevent someone from simply guessing an IP and accessing the rest of the network. They could still, however, guess a valid MAC and bypass the firewall, but hopefully that would cause some networking issues with an authorized client and you would be inclined to investigate it.

  3. #3
    Linux Engineer Freston's Avatar
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,049
    Welcome to the forums!

    I think what you are looking for is /etc/ethers... it's pretty straightforward
    Code:
    man ethers
    You do need to set your dhcp.conf to read this file. In dnsmasq that is done in this section:
    Code:
    # If this line is uncommented, dnsmasq will read /etc/ethers and act
    # on the ethernet-address/IP pairs found there just as if they had
    # been given as --dhcp-host options. Useful if you keep
    # MAC-address/host mappings there for other purposes.
    #read-ethers
    I'm sure dhcpcd will have something similar.

    AdmiralBeotch's advice stands though, there are very good reasons to use a config like this but security isn't one.
    Can't tell an OS by its GUI
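
An added example, not part of any post in this thread: one way to drive "deny unknown-clients" from a plain text file of MAC addresses, assuming ISC dhcpd, where a client counts as known once a host declaration matches its hardware address. The sample list is constructed and the `allowed-…` host names are hypothetical labels.

```python
import re

# Constructed sample allow-list (not from the thread): one MAC per line,
# mixed notations, optional trailing comment.
SAMPLE = """\
# lab 101
00:1A:2B:3C:4D:5E   # teacher laptop
00-1a-2b-3c-4d-5f
001a.2b3c.4d60
00:1a:2b:3c:4d:5e   # duplicate of the first entry
00:1a:2b:3c:4d      # too short
01:00:5e:00:00:01   # multicast, never a real client address
"""

def normalize_mac(text):
    """Return aa:bb:cc:dd:ee:ff for a unicast MAC, or None if invalid."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if int(digits[:2], 16) & 1:  # group bit set: multicast/broadcast
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_hosts(allowlist_text):
    """Return (dhcpd_text, rejected) where rejected is [(line_no, reason)]."""
    seen, stanzas, rejected = set(), [], []
    for no, line in enumerate(allowlist_text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None:
            rejected.append((no, "invalid"))
        elif mac in seen:
            rejected.append((no, "duplicate"))
        else:
            seen.add(mac)
            # Hypothetical host label derived from the MAC; dhcpd only
            # needs each host name to be unique.
            name = "allowed-" + mac.replace(":", "")
            stanzas.append("host %s { hardware ethernet %s; }" % (name, mac))
    return "\n".join(stanzas) + "\n", rejected

if __name__ == "__main__":
    conf, bad = build_hosts(SAMPLE)
    print(conf, end="")
    for no, reason in bad:
        print("# skipped line %d: %s" % (no, reason))
```

Write the generated text to a file of your choosing and pull it into dhcpd.conf with an `include` statement, so the allow-list stays out of the main configuration.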
