Author Topic: is there a way to validate user password and MAC address  (Read 2257 times)

redshadow17

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
is there a way to validate user password and MAC address
« on: October 12, 2012, 12:53:56 am »
is there any way to validate user password and MAC address when a pc client authenticate to my zential domain??

let s say i have 2 pcs in my network, the PC 1 is for john and the PC 2 is for peter

Both have their respective credentials to access to the zentyal domain. but john may not use peter' s computer and peter may not use joh's computer. Im sure this done with the MAC address, but i have not idea how to do it

please help me
« Last Edit: October 12, 2012, 12:58:56 am by redshadow17 »

christian

  • Guest
Re: is there a way to validate user password and MAC address
« Reply #1 on: October 12, 2012, 05:40:18 am »
I'm afraid you can't for the time being.
What you describe can be solved implementing RFC 3118 (sorry for the confusion with "request for change currently discussed  ;))
BTW, this is potentially an interesting point to be added to "new feature request".

I never used this mechanism and can't help you that much.
What you could do is to use authenticated DHCP from external device (some Cisco boxes provide it if I'm not wrong. Have a look here).

This RFC is quite new and implementations, for what I understand but my last search was long time ago, vary.
Furthermore, I don't understand yet how authentication can make the link between valid credential for given user and associated MAC address. Perhaps Google can help but at the end, this would require to maintain this association somewhere, why not in LDAP.
Well tracks for investigation, not solutions, I know  :P :P

christian

  • Guest
Re: is there a way to validate user password and MAC address
« Reply #2 on: October 12, 2012, 05:55:00 am »
As your question is a very interesting one  ;) I made some additional searches.
- Very interesting papers here and also here for those wiling to look closer.
- I also attach here presentation focusing on DHCP + Kerb auth. (for IETF)

However I can't find anything bringing this link between MAC address and user account  :-\

ichat

  • Zen Hero
  • *****
  • Posts: 795
  • Karma: +28/-16
  • RTFM!
    • View Profile
Re: is there a way to validate user password and MAC address
« Reply #3 on: October 12, 2012, 06:15:29 pm »
to me this sounds really upside-down, 

while most projects are increasing the efforts of bringing more flexible solutions to thair network you are actually trying to get less.

i think that christian has already shared a few options, 
> how it could be done,
but it hasn't been discussed
> why it should be done

it think that, for a while now,  its mostly common practise to look at the information,  in the desktop and not so mutch to looking at the machine its running on.  especially with for example  VDI or Terminal services (ltsp in our case),  it should not matter so mutch on witch physical device a desktop is running,  and user data is already stored seperately from other user data.

is there a technical or legal reason why you want to distinguish between  these 2 pc's...?
All tips hints and advices are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk,
I claim absolutely NO responsibility in any way!

christian

  • Guest
Re: is there a way to validate user password and MAC address
« Reply #4 on: October 12, 2012, 06:33:11 pm »
Indeed I can see any strong reason to build and verify this pairing "user + MAC' at infrastructure level. This needs to be discussed further before designing solution.
It does make sense obviously to enforce security client side to ensure only authorized user(s) is(are) accessing devices (s)he is allowed to use.

However this question raises a more general one, not yet really addressed and also highlighted by your last comment about the fact that devices are more and more mobile.
In some areas, it make sense to not provide with valid IP address any device that will request DHCP server. This is what RFC3118 targets. Are you, Zentyal users, facing this kind of requirement? (rephrasing it, would it be mandatory, nice or useless to ask for authentication before allocating IP in valid subnet ?)