Cisco switches have a feature where they can enforce the use of the DHCP-assigned IP (prevents IP spoofing): http://en.wikipedia.org/wiki/DHCP_snooping

With this in place it becomes a matter of logging DHCP assignments, or fixing IP-to-MAC assignments. Much less hassle for your users than having to log into a captive portal every time. If they really wanted to, they could even spoof the IP and MAC of someone who has already authenticated earlier.

On 17 May 2013 01:28, Ryan Hiebert <r...@ryanhiebert.com> wrote:
> I'm trying to create a captive portal that doesn't deal with dns or
> dhcp, just routing, but can give me accurate logs of who had what IP
> address, and what mac address was associated at any one given time.
>
> My captive portal is only for people that are included in my
> organization, so it is for the purpose of identification rather than
> policy enforcement or payment.
>
> My plan was to:
> 1. Register mac addresses to users
> 2. Redirect users to the captive portal based on the MAC address.
> 3. Auto-log MAC addresses to IP addresses for back-tracking things
> like DMCA notices, etc.
>
> If you've got ideas for number 2, I'd be interested to hear them, but
> I've not done my research on that yet, so I might yet be able to
> figure that out by myself.
>
> What I'm hoping for guidance on is #3. This is a router, and I'm not
> trying to know about every private IP that happens on the network,
> only stuff that gets routed. The thought that occurred to me was
> following the ARP table updates. Nothing can be routed without getting
> in the arp table (I think that's a valid assumption), so if I can be
> notified of changes to the ARP table as they happen, with some
> assurance that I won't miss something, then I can rely on that.
>
> A Google search suggested 2 options:
>
> 1. arpwatch or similar. Uses tcpdump to filter to arp packets. The
> problem with this is that it will have a bunch of useless arp packets
> that have nothing to do with routing, since it will see all arp
> traffic.
> 2. rtnetlink. This looked like a good option, as it can look at the
> arp table itself. I can query it, I can add to it, but AFAICT, I can't
> register a connection and get notifications, I'd have to poll the
> interface, which is defeating the purpose. If I wanted to poll, I'd
> use and parse the arp command.
>
> I also thought of a 3, but I'm not sure if it's reasonable or possible:
> 3. Get iptables or similar to log unknown mac/ip pairs that it sees.
>
> If nobody has suggestions, or this isn't the right place to ask about
> this, maybe you could point me to a better place, as I've not been
> able to think of a better one.
>
> Thanks for any help you can give,
>
> Ryan Hiebert
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> http://lists.debian.org/CABpHFHTV3YVW++eKxveiAKLmTZMJtEBz9BKf=rowapfk1px...@mail.gmail.com
>
>
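Ryan's option 2 (rtnetlink) does not actually require polling: the kernel multicasts every neighbour-table change to sockets subscribed to RTMGRP_NEIGH, which gives exactly the "notified as it happens" IP-to-MAC log he is after. The script below is an added example written for this page, not code from the thread or from Debian; the constants are the Linux kernel's own (linux/netlink.h, linux/rtnetlink.h), `watch()` only works on Linux, and `build_neigh_msg` constructs a sample RTM_NEWNEIGH message so the decoder can be exercised offline.

```python
import socket
import struct

NETLINK_ROUTE = 0             # netlink protocol; constants below are from the Linux headers
RTMGRP_NEIGH = 0x4            # multicast group for neighbour (ARP) table changes
RTM_NEWNEIGH, RTM_DELNEIGH = 28, 29
NDA_DST, NDA_LLADDR = 1, 2    # attribute types: IP address, link-layer (MAC) address
NUD_REACHABLE, NUD_PERMANENT = 0x02, 0x80
AF_INET = 2
NLMSG_HDR = "=IHHII"          # nlmsg_len, type, flags, seq, pid (16 bytes)
NDMSG = "=BxxxiHBB"           # family, pad, ifindex, state, flags, type (12 bytes)
def parse_neigh(msg):
    """Decode one RTM_NEWNEIGH/RTM_DELNEIGH message; None if not IPv4 or no MAC present."""
    nlmsg_len, nlmsg_type = struct.unpack_from(NLMSG_HDR, msg, 0)[:2]
    if nlmsg_type not in (RTM_NEWNEIGH, RTM_DELNEIGH):
        return None
    family, ifindex, state, _, _ = struct.unpack_from(NDMSG, msg, 16)
    attrs, off = {}, 16 + 12
    while off + 4 <= nlmsg_len:   # walk the rtattr list; each entry is 4-byte aligned
        rta_len, rta_type = struct.unpack_from("=HH", msg, off)
        if rta_len < 4:
            break
        attrs[rta_type] = msg[off + 4:off + rta_len]
        off += (rta_len + 3) & ~3
    if family != AF_INET or NDA_DST not in attrs or NDA_LLADDR not in attrs:
        return None               # INCOMPLETE/FAILED entries carry no lladdr: nothing to log
    return {"event": "new" if nlmsg_type == RTM_NEWNEIGH else "del", "ifindex": ifindex,
            "ip": socket.inet_ntoa(attrs[NDA_DST]),
            "mac": ":".join(f"{b:02x}" for b in attrs[NDA_LLADDR]),
            "confirmed": bool(state & (NUD_REACHABLE | NUD_PERMANENT))}
def build_neigh_msg(ip, mac, ifindex=2, state=NUD_REACHABLE, msg_type=RTM_NEWNEIGH):
    """Construct a message laid out as the kernel sends it (sample input for offline testing)."""
    def rta(rtype, payload):
        rec = struct.pack("=HH", 4 + len(payload), rtype) + payload
        return rec + b"\0" * (-len(rec) % 4)
    body = struct.pack(NDMSG, AF_INET, ifindex, state, 0, 0)
    body += rta(NDA_DST, socket.inet_aton(ip)) + rta(NDA_LLADDR, bytes.fromhex(mac.replace(":", "")))
    return struct.pack(NLMSG_HDR, 16 + len(body), msg_type, 0, 0, 0) + body
def watch():
    """Yield neighbour-table events as they happen (Linux only); no polling of `arp` needed."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)
    s.bind((0, RTMGRP_NEIGH))     # pid 0: kernel assigns; group mask selects neighbour events
    while True:
        data, off = s.recv(65536), 0
        while off + 16 <= len(data):   # one datagram may carry several messages
            length = max(struct.unpack_from("=I", data, off)[0], 16)
            if rec := parse_neigh(data[off:off + length]):
                yield rec
            off += (length + 3) & ~3
```

Run `for rec in watch(): print(rec)` on the router and write each record with a timestamp; entries with `confirmed` false are stale or pending and can be kept but should not be treated as proof that the MAC was on that IP at that moment.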