>> Can you elaborate on this?

Sure, NP!

The only check the gaming registration portal does is to make sure the MAC it is given has the correct OUI; if it does, the portal registers the device under the user ID of the person who fills out the form.

Let's say that Bob has an Xbox. He uses the portal page to register his Xbox and is now happily playing CoD:MW instead of chatting up the ladies on campus. Bob's nemesis, Gary, decides that he wants to mess with Bob. So, Gary finds Bob's Xbox MAC and goes to the portal page and fills out the form using Bob's MAC. According to my system Bob's Xbox now belongs to Gary.

But this is where I get a bit confused, because while they are swapping names in my records, nothing else is happening. They are staying on the gaming VLAN. I don't see any real danger other than 2 idiots getting into some kind of registration war.

However, for me there is another problem. We are considering removing the OUI check from the portal and using it as a general registration page for devices that do not have a traditional browser. Devices like smart TVs, Blu-ray players, etc.

With this, our intrepid user Gary could, if he was crafty enough, find MY MAC. Now, as you can see, I am The Godfather of Bandwidth. My stations have unfettered access to the network (what can I say, sometimes it's good to be me ... sometimes). Gary, in what he considers to be a stroke of genius, decides to re-register my MAC using the portal. Now my laptop is on the gaming VLAN and my access is severely hampered. In the intervening 3 1/2 minutes it takes me to figure out the issue and fix it (and blacklist Gary), Gary could have done the same to a dozen more people, since I have been forbidden from setting a limit on the number of devices a person can have registered.

Anyway, there is my concern. Ideally, a simple check to make sure the device is not already registered could solve all of this. And frustrate Garys everywhere.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

-----Original Message-----
From: Jason Frisvold [mailto:[email protected]]
Sent: Wednesday, August 14, 2013 2:34 PM
To: [email protected]
Subject: Re: [PacketFence-users] Potential Concern in Gaming Registration Portal

Sallee, Stephen (Jake) wrote:
> Hello!
>
> The gaming portal does not do any checking to see if the device you
> give it is in a state that need to be registered.
>
> The net effect of this is that a user can effectively hijack another
> user's device.

Can you elaborate on this? I'm not sure what you mean by "in a state that needs registered" .. Do you mean that someone can effectively hijack a MAC address and re-register it as something else?

> Although ... I'm not sure what a user could gain from doing this ... but
> anyway , there it is.
>
> Jake Sallee

--
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
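
The check proposed in the message above, sketched as an added example (not part of the original thread and not PacketFence code): a registration routine that refuses to reassign a MAC already registered to another user, normalizing the address first so a different notation cannot slip past the lookup. The registry dict, function names, user IDs, OUI and MAC values are all assumptions constructed for illustration.

```python
import re

# Constructed sample data: this OUI is a placeholder, not a real vendor prefix.
GAMING_OUIS = {"02005e"}


class RegistrationError(Exception):
    pass


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise RegistrationError("malformed MAC: %r" % mac)
    return digits


def register(registry, mac, user, allowed_ouis=None):
    """Register mac to user unless another user already owns it.

    registry maps normalized MAC -> owning user ID (hypothetical stand-in
    for the portal's device records). allowed_ouis=None models the portal
    with the OUI check removed.
    """
    key = normalize_mac(mac)
    if allowed_ouis is not None and key[:6] not in allowed_ouis:
        raise RegistrationError("OUI not allowed for this portal")
    owner = registry.get(key)
    if owner is not None and owner != user:
        # The missing check: never reassign an already registered device.
        # The message deliberately does not reveal who the owner is.
        raise RegistrationError("device already registered")
    registry[key] = user
    return key


def demo():
    registry = {"0a0000000001": "admin"}  # constructed: admin laptop, registered
    register(registry, "02:00:5E:AA:BB:CC", "bob", GAMING_OUIS)  # Bob's console
    attempts = [("02-00-5e-aa-bb-cc", GAMING_OUIS),  # Bob's MAC, other notation
                ("0A00.0000.0001", None)]            # admin MAC, no OUI check
    rejected = 0
    for mac, ouis in attempts:
        try:
            register(registry, mac, "gary", ouis)
        except RegistrationError:
            rejected += 1
    return registry, rejected
```

Both of Gary's attempts are rejected and the registry keeps its original owners; re-submitting a device you already own remains a no-op.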
