
I would like to know what is a good way to identify users at a large LAN party when you manage the network?

I had the idea to make the users register themselves at a desk: they give us their first name, last name and MAC address, then we give them an IP linked to this MAC address (permanent lease on the DHCP server). But how could I prevent them from changing the IP while disabling DHCP mode?

Is there a way to force them to use the DHCP-assigned IP? Is 802.1x a good solution for this? Maybe too heavy and complicated to set up (I have never used it, but I think there is something to do on the computer to connect to the network).

The idea would be to be able to identify the user by their IP address in the firewall log, to identify hacking attempts or any suspicious activity.

What are your experiences with this? What do you recommend?

Kedare
  • Why do you want to identify the users? They could simply provide you a fake name. The simplest way to do what you want would be to do what you planned on doing. I don't understand your concern about disabling DHCP mode. If you disable it on the router, and instead assign IP addresses by hand, anyone without access to the router cannot change its settings. Just be sure to disable WPS. – Ramhound Feb 15 '12 at 14:27
  • FYI, 802.3x is flow control, you mean 802.1x http://en.wikipedia.org/wiki/Ethernet_flow_control http://en.wikipedia.org/wiki/IEEE_802.1X – devnul3 Feb 15 '12 at 18:25
  • @Ramhound: We could request an ID card at registration. The problem is that if I set the IP by hand, nothing prevents the user from changing it. An idea I had would be to do an access list that checks both the IP and the MAC address on the firewall, and if the IP address is not used with the right MAC address, block the traffic. – Kedare Feb 16 '12 at 07:25
  • It sounds like what you want is Cisco DHCP snooping and dynamic ARP inspection http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html – devnul3 Feb 16 '12 at 15:26

1 Answer

Why match IP to username? Why not simply match MAC address to their ID? Then it doesn't matter what the IP address is.

The only issue is whether they will/can spoof their MAC address, although, if you are in a wired environment, you can set MAC filters on the switches since you know the MAC addresses, and alerts on MAC table flooding.

All this is assuming they are all on the same network for this party and not going through routers.

schroeder
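
The checks discussed in this thread (match each MAC to a registered attendee, verify that the IP in use is the one reserved for that MAC, alert when many MACs appear behind one switch port), as an added example that is not part of the original posts. The registration records, observation tuples, port names and the per-port threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed registration desk records: MAC -> (attendee, reserved DHCP IP).
REGISTRATIONS = {
    "00:11:22:33:44:01": ("Alice Example", "10.0.0.11"),
    "00:11:22:33:44:02": ("Bob Example", "10.0.0.12"),
}

# Constructed observations (switch_port, source MAC, source IP), e.g. from switch MAC tables and ARP logs.
OBSERVATIONS = [
    ("Gi0/1", "00:11:22:33:44:01", "10.0.0.11"),   # matches registration
    ("Gi0/2", "00-11-22-33-44-02", "10.0.0.50"),   # registered MAC, self-assigned IP
    ("Gi0/3", "00:11:22:33:44:99", "10.0.0.13"),   # MAC never registered
    ("Gi0/4", "02:00:00:00:00:01", "10.0.0.14"),
    ("Gi0/4", "02:00:00:00:00:02", "10.0.0.15"),
    ("Gi0/4", "02:00:00:00:00:03", "10.0.0.16"),   # many MACs on one access port
]

MAX_MACS_PER_PORT = 2  # assumed threshold: one PC per access port, with some slack


def normalize(mac):
    """Lower-case and use ':' separators so '00-11-..' and '0011.2233.4401' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(observations, registrations, max_macs=MAX_MACS_PER_PORT):
    """Return a sorted list of (kind, port, mac, detail) findings."""
    regs = {normalize(m): v for m, v in registrations.items()}
    findings, macs_on_port = set(), defaultdict(set)
    for port, mac, ip in observations:
        mac = normalize(mac)
        macs_on_port[port].add(mac)
        if mac not in regs:
            findings.add(("unregistered-mac", port, mac, ip))
        elif regs[mac][1] != ip:
            owner, reserved = regs[mac]
            findings.add(("ip-mismatch", port, mac, f"{owner}: {ip} instead of {reserved}"))
    for port, macs in macs_on_port.items():
        if len(macs) > max_macs:
            findings.add(("mac-flood", port, "*", f"{len(macs)} MACs seen"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(OBSERVATIONS, REGISTRATIONS):
        print(*finding, sep=" | ")
```

A check like this only reports after the fact; blocking mismatched traffic on the wire is what the switch features mentioned in the comments (DHCP snooping, dynamic ARP inspection) are for.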