I have configured a DHCP server on Ubuntu and a fixed IP address for a specific MAC, like this:

host client1 {
  hardware ethernet E0:69:95:73:2C:66;
  fixed-address 192.168.0.10;
}

If anyone changes his/her MAC to E0:69:95:73:2C:66, they get the 192.168.0.10 IP, and now two PCs use the Internet simultaneously on the same IP. How can I protect against this unauthorized access?

womble
Jerry

3 Answers

4

If your switches support it, you can use LAN authentication with 802.1X.

Sven
  • Thanks SvenW. I use a simple switch; are there no alternative ways? – Jerry Mar 21 '12 at 11:40
  • You could set up a captive portal or a proxy requiring authentication before allowing internet (http) access. This won't restrict the IP assignment though, only limit the use the "attacker" has from his stolen IP address. – Sven Mar 21 '12 at 11:43
  • @SvenW: A captive portal won't help if the attacker takes the same MAC address and IP, as the traffic will already have been authorised by the legitimate user. You'd need a fully-authenticating proxy, which rules out any sort of transparent option, and since the attacker is on the LAN, it would need to be fully encrypted. At some point, you just say "stuff it" and either buy a decent switch, or mandate a VPN for everything. – womble Mar 21 '12 at 11:52
1

You need a switch that either has 802.1X, as was mentioned, or lets you assign a certain MAC to a port. You can also use a VPN to minimize the consequences of spoofing: both users will lose connectivity, though the illegitimate user won't be able to access the resources; traffic won't be authenticated automatically.

hidden_4003
-1

It's not possible. They may both be using the same MAC address (by way of MAC spoofing), but they're not going to have simultaneous Internet connectivity. First off, there would be an IP address conflict. Second, the switch wouldn't forward traffic properly, as the MAC address would be registered on multiple ports. Third, even if the switch did work properly, traffic flow would be sketchy at best, as both computers would answer ARP requests for the MAC address in question.

joeqwerty
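As an added illustration (not code from the question or any of the answers), the following Python toy models why the DHCP `host` entry alone cannot stop a cloned MAC, and what the switch-side controls mentioned in the answers add: binding the MAC to a port, and flagging the same MAC learned on several ports. The port names, the port-binding table and the second frame source are constructed sample data.

```python
"""Toy model of the switch-side mitigation discussed in the answers.
A DHCP fixed-address entry binds an IP to a MAC only; the switch is where
a MAC can be bound to a physical port (port security), so a cloned MAC on
another port is dropped.  mac_flaps() flags the 'MAC registered on multiple
ports' symptom described in the last answer.  All data here is constructed."""
from collections import defaultdict

# The dhcpd.conf host entry from the question, as data: MAC -> fixed IP.
FIXED_ADDRESSES = {"e0:69:95:73:2c:66": "192.168.0.10"}

# Hypothetical port-security table: MAC -> the only port it may appear on.
PORT_BINDINGS = {"e0:69:95:73:2c:66": "Gi0/1"}

def dhcp_offer(mac):
    """The DHCP server's view: it knows nothing about ports, so any client
    presenting the MAC receives the fixed address (returns None otherwise)."""
    return FIXED_ADDRESSES.get(mac.lower())

def port_security_filter(frames):
    """Drop frames whose source MAC is bound to a different port.
    frames: iterable of (ingress_port, src_mac).  Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for port, mac in frames:
        bound = PORT_BINDINGS.get(mac.lower())
        if bound is not None and bound != port:
            dropped.append((port, mac))
        else:
            forwarded.append((port, mac))
    return forwarded, dropped

def mac_flaps(frames):
    """Without port security, one MAC learned on several ports is the
    tell-tale sign of a second host using a cloned MAC.
    Returns {mac: sorted ports} for every MAC seen on more than one port."""
    seen = defaultdict(set)
    for port, mac in frames:
        seen[mac.lower()].add(port)
    return {m: sorted(p) for m, p in seen.items() if len(p) > 1}

# Constructed sample: client1 on Gi0/1, a clone of its MAC on Gi0/7, a bystander.
SAMPLE_FRAMES = [
    ("Gi0/1", "e0:69:95:73:2c:66"),
    ("Gi0/7", "e0:69:95:73:2c:66"),   # same MAC, different port
    ("Gi0/3", "00:11:22:33:44:55"),
    ("Gi0/1", "e0:69:95:73:2c:66"),
]

if __name__ == "__main__":
    print(dhcp_offer("E0:69:95:73:2C:66"))   # both hosts would be offered 192.168.0.10
    print(mac_flaps(SAMPLE_FRAMES))          # {'e0:69:95:73:2c:66': ['Gi0/1', 'Gi0/7']}
    fwd, drop = port_security_filter(SAMPLE_FRAMES)
    print(len(fwd), "forwarded,", len(drop), "dropped")  # 3 forwarded, 1 dropped
```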