[unisog] NetReg Circumvention?

Marc Jimenez mjimenez at net.tufts.edu
Thu Sep 4 04:58:25 GMT 2003


Hi Brian,
	We have a pseudo-NetReg implementation (same concept, different
code) and we did see some hardcoding of IPs to circumvent the system. We
deal with it fairly effectively through a combination of policy and arp
log auditing. We poll our routers for their arp logs every five minutes,
and compare this to our DHCP leases. When we have a mismatch, we know the
MAC of the offender and can track it down to a switchport for enforcement.
	We don't have to do this very much.

	-Marc



Marc Jimenez
Network Engineering
Tufts University


"Read all instructions before applying adhesive."
-Large Print on Lid of Bucket; words to live by.

"Diplomacy" is saying "nice doggy" until you can find a big rock.
-Heinlein

On Wed, 3 Sep 2003, Brian Reilly wrote:

>
> For those of you who've implemented a NetReg or similar DHCP-driven
> solution for host registration, have you had many instances of users
> circumventing the process by just assigning themselves static IP
> addresses?  If so, how have you addressed this issue, and are you
> considering migrating to something like 802.1x or VQP as a result?
>
> Thanks,
>
> Brian
> --
> <reillyb at georgetown.edu>
>
>
>
>
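
The ARP-versus-lease audit described in the reply above, as an added example that is not part of the original thread. The Cisco-style `show ip arp` line layout, the ISC `dhcpd.leases` record format, the sample data and the `EXEMPT` list are all assumptions made for illustration.

```python
import re
# Constructed sample inputs (not from the original post).
ARP_TABLE = """\
Internet  10.1.20.1    -   0000.0c07.ac14  ARPA  Vlan20
Internet  10.1.20.15   4   0011.2233.4455  ARPA  Vlan20
Internet  10.1.20.77   1   00aa.bbcc.ddee  ARPA  Vlan20
Internet  10.1.20.31   9   0050.56ab.cdef  ARPA  Vlan20
"""
LEASES = """\
lease 10.1.20.15 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.1.20.31 {
  binding state active;
  hardware ethernet 00:50:56:00:00:01;
}
lease 10.1.20.77 {
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
"""
EXEMPT = {"10.1.20.1"}  # statically addressed infrastructure (assumed)

def norm_mac(mac):
    return re.sub(r"[^0-9a-f]", "", mac.lower())  # 12 lowercase hex digits

def parse_arp(text):
    # 'Internet <ip> <age> <mac> ARPA <interface>' -> [(ip, mac)]
    rows = re.findall(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-fA-F.]{14})\s", text, re.M)
    return [(ip, norm_mac(mac)) for ip, mac in rows]

def parse_leases(text):
    active = {}  # ip -> mac for active leases; a later record overrides earlier
    for ip, body in re.findall(r"^lease\s+(\S+)\s*\{(.*?)^\}", text, re.M | re.S):
        state = re.search(r"^\s*binding state (\w+);", body, re.M)
        hw = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        active.pop(ip, None)
        if state and hw and state.group(1) == "active":
            active[ip] = norm_mac(hw.group(1))
    return active

def find_mismatches(arp_text, lease_text, exempt=EXEMPT):
    leases, findings = parse_leases(lease_text), []
    for ip, mac in parse_arp(arp_text):
        if ip in exempt or leases.get(ip) == mac:
            continue  # known infrastructure, or ARP entry agrees with its lease
        reason = "lease held by " + leases[ip] if ip in leases else "no active lease"
        findings.append((ip, mac, reason))
    return findings
```

Each finding carries the MAC seen in ARP, which is the value to look up in the switch forwarding tables to reach a switchport.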


