[Maintain] First time user questions

Keith Rinaldo keithr at unr.edu
Tue Mar 29 11:14:13 PST 2005


Hi Brandon, thanks for getting back to me so quickly.  I was starting to
wonder if I was the only member of the list.  :)

>Looks like we are starting something ;-)

That's the idea!

>Maintain is used here at OSU to do registration of unknown hosts in the
>dorms.  Basically what you have to do is have a pool for unknown clients
>that gives them a DNS server that only has an entry for the registration
>server.

That's the basis of how the NetReg system from Southwestern University
works.  Machines that are registered get their MAC addresses listed with
host entries in the dhcpd.conf file, non-listed hosts get an IP in a
different address space (like 192.168.X.X for instance) with false DNS
servers and such, so that they are always directed to the registration
page.  Since Southwestern's NetReg has a pretty loyal following, the
users and developers swear by it.  It is, however, a little old, in my
opinion.  It really needs a freshening up and a code rewrite (in fact
there's a SourceForge project called phpNetReg, which is a complete
reimplementation, but they have not released any files yet) -- and I
don't know how far off a major update/overhaul of NetReg is.  They have
done some neat things, though, like the ability to plug in Nessus scans
and such during the registration process.

>The problem with this sort of system is that people can easily side-step
>it by setting a static IP, so some type of firewall solution would be
>better.

I'm not sure that a firewall is the solution here.  We used to have
authentication forced on one of our firewalls that sits in front of the
residence halls... and that worked OK for a while.  It became
non-optimal though, and doesn't scale to a full campus all that well.
There are other things out there like 802.1X port-based authentication,
but that's a huge overhaul of an infrastructure and operations in
general.  I wrote some scripts a few years back that gathered ARP
information from our routers and compared IP->MAC pairs with what was
registered in the database.  If it caught a non-registered MAC using an
IP it wasn't supposed to, it blocked the MAC from the network and
notified admins.  It worked pretty well.  There are some plugins, I
believe, for NetReg that do similar things.

My interest in Maintain comes from the fact that it seems to be much
more up-to-date and fresh in terms of code, and unless I'm mistaken,
it's written in all (or mostly) PHP, which I like much better than
trying to deal with convoluted Perl modules that go here, there, and
everywhere (even well-written Perl can be a MONSTER to try and deal
with!).  Since I'm looking to roll out a host registration system, if
Maintain can do the things I'm looking for, this might be the way to go.

My curiosity is definitely piqued.  :)

---
Keith Rinaldo
Network Security Administrator
University of Nevada, Reno
keithr at unr.edu




 

-----Original Message-----
From: Brandon Philips [mailto:brandon at osuosl.org] 
Sent: Tuesday, March 29, 2005 10:58 AM
To: Keith Rinaldo
Cc: maintain at lists.osuosl.org
Subject: Re: [Maintain] First time user questions

Keith,

> Hi, I haven't seen anything on the list either.

Looks like we are starting something ;-)

> I was mainly curious about the use of Maintain in similar fashion to
> NetReg?  Anyone have any thoughts on a forced-registration system with
> Maintain?

Maintain is used here at OSU to do registration of unknown hosts in the
dorms.  Basically what you have to do is have a pool for unknown clients
that gives them a DNS server that only has an entry for the registration
server.  

The problem with this sort of system is that people can easily side-step
it by setting a static IP, so some type of firewall solution would be
better.

Thoughts?

-bp


--
Brandon Philips
brandon at osuosl.org
"Open minds. Open doors. Open source." - osuosl.org
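
Added example, not part of the original messages and not Keith's scripts or
NetReg/Maintain code: one way the ARP-versus-registration comparison described
in the thread could look. The Cisco-style ARP table layout, the sample
addresses, the registration table and the 192.168.0.0/16 pool boundary are
constructed assumptions.

```python
import ipaddress
import re

# Assumption: unregistered clients are only ever leased addresses from this pool.
REGISTRATION_POOL = ipaddress.ip_network("192.168.0.0/16")

# Constructed sample of Cisco-style "show ip arp" output (not real data).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.1.15              4   0011.2233.4455  ARPA   Vlan20
Internet  10.20.1.16              0   00aa.bbcc.ddee  ARPA   Vlan20
Internet  10.20.1.99              2   00de.adbe.ef01  ARPA   Vlan20
Internet  192.168.5.7             1   0002.b3c4.d5e6  ARPA   Vlan99
Internet  10.20.1.40              -   Incomplete      ARPA
"""

# Constructed registration database: normalized MAC -> assigned IP.
REGISTERED = {
    "001122334455": "10.20.1.15",
    "00aabbccddee": "10.20.1.30",
}

ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-fA-F.:-]{12,17})\s")

def normalize_mac(mac):
    """Reduce dotted, colon or dash MAC notation to bare lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """Yield (ip, mac) pairs, skipping the header and incomplete entries."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), normalize_mac(m.group(2))

def audit(arp_text, registered, pool=REGISTRATION_POOL):
    """Return sorted (mac, ip, reason) findings for ARP entries that break policy."""
    findings = []
    for ip, mac in parse_arp(arp_text):
        assigned = registered.get(mac)
        if assigned is None and ip not in pool:
            findings.append((mac, str(ip), "unregistered MAC outside registration pool"))
        elif assigned is not None and str(ip) != assigned:
            findings.append((mac, str(ip), f"registered MAC not on assigned IP {assigned}"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, ip, reason in audit(SAMPLE_ARP, REGISTERED):
        print(f"{mac} {ip}: {reason}")
```

The findings list is what a follow-up step would feed into admin notification
or a MAC block; that enforcement step is left out here.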

