Web-Based DHCP Server Frontends?

Strog writes "We are securing our administrative network and one thing we decided to implement is allowing only known MAC addresses get an address from the DHCP server. The techs aren't very Unix-centric so we would prefer to keep them out of the server directly. A web-based admin tool is what we are looking for. I've used webmin for a while but it likes to give each host a nice little icon which wouldn't be so good once we get all ~750 machines entered. Dixie looks good too but leaves a few too many options for techs to look at. I'm in the process of hacking webmin into what I need but wondered if anyone out there has some good options to offer. What we really need is boxes for hostname, MAC address and apply button and a list of current entries and a delete button." This was recently asked on a mailing list, but so far, no answers have been given. Might someone here have experience with such software that they would like to share?

Perl

[droyad]

Sounds like a job for a good Perl script using CGI

webmin doesnt have to show icons

[NateSac]

I hope this helps you. If you click on the module config button in webmin, the second option from the top is labled;
Display subnets and hosts as _ Icons _ List
If you set this option to list, webmin wil not display an icon for each host. Further more, if you have a large number of DHCP clients, you may also want to use groups to help organize some of those clients into smaller lists.

Re:webmin doesnt have to show icons

[Strog]

I submitted this article Friday so I've had some time with webmin this weekend.

Goto your theme directory and put noicons=1 in the config file (/usr/share/webmin/themename/config in my system). This gives icons in the categories but none in the module itself. This looks like it will scale up to hundreds of entries with ease. I have 150 in my test machine now and you don't have to scroll much yet.

I'm editing out all the unneeded fields and buttons in the cgi files now. Mostly consists of rem'ing out the print statements in the index.cgi, edit_host.cgi and params-lib.pl files so far. I've got the buttons down to create, save, delete and apply.

I can't seem to get rid lease time, dynamic DNS and a couple other options without it breaking. It tries to send a null instead of going with the default. It's really in a workable state for us right now but I'd love to get it down to our 2 boxes we want and nothing else.

It is said that 10% of the project takes 90% of the time. Looks like it is holding up here on this project for me.

FYI...

[m0rph3us0]

I'm assuming this is for some kind of security measure. Have you implimented something like proxy arp so that people can't just listen for arp requests and have a list of valid MACs for use at a later time? It is rather easy to change your MAC on most network cards, especially the popular Realtek 8139s

An icon? is that all?

[tongue]

if all that's preventing webmin from serving the purpose you need is an icon for each client, then for pete's sake, modify the source or replace the icon with a 1 pixel jpg or something. that's the whole point of open-source right?

Coding

[JohnFluxx]

Have we gotten to the stage where regular sysadmins can't code these days?

If you can't do it, go to a secondary school and get someone to write the program for you.

Re:Coding

[Rick+the+Red]

Perhaps you're asking the wrong group. Did you try comp.unix.admin?

Re:Coding

[JohnFluxx]

Surely I could say almost exactly the same thing - ask slashdot should be for useful questions, not "Has anyone written a 10 line long program to do what i want".

Two major problems

[TheSHAD0W]

I see two major problems with your authentication scheme.

First off, you have a catch-22 in the assignment system. You don't want to give a DHCP address to a system without its being authenticated, but your system won't be able to hit the net and get to the administrative machine to BE authenticated. Aside from manually typing in the MAC address on the main server, which I think someone would find annoying. I suppose you could DHCP unrecognized machines to an intranet address that's null-routed except for that admin machine, which would ask for a password, sniff the MAC address, and then add it to the DHCP system.

But there's an even larger flaw with your scheme, which is that there's nothing keeping users from turning off DHCP and choosing an unassigned IP, letting anyone with a little know-how hijack your connection without going through your authentication and possibly cause conflicts on your network. DHCP is MEANT to be easy; add complications and you've ruined the whole point of having it.

If you want to have a secure network, you're going to have to use a whole different system, such as using a protocol like PPPoE (unencrypted) or PPTP (encrypted) to log in to a central station and then have that machine handle routing, etc. From an ease-of-use standpoint, this would be a lot simpler, both for end users and your inexpert managers; they add a name and password to the list, and each user needs his name and password to log in. If someone changes hardware, no problem.

Re:Two major problems

[TheSHAD0W]

> Did I mentition that this is a college?

Then your answer is clear. Push for the board to look at the solutions other colleges have used, tell them that the others have already solved all the problems they're about to face, and they should adopt a complete package instead of trying to roll their own. Kerberos would do really well, and it'd be free.

Re:Two major problems

[akb]

Use vlans then to make unathenticated stuff go to a web form, the web server then talks to your network management software to put the MAC on the whitelist.

NetReg

[bongoras]

NetReg is an automated system that requires an unknown DHCP client to register their hardware before gaining full network access. Through a simple web interface, the client is prompted for their user identification. Powerful scripts then retrieve the client's network fingerprint and store it along with the user's information in a database. The database provides administrators with real-time information for troubleshooting and auditing their networks. The entire system was developed utilizing unmodified, open-source servers and in-house developed CGI programs.

http://www.netreg.org

Dont bother

[photon317]

DHCP "security" by only giving addresses to known mac addresses doesn't buy you anything. Anyone can still plug in and grab an address statically anyways. The only way to enforce this would be a manual static arp table in every machine (including the router) and disable true arp, and at that point you may as well stop using DHCP too. Even then you still have to take other measures to make it really work.

Just run plain old wide-open DHCP, and implement network policy where it belongs - at the L3 devices like firewalls, L3 switches, routers - and in user AAA, be it windows domain logon, LDAP, or what have you.

Geez, why even use DHCP?

[argel]

You might as well static the IP addresses and shut the DHCP server down.

not secure

[austad]

This doesn't accomplish much, as a user can just manually assign an ip. Why not turn on port security on your switches and only allow certain MAC addresses on certain ports. Obviously, I don't know what kind of switches you are using, but since most of the world seems to be using Cisco, that's probably what you have and those will do it just fine.