
We want to limit the users' Internet usage on a daily traffic basis, but not the local network bandwidth. Our users are on different platforms (Windows, Android, iOS), therefore it is not possible to enforce any policies via e.g. Active Directory, and even if it were possible, it would limit the whole bandwidth.

The only way that remains is to do the limitation on an IP basis at the edge of the network. This is possible using MikroTik or other firewalls. But the problem is that users can change their IPs when the limit is reached, and they can continue using the Internet bandwidth.

So the idea was to make sure that users can only pass when their MAC address and the IP assigned through our DHCP server match. This should be possible on Cisco switches and could be done on the core switch. I think I have read something about the connection between Cisco switches and the DHCP server.

The question is: how is this possible, or is there any other solution that might be easier and more efficient?

We use APs, Cisco 2960 switches, and a Cisco 4500 as the core switch. Our DHCP server runs on FreeBSD, but we are willing to change it if needed. The authentication method for our APs is 802.1X.

EDIT:

We tried a solution using a RADIUS server, which gave us the possibility to know how much traffic was used by each user (through ports 1812/1813), but the problem was that the only way to limit the user was to not allow him to connect once his limit was reached. That means that until the user reconnects, he is able to download without any restriction.

We also thought of a proxy server as a solution, but we had two problems:

  1. We had performance issues with Squid, and installing Squid as a transparent proxy is too much work.
  2. Other proxies also had performance issues, and those that performed well didn't have the feature to be used as a transparent proxy.
Rohit Gupta
MiM
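The question asks whether a Cisco switch can tie a client's IP to the MAC address the DHCP server leased it. The feature is DHCP snooping plus IP Source Guard: untrusted ports are watched for DHCP exchanges, each completed lease becomes a (VLAN, MAC, IP, port) binding on the switch, and IP frames arriving on a guarded port are dropped unless their source IP (and, with the port-security option, their source MAC) matches a binding learned on that port. The configuration below is an added example for a Catalyst 2960 access switch, not text from the question or from any answer; the interface numbers, VLAN 10, the port-security maximum and which port faces an AP are assumptions about this network.

```cisco
! Added example: DHCP snooping + IP Source Guard on a Catalyst 2960.
! Interface names, VLAN 10 and the AP-facing port are assumptions.

! Global: inspect DHCP on the user VLAN and build the binding table.
ip dhcp snooping
ip dhcp snooping vlan 10
! Snooping inserts option 82 into client requests by default. If the DHCP
! server discards requests that carry option 82 from a non-relay
! (giaddr 0.0.0.0), switch the insertion off:
no ip dhcp snooping information option
! Persist the bindings; after a reload an empty table blocks every client
! until it renews its lease.
ip dhcp snooping database flash:/dhcp-snooping.db

! Uplink towards the 4500 and the DHCP server: the only port on which
! DHCP OFFER/ACK are accepted. All other ports are untrusted by default.
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
 ip dhcp snooping trust

! Port facing an AP: forward IP frames only when the source IP and source
! MAC match a snooped lease on this port. Without the port-security keyword
! only the IP is checked. All wireless clients behind the AP share this one
! port, so the port-security maximum must fit the AP, not a single host.
interface GigabitEthernet0/1
 description access point
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 100
 ip verify source port-security
```

Verify with `show ip dhcp snooping binding` and `show ip verify source`. On the 4500 the per-port command is `ip verify source vlan dhcp-snooping port-security` instead. A client that clones both the IP and the MAC of a valid lease still passes; that is the limitation the first answer points out.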

3 Answers


You're better off doing this at layer 7 versus layer 2 or 3.

Devices can have their MAC changed as well as their IP address. (It's harder for a user to change their MAC but it's still possible.) If you've got people changing IP addresses to get around restrictions it's only a matter of time before they'll be changing MAC addresses, too.

There are a couple of solutions I can think of off the top of my head.

  • A captive portal that requires the user to authenticate using a per-user credential (RADIUS back to your Active Directory, for example) would give you per-user accountability. There are a variety of products out there, both commercial and free/open source, that can do this.

  • Force users to connect to a VPN using a per-user credential to get access beyond the wireless subnet.

Neither of these methods requires a tedious IP-to-MAC cross-reference, and both would scale easily when you add new users/devices.

Evan Anderson
  • Thank you for your answer. That's right, changing the MAC address would mess up everything again. But we thought that would be too time-consuming to be an everyday solution for the users. But if we came to a solution like a transparent proxy server that had good performance, we could just let everyone connect to our APs and then just ask for credentials before we let them access the Internet. – MiM Oct 15 '14 at 11:11
  • Please see Question EDIT! – MiM Oct 15 '14 at 11:17

The quick solution is to configure ARP on that interface in reply-only mode. Then allow the DHCP server to insert ARP records.

So a static IP configuration on the client side will be useless, even if configured with the same data as the DHCP server assigned before.

It's easy to implement on MikroTik RouterOS, but I don't know the configuration on Cisco IOS.

user3690884
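As an added example, not part of the answer above, this is what the reply-only approach looks like in RouterOS; the interface name ether2 and the DHCP server name dhcp1 are assumptions.

```routeros
# Added example: RouterOS configuration for ARP reply-only plus DHCP-managed
# ARP entries. Interface and server names are assumptions.

# Interface facing the users: never learn MAC addresses from the wire,
# resolve neighbours from the static ARP table only.
/interface ethernet set [ find default-name=ether2 ] arp=reply-only
# If the users sit behind a bridge, set it on the bridge instead:
# /interface bridge set [ find name=bridge1 ] arp=reply-only

# Let the DHCP server add a static ARP entry (IP -> MAC) for every lease it
# hands out; the entry disappears again when the lease expires or is released.
/ip dhcp-server set [ find name=dhcp1 ] add-arp=yes

# Inspect the result: entries created by the DHCP server show as static.
/ip arp print where interface=ether2
```

What this blocks is the return path: the router still answers ARP requests, but it will only send traffic to an IP whose MAC is in the static table. A host that configures an IP for which no lease exists gets no replies at all, and a host that forges the IP of someone else's lease has its replies delivered to that lease's MAC instead of its own. A host that copies both the IP and the MAC of a valid lease is indistinguishable from the legitimate client.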

You may use ebtables to filter packets whose MAC address and IP do not match, like:

# chain for the per-user checks; anything not explicitly allowed below is dropped
ebtables -N USER
ebtables -P USER DROP
# one rule per lease: the source MAC must match the source IP
ebtables -A USER -p ip --ip-src 192.168.0.52 -s 00:52:2c:be:ac:2a -j ACCEPT
ebtables -A USER -p ip --ip-src 192.168.0.23 -s 00:51:2d:be:0c:1b -j ACCEPT
# hook it in last, so the DROP policy is not active before the ACCEPT rules exist:
# every IPv4 frame entering the bridge on eth0 goes through USER
ebtables -A FORWARD -p ip -i eth0 -j USER

Here we allow the user with MAC 00:52:2c:be:ac:2a to use only IP 192.168.0.52, and the same for the others. But as far as I know, iOS (and others, I guess) phones reset their MAC address on every connection for security reasons, to make it impossible to track a device's migration from one Wi-Fi hotspot to another. So it's not 100% correct to rely on the MAC address.

Another way to solve this problem is maybe to introduce L2TP and allow Internet traffic only over it. You'd give each user a username/password pair and assign static IPs. Then you'd be able to monitor traffic by IP.

Glueon
  • This solution is impossible, because the number of clients is more than 500 PCs plus some portable devices. Also, I don't think phones and other portable devices reset their MAC address on every connection!! I'm sure, and I checked in my APs. – MiM Oct 14 '14 at 12:49
  • Then ebtables + DHCP is your solution. I was talking about http://9to5mac.com/2014/09/26/more-details-on-how-ios-8s-mac-address-randomization-feature-works-and-when-it-doesnt/ http://venturebeat.com/2014/06/19/why-ios-8s-mac-address-randomizing-is-a-huge-win-for-privacy/. Android devices do not do that automatically, so there's a small chance you will run into problems. – Glueon Oct 14 '14 at 12:55
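The ebtables rule set in this answer has to be regenerated every time dhcpd hands out, renews or expires a lease, which is the "ebtables + DHCP" combination the comment above suggests. The script below is an added example, not code from the answer or its comments: it parses the ISC dhcpd.leases file that a FreeBSD DHCP server writes and emits the chain. The leases text is constructed, and the interface eth0 and chain name USER follow the rules above and are assumptions about your bridge. It also handles two things the hand-written rules do not: dhcpd only ever appends to the file, so a later record for the same IP supersedes an earlier one, and a client that has no lease yet must still be able to send its DHCPDISCOVER from 0.0.0.0 or it can never obtain a binding.

```python
"""Generate ebtables MAC/IP binding rules from an ISC dhcpd.leases file.

Added example, not code from the original answer. The leases text below is
constructed, not a real capture; eth0 and the chain name USER follow the
answer and are assumptions about your setup.
"""
import ipaddress
import re
import sys
from typing import Dict, List

# Constructed sample of /var/db/dhcpd/dhcpd.leases. dhcpd only appends:
# 192.168.0.23 appears twice and the later record wins, and the old lease
# for .77 has gone back to state 'free'.
SAMPLE_LEASES = """
lease 192.168.0.52 {
  starts 2 2014/10/14 09:00:00;
  ends 2 2014/10/14 21:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:52:2c:be:ac:2a;
  client-hostname "laptop-01";
}
lease 192.168.0.23 {
  starts 2 2014/10/14 08:00:00;
  ends 2 2014/10/14 20:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:51:2d:be:0c:1b;
}
lease 192.168.0.77 {
  starts 1 2014/10/13 08:00:00;
  ends 1 2014/10/13 20:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.0.23 {
  starts 2 2014/10/14 11:00:00;
  ends 2 2014/10/14 23:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:AA:BB:CC:DD:EE;
}
"""

# One lease block per match; lease bodies in dhcpd.leases do not nest braces.
LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{([^}]*)\}", re.S)
# Anchored at line start so 'next binding state ...' is not mistaken for the state.
STATE_RE = re.compile(r"^\s*binding\s+state\s+(\w+)\s*;", re.M)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;")


def parse_leases(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every IP whose most recent lease record is active."""
    bindings: Dict[str, str] = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        mac = MAC_RE.search(body)
        if state and state.group(1) == "active" and mac:
            bindings[ip] = mac.group(1).lower()
        else:
            # The latest record says free/expired/released: forget any binding
            # an earlier record created for this IP.
            bindings.pop(ip, None)
    return bindings


def ebtables_rules(bindings: Dict[str, str], iface: str = "eth0",
                   chain: str = "USER") -> List[str]:
    """Render the ebtables commands that accept only leased (MAC, IP) pairs."""
    rules = [
        # Create the chain, or empty it if it already exists, so the script
        # can be re-run (e.g. from cron) whenever dhcpd.leases changes.
        f"ebtables -N {chain} 2>/dev/null || ebtables -F {chain}",
        f"ebtables -P {chain} DROP",
        # A client without a lease sends DHCPDISCOVER from 0.0.0.0 to UDP/67;
        # without this exception nobody could ever obtain a binding.
        f"ebtables -A {chain} -p ip --ip-src 0.0.0.0 --ip-proto udp --ip-dport 67 -j ACCEPT",
    ]
    for ip in sorted(bindings, key=ipaddress.IPv4Address):
        rules.append(f"ebtables -A {chain} -p ip --ip-src {ip} -s {bindings[ip]} -j ACCEPT")
    # Hook the chain into FORWARD exactly once; re-runs must not add a second jump.
    rules.append(
        f"ebtables -L FORWARD | grep -q -- '-j {chain}' || "
        f"ebtables -A FORWARD -p ip -i {iface} -j {chain}"
    )
    return rules


if __name__ == "__main__":
    # Usage: python3 dhcp2ebtables.py [/var/db/dhcpd/dhcpd.leases] | sh
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEASES
    print("\n".join(ebtables_rules(parse_leases(text))))
```

Two caveats when using this for real: flushing USER while it is already hooked into FORWARD drops all client traffic for the moment between the flush and the re-add, so on a busy bridge build the rules into a fresh chain and swap the FORWARD jump instead; and `-p ip` matches only IPv4 frames, so ARP is not checked at all and a mismatched host can still poison ARP caches unless the same pairs are also enforced with `-p arp --arp-ip-src`.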