
Methods of binding a user to his IP on the network

There are many types of networks, with different devices and different principles of user identification for metering traffic, applying tariff rates and cutting off network access for non-payers.
Each option has its own characteristics and disadvantages.
In this article I will try to describe the most common methods of user identification that are used successfully in the networks of small and large providers.

Bindings based on a so-called VPN:
The user is identified and admitted to the network by checking his username and password (login/password).

1) PPTP, L2TP - most often used in networks with unmanaged equipment or unmanaged network segments (Corbina Telecom is an exception, and there may be some other networks).

With this scheme, to get Internet access the client has to bring up a VPN tunnel, and the user is identified by login/password. Based on these attributes the VPN server then makes a request to RADIUS, which decides whether to let the client onto the network and may also return the tariff rate for this client (if shaping is done by the VPN server itself).
2) PPPoE - used in networks with managed equipment (there are people who use it in unmanaged segments, but that is a big risk, since rogue PPPoE servers are very likely to appear, with all the consequences that follow). As far as I know, this identification scheme is used by the operators Stream TV and Peterstar. The scheme is very similar to the PPTP one (PPPoE server + RADIUS).

3) OpenVPN - in theory users can be authorized with it too, but in practice I have not seen it used for this purpose; if there are such operators, point them out to me :)

The so-called NIPP scheme:
In this case the user is identified by his IP address, which must be protected against substitution.
Almost all of these schemes can be used successfully in networks with static IP addresses, or when DHCP is used.

1) IP-MAC binding, most often used in networks built on D-Link switches. Here the switch binds the IP address and MAC address to a specific switch port (depending on the switch and how the function is configured, either ARP packets or TCP/IP packets are analysed); if the binding does not match, the user's MAC address is simply blocked on the switch and the user's packets go nowhere. With DHCP there can be nuances: the client sends a DHCP request and the switch blocks it because the binding does not match :) Naturally, the DHCP server must hand out the prescribed IP to the registered MAC. Not a very user-friendly method, because after the user replaces the device connected to the network his MAC address changes too, so the user has to call the operator's support and ask to change the MAC address in the binding.

2) Binding the MAC address to the port
This method of binding a user to a port is also used, but not often.
The algorithm is simple: the MAC address of the client's network card is simply bound to the switch port. It does not protect against IP address substitution, but it gives a headache to both the client and the operator.

3) Static ARP table (on a router or layer-3 switch), very often used when unmanaged switches are deployed at the access level.
The user's IP address is bound to his MAC address in the ARP table on the router or switch. The method is also inconvenient for the user, and in addition a clever user can still get out under another IP address simply by changing the MAC address of his card; getting around such a binding takes 2 minutes :)
A variant combines a static ARP table with binding a specific MAC to the switch port. This is a more literate method than plain static ARP or a simple MAC-to-port binding, and therefore more secure, because in this case the client can change his IP but cannot substitute someone else's MAC address.

4) Binding the user to the port with the switch's ACL (access control list); this is what is used in my case. This binding is a bit inconvenient for the operator, but the friendliest to the user. With this binding the following rules are created on the switch:
<Client IP> - <client port> - Allow
<all else> - <client port> - Deny
This method is convenient because the user can change his MAC address as many times as he likes and still access the network, but if he changes his IP the switch will not let him through.

5) A separate VLAN per user
There is no user binding as such: the user is simply allocated his own VLAN and his own network, and is left to do whatever he wants inside it :). A resource-intensive and, imho, not very convenient method, but a beautiful one. Most often used for legal-entity (corporate) clients.

6) Various web-based and 802.1x bindings - these hardly need a separate discussion. In this case the client is identified by a login/password combination and admitted to the network based on that data. It differs from the VPN method only in that there is no need to bring up a VPN tunnel.

7) No binding at all.
This method also exists and is even used somewhere, but there is no guarantee that users will not interfere with each other and steal Internet access by switching their IP to a neighbour's IP, although in our age an unlimited tariff is quite affordable.
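To make the differences between NIPP methods 1-4 concrete, here is an added example (not from the original post, and not any vendor's switch code) that models the per-port admission decision of each scheme and runs a few constructed frames through them: a legitimate frame, a replaced network card, and the two IP-substitution cases the text describes. The binding table, ports, MACs and IPs are all constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    port: int      # switch port the frame arrived on
    src_mac: str   # source MAC address
    src_ip: str    # source IP address

# Constructed binding table: port -> (registered MAC, assigned IP)
BINDINGS = {
    1: ("aa:aa:aa:aa:aa:01", "10.0.0.11"),
    2: ("aa:aa:aa:aa:aa:02", "10.0.0.12"),
}

def ip_mac_port_binding(f: Frame) -> bool:
    """Method 1: both MAC and IP must match the entry for the ingress port."""
    return BINDINGS.get(f.port) == (f.src_mac, f.src_ip)

def mac_to_port(f: Frame) -> bool:
    """Method 2: only the MAC is checked, so a changed IP is not noticed."""
    return f.port in BINDINGS and BINDINGS[f.port][0] == f.src_mac

def static_arp(f: Frame) -> bool:
    """Method 3: the router's static ARP table maps IP -> MAC; the router
    does not see the access port, so a matching IP/MAC pair is accepted
    whichever port it came from."""
    by_ip = {ip: mac for mac, ip in BINDINGS.values()}
    return by_ip.get(f.src_ip) == f.src_mac

def port_acl(f: Frame) -> bool:
    """Method 4: per-port ACL permits only the client's IP; MAC is free."""
    return f.port in BINDINGS and BINDINGS[f.port][1] == f.src_ip

METHODS = {"ip-mac-port": ip_mac_port_binding, "mac-port": mac_to_port,
           "static-arp": static_arp, "port-acl": port_acl}

def evaluate(frame: Frame) -> dict:
    """Return, per method, whether the frame would be admitted."""
    return {name: check(frame) for name, check in METHODS.items()}

if __name__ == "__main__":
    cases = {
        "legitimate client":     Frame(1, "aa:aa:aa:aa:aa:01", "10.0.0.11"),
        "replaced network card": Frame(1, "aa:aa:aa:aa:aa:ff", "10.0.0.11"),
        "neighbour's IP only":   Frame(1, "aa:aa:aa:aa:aa:01", "10.0.0.12"),
        "neighbour's IP + MAC":  Frame(1, "aa:aa:aa:aa:aa:02", "10.0.0.12"),
    }
    for label, frame in cases.items():
        print(f"{label:24} {evaluate(frame)}")
```

The output reproduces the post's observations: only the ACL method tolerates a replaced card, the MAC-to-port method lets a changed IP through, and plain static ARP is the one scheme that accepts a neighbour's IP once the MAC is changed along with it.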

Source: https://habr.com/ru/post/62503/
