Public Port Authentication

Port Security: User authentication for public-access switch ports

The FireRack Management Server (FMS) has the facility to authenticate and grant temporary rights to users of public-access switch ports.

How the users are authenticated is entirely at the discretion of the network administrator.

When a user plugs their laptop into a public port, the FireRack appliance issues it an IP address by DHCP. This IP address has severely restricted rights (controlled by the network admin). When the user attempts to visit a web site (any web site), they are redirected to the SSL-encrypted FireRack login page on the FMS. If they authenticate successfully, their IP address is then added to a "Dynamic Group" [1]. A different set of firewall rules (usually less restrictive) is applied to this group of users.

Immediately upon authentication, the FMS logs both the IP address and MAC address of the user's computer. The FireRack appliance also notes the MAC address to ensure packets from each IP address in the dynamic group are coming from the authorised MAC address.

In order to determine when a user has disconnected, the FireRack appliance monitors the user's machine. A directed ARP request is sent to the machine at regular (user-defined) intervals. After a specified number of failures to respond to these probes, the FireRack appliance removes the IP address from the Dynamic Group.
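The following is an added illustration, not FireRack or FMS code: a small Python model of the Dynamic Group state described above (IP bound to the MAC seen at login, packets from the IP accepted only with that MAC, and removal after a configurable number of missed directed ARP probes). The threshold value and the `DynamicGroup` API are assumptions made for the example.

```python
"""Model of FireRack-style Dynamic Group membership (added example, not FireRack code)."""
from dataclasses import dataclass, field


@dataclass
class Member:
    mac: str                 # MAC recorded by the FMS at authentication time
    missed_probes: int = 0   # consecutive directed ARP probes left unanswered


@dataclass
class DynamicGroup:
    """Authenticated public-port users, keyed by IP and bound to their login MAC."""
    max_failures: int = 3    # assumption: admin-chosen probe failure threshold
    members: dict = field(default_factory=dict)

    def authenticate(self, ip: str, mac: str) -> None:
        # Called after a successful portal login: log IP and MAC together.
        self.members[ip] = Member(mac=mac.lower())

    def allow_packet(self, ip: str, mac: str) -> bool:
        # The less-restrictive rule set applies only if the IP is a member AND
        # the source MAC matches the one recorded at authentication.
        m = self.members.get(ip)
        return m is not None and m.mac == mac.lower()

    def probe_result(self, ip: str, replied: bool) -> bool:
        # Record the outcome of one directed ARP probe. Returns True when the
        # member was removed because the failure threshold was reached.
        m = self.members.get(ip)
        if m is None:
            return False
        if replied:
            m.missed_probes = 0       # a reply resets the failure counter
            return False
        m.missed_probes += 1
        if m.missed_probes >= self.max_failures:
            del self.members[ip]      # disconnected: drop back to restricted rights
            return True
        return False


if __name__ == "__main__":
    g = DynamicGroup(max_failures=3)
    g.authenticate("10.0.0.5", "AA:BB:CC:DD:EE:01")   # constructed sample values
    print(g.allow_packet("10.0.0.5", "aa:bb:cc:dd:ee:01"))  # True
    print(g.allow_packet("10.0.0.5", "aa:bb:cc:dd:ee:02"))  # False: MAC mismatch
```

A packet from a member IP with a different source MAC is treated as not belonging to the authenticated user, which is the check the appliance performs with the MAC noted at login.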

Additional Notes

This same method can be used for authenticating wireless users. They too have MAC addresses that can be recorded and monitored.

[1] A Dynamic Group is a list of IP addresses that is populated dynamically by the FireRack appliance and/or the FMS. Firewall rules can be written to apply only to members of a specific dynamic group. IP addresses can be dynamically added to a dynamic group by firewall rule, or via the XML API of the FireRack appliance.