A
system and method prevent unauthorized users and devices, in a dynamic user / device environment, from obtaining access to shared-medium public and semi-public IP networks. A network includes a layered communication
system and routers / switches for
coupling users and devices to a Dynamic Host Control Protocol (DHCP)
server and an
authentication server. Databases support the servers. The network incorporates
Address Resolution Protocol (ARP). Authorized users and devices register for service by providing the DHCP with user identification for log-in, passwords, MAC addresses, etc. When users connect to the
network access point, a DHCP exchange is initiated to obtain a valid
IP address and other associated parameters. The DHCP
client initiates a MAC broadcast for IP addresses which contain in the request the
end user's device
MAC address. The associated
router switch will pick up and forward to a DHCP
server the
end user's device request. The DHCP server will process the
end user's request and extract the end user's device
MAC address. With the end user's
MAC address, the DHCP server accesses its device and / or
user information in the
database. If the MAC address is not registered, the DHCP server refuses to
handle the request and logs the attempt, potentially alerting network operators of a security breach. If the MAC address is registered, a DHCP server selects an appropriate
IP address and associated parameters to be returned to the requesting end user and connects via
programming or command interface to the
router switch that is forwarding the DHCP request on behalf of the end
user device. The server adds an ARP IP to the MAC address table entry with the selected
IP address and end user's MAC address.
End user device
authentication and IP lease are marked as provisional. A
timer is started for a suggested duration. Optionally, the DHCP dynamically sets up filter rules in the
router switch limiting access to a subset of IP addresses such as the address of a log-in server. Initial DHCP
processing is completed and an IP address is assigned to the requesting end user's device by DHCP. When the
timer expires, if the DHCP server finds the authenticating
user state is provisional, it will revoke the IP lease, invalidate the corresponding ARP to MAC table entry in the associated router switch, and reset any IP-permissive filtering for that device. If the user is in the full authenticated state, it will simply remove the restrictive filtering.