On Sep 12, 2009, at 18:21, Alexander Clouter wrote:

Ben Jencks <[email protected]> wrote:

I *strongly* recommend you do not mix user and host authentication into
one which looks like what you are slipping into doing.  Computers can
have multiple users (think of a UNIX box SSHed into), they might have an
administrative entity which is identifiable by the host credentials
though.

It's 100% laptops, so this isn't really an issue. Whoever logs the machine into the network is responsible for its actions.

As for parsing FreeRADIUS 'log' files, I hope you mean you are just
putting the accounting information into SQL and that's the 'parsing' out
the way.  You would be pretty...erm...well crazy to be doing it any
other way.

That's the parsing, but there's still correlation to do, and possibly reformatting in ways simple views can't handle.

Before I dive into parsing these, has anyone written these
scripts already?

RADIUS accounting into SQL is already readily available in FreeRADIUS,
DHCP to MAC there is not a great deal out there when I last looked.

Bear in mind that unless you have countermeasures in place that prevent:
* ARP spoofing
* MAC spoofing[1]
* DHCP spoofing
* IP spoofing

Doing what you want is kinda useless.  I'm guessing you want to do
MAC->IP correlation for audit and LART deployment, you need to be 100%
sure the data you are looking at is not faked in any way as the last
thing you want to do is 'harm' the wrong person.

DHCP snooping should take care of most of these, and as you mention 802.1x makes MAC spoofing pointless.

If this is an uncommon use case, is there a better way I'm missing to accomplish the same thing? That is, I need to be able to take an abuse report with just an IP and a time in it, and notify/take action on a particular user. Since authentication happens before an IP is assigned, the best way I could think of to associate an IP is to ask the DHCP server.

Whatever your solution is, bear in mind that at some stage you will need
to have your system handle:
* IPv6 addresses

Probably will wait until there's vendor support for DHCPv6 snooping.

* multiple IP addresses on the same host simultaneously
* IP addresses varying during the same session

Doesn't really matter, as long as there's a timestamped record of each.

Thanks for your input.
--
Ben Jencks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
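The correlation Ben describes above (abuse report with only an IP and a time, resolved via DHCP lease records to a MAC and then via RADIUS accounting to the user), as an added example that is not part of the thread. The dhcpd log lines, the radacct rows and the one-hour lease time are all constructed assumptions; the script keeps every timestamped lease so that a host changing IPs or holding several at once still resolves correctly, and returns nothing rather than guessing when the lease or session does not cover the reported time.

```python
from datetime import datetime, timedelta
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed ISC dhcpd-style syslog lines: each DHCPACK ties a MAC to an IP at a time.
DHCP_LOG = """\
2009-09-12 10:02:11 DHCPACK on 10.1.2.50 to 00:1c:b3:aa:bb:cc via eth0
2009-09-12 10:40:03 DHCPACK on 10.1.2.77 to 00:1c:b3:aa:bb:cc via eth0
2009-09-12 10:45:00 DHCPACK on 10.1.2.50 to 00:21:5c:dd:ee:ff via eth0
"""
# Constructed rows modelled on FreeRADIUS radacct columns
# (username, callingstationid, acctstarttime, acctstoptime; None = session still open).
RADACCT = [
    ("alice", "00:1c:b3:aa:bb:cc", "2009-09-12 10:01:55", "2009-09-12 11:30:00"),
    ("bob",   "00:21:5c:dd:ee:ff", "2009-09-12 10:44:40", None),
]
LEASE_TIME = timedelta(hours=1)  # assumed dhcpd max-lease-time


def parse_dhcp(text):
    """Return [(ack_time, ip, mac)] sorted by time, one entry per DHCPACK line."""
    leases = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 7 and p[2] == "DHCPACK":
            leases.append((datetime.strptime(p[0] + " " + p[1], FMT), p[4], p[6].lower()))
    return sorted(leases)


LEASES = parse_dhcp(DHCP_LOG)


def mac_for_ip(ip, when):
    """MAC holding `ip` at `when`: the latest ACK for that IP whose lease still covers `when`."""
    holder = None
    for ack, lease_ip, mac in LEASES:  # sorted, so the last match is the most recent ACK
        if lease_ip == ip and ack <= when <= ack + LEASE_TIME:
            holder = mac
    return holder


def user_for_ip(ip, when_str):
    """Resolve an abuse report (IP + time) to the RADIUS user whose session owned that MAC."""
    when = datetime.strptime(when_str, FMT)
    mac = mac_for_ip(ip, when)
    if mac is None:
        return None
    for user, station, start, stop in RADACCT:
        started = datetime.strptime(start, FMT)
        stopped = datetime.strptime(stop, FMT) if stop else datetime.max
        if station.lower() == mac and started <= when <= stopped:
            return user
    return None  # lease known but no matching session: do not guess
```

In production the same two lookups are simply SQL queries against the DHCP lease table and radacct, with the lease time taken from the server configuration rather than assumed.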
