Alexander Clouter wrote:
> That's the thing, after thinking long and hard about the consequences,
> treating a connecting machine differently (for example different VLAN)
> depending on the person using the workstations is a serious fxhyyshpx if
> you think in terms of "gets p0wned by previous user, then an
> 'administrator' logs in".

That isn't the use-case. The use case is "a machine with IP X is breaking the network... who do I blame?" If you can narrow it down to "the only person using that machine in the past day was user Y", you know who to yell at.

> A workstation should be either on the network or not on the network (not
> being some isolated 'guest'/'quarantine' network).

How does it fix itself, then, if its virus DB isn't up to date?

> During a single workstation 802.1X connection (accounting start, to
> accounting end), there is no reason the IP address on the workstation
> cannot (should is another argument, then it depends are we talking
> about IPv4 or IPv6) change whilst it is connected.

Sure... but you have the MAC + switch port, so you can still track that IP to the machine / user.

> It has been this
> (and the multiple IP address bit) that has stopped me ever using vendor
> NAS extensions that tell you what IP is being used by the connecting
> host...sure that might be what it is using now, what about two days
> later on.

Integrate DHCP logs with RADIUS via SQL.

Alan DeKok.
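One way to do the DHCP/RADIUS correlation suggested in the message above, as an added example that is not part of the original thread or of FreeRADIUS itself. It assumes accounting rows in a `radacct` table (a subset of the columns in the FreeRADIUS SQL schema) and a hypothetical `dhcp_leases` table loaded from DHCP server logs; all rows are constructed sample data, and an in-memory SQLite database is used so the query runs offline.

```python
import sqlite3

def norm_mac(mac):
    """Reduce any MAC notation (00-11-.., 00:11:.., 0011.22..) to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def build_db():
    db = sqlite3.connect(":memory:")
    db.create_function("norm_mac", 1, norm_mac)
    db.executescript("""
        -- Subset of the FreeRADIUS radacct columns.
        CREATE TABLE radacct (username TEXT, nasipaddress TEXT, nasportid TEXT,
            callingstationid TEXT, acctstarttime TEXT, acctstoptime TEXT);
        -- Hypothetical table (assumption): one row per lease seen in the DHCP logs.
        CREATE TABLE dhcp_leases (mac TEXT, ip TEXT, lease_start TEXT, lease_end TEXT);
    """)
    # Constructed sample data: two users share one workstation, a third uses another.
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?)", [
        ("alice", "10.0.0.2", "Gi1/0/7", "00-11-22-AA-BB-CC", "2024-03-01 08:00:00", "2024-03-01 12:00:00"),
        ("bob",   "10.0.0.2", "Gi1/0/7", "00-11-22-AA-BB-CC", "2024-03-01 13:00:00", None),  # session still open
        ("carol", "10.0.0.2", "Gi1/0/9", "00-11-22-DD-EE-FF", "2024-03-01 08:30:00", "2024-03-01 17:00:00"),
    ])
    db.executemany("INSERT INTO dhcp_leases VALUES (?,?,?,?)", [
        ("00:11:22:aa:bb:cc", "192.0.2.50", "2024-03-01 08:00:05", "2024-03-01 10:00:00"),
        ("00:11:22:aa:bb:cc", "192.0.2.77", "2024-03-01 10:00:00", "2024-03-01 18:00:00"),  # IP changed mid-session
        ("00:11:22:dd:ee:ff", "192.0.2.50", "2024-03-01 10:30:00", "2024-03-01 18:00:00"),  # IP reused by another host
    ])
    return db

# IP + time -> lease -> MAC -> accounting session -> user and switch port.
WHO_HAD_IP = """
SELECT r.username, r.nasipaddress, r.nasportid, l.mac
FROM dhcp_leases l
JOIN radacct r ON norm_mac(r.callingstationid) = norm_mac(l.mac)
WHERE l.ip = :ip
  AND l.lease_start <= :ts AND :ts < l.lease_end
  AND r.acctstarttime <= :ts
  AND (r.acctstoptime IS NULL OR :ts <= r.acctstoptime)
ORDER BY r.acctstarttime
"""

def who_had_ip(db, ip, ts):
    """Return (username, NAS IP, NAS port, MAC) for whoever held `ip` at time `ts`."""
    return db.execute(WHO_HAD_IP, {"ip": ip, "ts": ts}).fetchall()

if __name__ == "__main__":
    print(who_had_ip(build_db(), "192.0.2.50", "2024-03-01 09:00:00"))
```

The MAC is normalised on both sides of the join because a NAS and a DHCP server commonly log it with different separators and case, and the time window is what keeps a reused or changed address from being blamed on the wrong user.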

