Hi, I think we are arguing for the same thing here :)
Alan DeKok <[email protected]> wrote:
>
> Alexander Clouter wrote:
>> That's the thing, after thinking long and hard about the consequences,
>> treating a connecting machine differently (for example different VLAN)
>> depending on the person using the workstations is a serious fxhyyshpx if
>> you think in terms of "gets p0wned by previous user, then an
>> 'administrator' logs in".
>
> That isn't the use-case. The use case is "a machine with IP X is
> breaking the network... who do I blame?"
>
> If you can narrow it down to "the only person using that machine in
> the past day was user Y", you know who to yell at.
>
Yes, but using *user* credentials for the 802.1X dance does not help you here.

>> A workstation should be either on the network or not on the network (not
>> being some isolated 'guest'/'quarantine' network).
>
> How does it fix itself, then, if its virus DB isn't up to date?
>
A 'guest'/'quarantine' subnet always has a list of places people can get to. When I create such a pool I use a combination of:

 * DNS hijacking
 * web redirect
 * HTTP/FTP proxies (the one case I do use a transparent proxy)

>> It has been this (and the multiple IP address bit) that has stopped
>> me ever using vendor NAS extensions that tell you what IP is being
>> used by the connecting host...sure that might be what it is using
>> now, what about two days later on.
>
> Integrate DHCP logs with RADIUS via SQL.
>
Completely agree, however if you look at the other sub-thread I was just putting in a warning note for DIYers to consider multiple IPs, changing IPs, IPv6 etc. As I mentioned there, I have seen people take the RADIUS accounting 'workstation IP is...' as gospel in the past.

Cheers

--
Alexander Clouter
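To illustrate the "integrate DHCP logs with RADIUS via SQL" suggestion and the "changing IPs" caveat above, here is an added example that is not part of the thread. It assumes a simplified radacct table using FreeRADIUS column names and a dhcp_leases table whose layout is an assumption (fed from the DHCP server's lease log); the sample rows are constructed.

```python
import sqlite3

# Simplified radacct (FreeRADIUS column names) plus an assumed dhcp_leases table.
SCHEMA = """
CREATE TABLE radacct (
    username         TEXT,
    callingstationid TEXT,   -- client MAC as reported by the NAS
    acctstarttime    TEXT,
    acctstoptime     TEXT    -- NULL while the session is still open
);
CREATE TABLE dhcp_leases (   -- assumed layout, built from the DHCP lease log
    mac         TEXT,
    ip          TEXT,
    lease_start TEXT,
    lease_end   TEXT
);
"""

# Constructed data: host AA changes IP at 10:00, host BB later receives AA's old IP.
RADACCT = [
    ("alice", "aa:aa:aa:aa:aa:aa", "2024-01-10 08:00:00", "2024-01-10 12:00:00"),
    ("bob",   "bb:bb:bb:bb:bb:bb", "2024-01-10 09:00:00", None),
]
LEASES = [
    ("aa:aa:aa:aa:aa:aa", "10.0.0.5", "2024-01-10 08:00:00", "2024-01-10 10:00:00"),
    ("aa:aa:aa:aa:aa:aa", "10.0.0.9", "2024-01-10 10:00:00", "2024-01-10 12:00:00"),
    ("bb:bb:bb:bb:bb:bb", "10.0.0.5", "2024-01-10 10:30:00", "2024-01-10 18:00:00"),
]

# IP -> MAC comes from the DHCP lease valid at time t; MAC -> user from the
# RADIUS session open at time t. ISO timestamps compare correctly as strings.
QUERY = """
SELECT r.username, l.mac
FROM dhcp_leases AS l
JOIN radacct AS r ON r.callingstationid = l.mac
WHERE l.ip = :ip
  AND :t >= l.lease_start AND :t < l.lease_end
  AND :t >= r.acctstarttime
  AND (r.acctstoptime IS NULL OR :t < r.acctstoptime)
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?)", RADACCT)
    db.executemany("INSERT INTO dhcp_leases VALUES (?,?,?,?)", LEASES)
    return db

def who_had_ip(db, ip, at):
    """Return [(username, mac)] holding `ip` at ISO timestamp `at`; [] if no lease/session matches."""
    return db.execute(QUERY, {"ip": ip, "t": at}).fetchall()
```

Asking for 10.0.0.5 at 09:00 and again at 11:00 returns different users, which is exactly why a single "workstation IP is..." accounting value must not be taken as gospel.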

