MAC/IP/Identity correlation through AAA and DHCP

[Alexander Clouter]

Ben Jencks <ben at bjencks.net> wrote:
>
> On Sep 12, 2009, at 18:21, Alexander Clouter wrote:
> 
>> Ben Jencks <ben at bjencks.net> wrote:
>>>
>> I *strongly* recommend you do not mix user and host authentication 
>> into one which looks like what you are slipping into doing.  
>> Computers can have multiple users (think of a UNIX box SSHed into), 
>> they might have an administrative entity which is identifiable by the 
>> host credentials though.
> 
> It's 100% laptops, so this isn't really an issue. Whoever logs the  
> machine into the network is responsible for its actions.
>
At my work place the organisation (helldesk) provisions the staff with 
laptops but they are not the users of the laptop.  Blaming the user for 
an infection/abuse@ attack is futile...can you say your userbase is 
Clued(tm) enough to comprehend or care what they have done? :)

You want to track down the party responsible for the workstation (and 
where the workstation actually lives), the *host* authentication, the 
user authentication is something that happens when they access resources 
such as file shares and email.
 
>> As for parsing FreeRADIUS 'log' files, I hope you mean you are just 
>> putting the accounting information into SQL and that's the 'parsing' 
>> out the way.  You would be pretty...erm...well crazy to be doing it 
>> any other way.
> 
> That's the parsing, but there's still correlation to do, and possibly  
> reformatting in ways simple views can't handle.
>
Not questioning you, only curious what you want to do with the data; 
incase I can do more stuff with our data than we currently do :)
 
>> Doing what you want is kinda useless.  I'm guessing you want to do 
>> MAC->IP correleration for audit and LART deployment, you need to be 
>> 100% sure the data you are looking at is not faked in any way as the 
>> last thing you want to do is 'harm' the wrong person.
> 
> DHCP snooping should take care of most of these, and as you mention  
> 802.1x makes MAC spoofing pointless.
> 
> If this is an uncommon use case, is there a better way I'm missing to 
> accomplish the same thing? That is, I need to be able to take an abuse 
> report with just an IP and a time in it, and notify/take action on a 
> particular user. Since authentication happens before an IP is 
> assigned, the best way I could think of to associate an IP is to ask 
> the DHCP server.
>
As you already have the typical spoofing attacks covered then you can 
trust your DHCP logs.  Use your RADIUS 802.1X logs to act as a validator 
to make sure your DHCP logs look sane.

Some people find the (*cough* ISC *cough*) DHCP server so inflexible 
they bite the bullet and poll the ARP tables of their routers switches.  
This usually comes about when you start writing code to parse the 
dhcpd.leases files and then find your self wanting to scoop your eyes 
out with a rusty blunt spoon...of course the disadvantage with polling 
is it is not event driven and you might miss a DHCP Offer->Release 
cycle.
 
>> Whatever your solution is, bear in mind that at some stage you will  
>> need to have your system handle:
>> * IPv6 addresses
> 
> Probably will wait until there's vendor support for DHCPv6 snooping.
> 
I only mentioned it as it looks like you might be forced to roll your 
own.

>> * multiple IP addresses on the same host simulateously
>> * IP addresses varying during the same session
> 
> Doesn't really matter, as long as there's a timestamped record of each.
> 
Again, only mentioned for hints on the DIY approach, some people I know 
are already simply just relying on vendor extensions to RADIUS 
accounting packets that tell the RADIUS server the IP address the client 
is using.  They then take this as gospel and ignore things like lease 
renewal and whatnot.

Cheers

-- 
Alexander Clouter
.sigmonster says: What happens when you cut back the jungle?  It recedes.