MAC/IP/Identity correlation through AAA and DHCP

Alexander Clouter alex at digriz.org.uk
Sun Sep 13 12:28:18 CEST 2009


Alan DeKok <aland at deployingradius.com> wrote:
>
> Alexander Clouter wrote:
>
>> I *strongly* recommend you do not mix user and host authentication into 
>> one which looks like what you are slipping into doing.  Computers can 
>> have multiple users (think of a UNIX box SSHed into), they might have an 
>> administrative entity which is identifiable by the host credentials 
>> though.
> 
> There is a strong push in many companies to "know" who is on a 
> machine.  Since the majority of desktops are still Windows, the odds 
> of *multiple* people using one at the same time is relatively low.
> 
That's the thing, after thinking long and hard about the consequences, 
treating a connecting machine differently (for example different VLAN) 
depending on the person using the workstations is a serious fxhyyshpx if 
you think in terms of "gets p0wned by previous user, then an 
'administrator' logs in".

A workstation should be either on the network or not on the network (not 
being some isolated 'guest'/'quarantine' network).

User authentication is something that is best left higher up the stack, 
say at TCP/UDP (layer 4)...and unsurprisingly that's exactly what 
Windows Networking, Novell, Google, etc. do.  The user gets a login 
box to use to authenticate them to a *service*, not to the network.

I know here I'm preaching to the choir, this one is for the archives :)

>> RADIUS accounting into SQL is already readily available in FreeRADIUS, 
>> DHCP to MAC there is not a great deal out there when I last looked.
> 
>  I really need to finish the DHCP + SQL integration in the server.
> Sadly, other things take priority.
>
Well, to me FreeRADIUS is unsurprisingly a RADIUS server first and a 
kitchen sink secondly :)
 
>> Bear in mind that unless you have countermeasures in place that prevent:
>>  * ARP spoofing
>>  * MAC spoofing[1]
>>  * DHCP spoofing
>>  * IP spoofing
>> 
>> Doing what you want is kinda useless.  I'm guessing you want to do 
>> MAC->IP correlation for audit and LART deployment, you need to be 100% 
>> sure the data you are looking at is not faked in any way as the last 
>> thing you want to do is 'harm' the wrong person.
> 
>  802.1X gives you MAC strongly tied to a user.  It also usually gives
> you the switch IP and port.  You can look at DHCP options to ensure that
> the same MAC is on the same switch / port.  The switch can do DHCP
> snooping to prevent other IP's from being used on the same port.
> 
>  The result is pretty good.  ARP spoof detection will help, but that's
> just part of ongoing network monitoring.
>
Exactly what we do, the only *good* presentation to come out of Cisco 
that I stumbled on which was not simply blowing their own trumpet or 
trying to sell little black boxes with the word 'security' on the side:

http://www.cisco.com/web/DK/assets/docs/security2006/Security2006_Eric_Vyncke_2.pdf

>> Whatever your solution is, bear in mind that at some stage you will need 
>> to have your system handle:
>>  * IPv6 addresses
>>  * multiple IP addresses on the same host simultaneously
> 
>  WiFi, wired, etc.  How do you tell it's the same host, if the MAC is
> different on each interface?
> 
Who cares, you associate the MAC address with the *administrator* of the 
workstation.  When you can spoof a MAC someone can have effectively 
thousands of MAC addresses...then you consider pains of VM bridges[1] 
there are legit reasons for random MACs appearing at the edge.

>>  * IP addresses varying during the same session
> 
>  What 'session'?  User login?
> 
During a single workstation 802.1X connection (accounting start, to 
accounting end), there is no reason the IP address on the workstation 
cannot (should is another argument, then it depends are we talking 
about IPv4 or IPv6) change whilst it is connected.  It has been this 
(and the multiple IP address bit) that has stopped me ever using vendor 
NAS extensions that tell you what IP is being used by the connecting 
host...sure that might be what it is using now, what about two days 
later on.

Cheers

[1] we simply reject multiple MAC's per port, as if you need to use a VM 
	in bridging mode you are obviously trying to provision a service 
	which means that box should be in a server room

-- 
Alexander Clouter
.sigmonster says: Is something VIOLENT going to happen to a GARBAGE CAN?
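
Added example (not part of the original post, and not FreeRADIUS code): a sketch of the correlation discussed in this thread, answering "who held this IP at this time" from RADIUS accounting plus DHCP lease records, with the same-MAC-on-same-switch/port check and with several IPs per accounting session. The record layouts, field names and sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

def t(s):  # parse "YYYY-MM-DD HH:MM" into a datetime
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample records; the tuple layout is an assumption, not a FreeRADIUS schema.
# RADIUS accounting: (user, mac, nas_ip, nas_port, start, stop or None if still open)
ACCT = [
    ("alice", "00:11:22:33:44:55", "10.0.0.2", 7, t("2009-09-10 09:00"), t("2009-09-12 18:00")),
    ("bob",   "66:77:88:99:aa:bb", "10.0.0.2", 9, t("2009-09-10 10:00"), None),
]
# DHCP leases: (granted, lease_seconds, mac, ip, relay_switch, relay_port); switch and
# port are assumed to come from a DHCP relay option, normalised to the NAS fields.
DHCP = [
    (t("2009-09-10 09:01"), 86400, "00:11:22:33:44:55", "192.0.2.10", "10.0.0.2", 7),
    (t("2009-09-11 09:01"), 86400, "00:11:22:33:44:55", "192.0.2.23", "10.0.0.2", 7),
    (t("2009-09-11 12:00"), 86400, "66:77:88:99:aa:bb", "192.0.2.10", "10.0.0.2", 9),
    (t("2009-09-12 08:00"), 86400, "00:11:22:33:44:55", "192.0.2.40", "10.0.0.2", 3),
]

def lease_at(ip, when):
    """Most recent lease of `ip` granted at or before `when`, if still unexpired."""
    held = [l for l in DHCP if l[3] == ip and l[0] <= when]
    if not held:
        return None
    last = max(held, key=lambda l: l[0])
    return last if when < last[0] + timedelta(seconds=last[1]) else None

def who_had(ip, when):
    """Return (user, mac, nas_ip, nas_port), or None when the evidence does not line up."""
    lease = lease_at(ip, when)
    if lease is None:
        return None
    _, _, mac, _, sw, port = lease
    for user, amac, nas, nport, start, stop in ACCT:
        live = start <= when and (stop is None or when < stop)
        # Require the same MAC on the same switch and port in both data sources.
        if live and amac == mac and (nas, nport) == (sw, port):
            return (user, amac, nas, nport)
    return None

def ips_in_session(sess):
    """All IPs leased to the session's MAC on its own port between start and stop."""
    user, mac, nas, nport, start, stop = sess
    return sorted({l[3] for l in DHCP
                   if l[2] == mac and (l[4], l[5]) == (nas, nport)
                   and start <= l[0] and (stop is None or l[0] < stop)})
```

A `None` result means the records do not support an attribution (no live lease, or the MAC was seen on a port other than the one it authenticated on), which is the case where acting on the data would risk blaming the wrong person.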




More information about the Freeradius-Users mailing list