MAC/IP/Identity correlation through AAA and DHCP

Alan DeKok aland at deployingradius.com
Mon Sep 14 09:02:36 CEST 2009


Alexander Clouter wrote:
> That's the thing, after thinking long and hard about the consequences, 
> treating a connecting machine differently (for example different VLAN) 
> depending on the person using the workstations is a serious fxhyyshpx if 
> you think in terms of "gets p0wned by previous user, then an 
> 'administrator' logs in".

  That isn't the use-case.  The use case is "a machine with IP X is
breaking the network... who do I blame?"

  If you can narrow it down to "the only person using that machine in
the past day was user Y", you know who to yell at.

> A workstation should be either on the network or not on the network (not 
> being some isolated 'guest'/'quarantine' network).

  How does it fix itself, then, if its virus DB isn't up to date?

> During a single workstation 802.1X connection (accounting start, to 
> accounting end), there is no reason the IP address on the workstation 
> cannot (should is another argument, then it depends are we talking 
> about IPv4 or IPv6) change whilst it is connected.

  Sure... but you have the MAC + switch port, so you can still track
that IP to the machine / user.

>  It has been this 
> (and the multiple IP address bit) that has stopped me ever using vendor 
> NAS extensions that tell you what IP is being used by the connecting 
> host...sure that might be what it is using now, what about two days 
> later on.

  Integrate DHCP logs with RADIUS via SQL.

  Alan DeKok.
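The DHCP-log-to-RADIUS correlation Alan suggests, worked as an added example that is not from the thread or from the FreeRADIUS project: an in-memory SQLite database stands in for the SQL backend, the radacct column names follow FreeRADIUS's default SQL accounting schema, and the dhcp_leases table, the rows in both tables and the switch port names are constructed assumptions. It answers "IP X was misbehaving at time T, who was logged in on that MAC and port?", and also covers the two cases from the thread: the IP changing mid-session and the IP being reused by a different machine later.

```python
import sqlite3

# Constructed sample data (not from the thread). radacct column names follow
# FreeRADIUS's default SQL accounting schema; dhcp_leases is an assumed table
# populated from DHCP server logs. Timestamps are ISO strings so that SQLite
# compares them correctly as text.
RADACCT_ROWS = [  # username, callingstationid (MAC), nasportid (switch port), start, stop
    ("alice", "00-11-22-33-44-55", "Gi1/0/7", "2009-09-13 08:00:00", "2009-09-13 12:00:00"),
    ("bob",   "00-11-22-33-44-55", "Gi1/0/7", "2009-09-13 13:00:00", None),  # session still open
    ("carol", "AA-BB-CC-DD-EE-FF", "Gi1/0/9", "2009-09-13 09:00:00", "2009-09-13 17:00:00"),
]
DHCP_LEASE_ROWS = [  # mac, ip, lease_start, lease_end
    ("00-11-22-33-44-55", "10.0.0.42", "2009-09-13 08:00:05", "2009-09-13 14:00:00"),
    ("00-11-22-33-44-55", "10.0.0.77", "2009-09-13 14:00:00", "2009-09-13 20:00:00"),  # IP changed mid-session
    ("AA-BB-CC-DD-EE-FF", "10.0.0.42", "2009-09-13 17:05:00", "2009-09-13 23:00:00"),  # IP reused by another MAC
]

# Join the DHCP lease that held the IP at the given instant to every 802.1X
# accounting session on the same MAC that was open at that instant.
QUERY = """
SELECT r.username, r.callingstationid, r.nasportid
  FROM dhcp_leases d
  JOIN radacct r ON r.callingstationid = d.mac
 WHERE d.ip = :ip
   AND d.lease_start <= :at AND d.lease_end > :at
   AND r.acctstarttime <= :at
   AND (r.acctstoptime IS NULL OR r.acctstoptime > :at)
 ORDER BY r.acctstarttime
"""


def build_db():
    """Return an in-memory SQLite DB loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, callingstationid TEXT, "
                 "nasportid TEXT, acctstarttime TEXT, acctstoptime TEXT)")
    conn.execute("CREATE TABLE dhcp_leases (mac TEXT, ip TEXT, lease_start TEXT, lease_end TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", RADACCT_ROWS)
    conn.executemany("INSERT INTO dhcp_leases VALUES (?,?,?,?)", DHCP_LEASE_ROWS)
    return conn


def who_had_ip(conn, ip, at):
    """Return [(username, mac, switch_port)] for the sessions holding `ip` at `at`.

    An empty list while a lease exists means no accounting session covered that
    instant (e.g. the lease outlived the 802.1X session), which itself needs a look.
    """
    return conn.execute(QUERY, {"ip": ip, "at": at}).fetchall()


if __name__ == "__main__":
    db = build_db()
    for ip, at in [("10.0.0.42", "2009-09-13 10:00:00"), ("10.0.0.77", "2009-09-13 15:00:00"),
                   ("10.0.0.42", "2009-09-13 18:00:00")]:
        print(ip, "at", at, "->", who_had_ip(db, ip, at))
```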


