MAC/IP/Identity correlation through AAA and DHCP

[Alexander Clouter]

Hi,

I think we are arguing for the same thing here :)

Alan DeKok <aland at deployingradius.com> wrote:
>
> Alexander Clouter wrote:
>> That's the thing, after thinking long and hard about the consequences, 
>> treating a connecting machine differently (for example different VLAN) 
>> depending on the person using the workstations is a serious fxhyyshpx if 
>> you think in terms of "gets p0wned by previous user, then an 
>> 'administrator' logs in".
> 
>  That isn't the use-case.  The use case is "a machine with IP X is
> breaking the network... who do I blame?"
> 
>  If you can narrow it down to "the only person using that machine in
> the past day was user Y", you know who to yell at.
> 
Yes but using *user* credentials for the 802.1X dance does not help you 
here. 

>> A workstation should be either on the network or not on the network (not 
>> being some isolated 'guest'/'quarantine' network).
> 
>  How does it fix itself, then, if it's virus DB isn't up to date?
>
'guest'/'quarantine' subnet always has a list of places people can get 
to.  When I create such a pool I use a combination of:
 * DNS hijacking
 * web redirect
 * HTTP/FTP proxies (the one case I do use a transparent proxy)
 
>>  It has been this (and the multiple IP address bit) that has stopped 
>> me ever using vendor NAS extensions that tell you what IP is being 
>> used by the connecting host...sure that might be what it is using 
>> now, what about two days later on.
> 
>  Integrate DHCP logs with RADIUS via SQL.
> 
Complete agree, however if you look at the other sub-thread I was just 
putting in a warning note for DIYers to consider multiple IP's, changing 
IP's and IPv6 etc etc.  As I mentioned there, I have seen people take 
the RADIUS accounting 'workstation IP is...' as gospel in the past.

Cheers

-- 
Alexander Clouter
.sigmonster says: Your goose is cooked.
                  (Your current chick is burned up too!)