Hi, I think we are arguing for the same thing here :) Alan DeKok <aland@deployingradius.com> wrote:
Alexander Clouter wrote:
That's the thing, after thinking long and hard about the consequences, treating a connecting machine differently (for example different VLAN) depending on the person using the workstations is a serious fxhyyshpx if you think in terms of "gets p0wned by previous user, then an 'administrator' logs in".
That isn't the use-case. The use case is "a machine with IP X is breaking the network... who do I blame?"
If you can narrow it down to "the only person using that machine in the past day was user Y", you know who to yell at.
Yes but using *user* credentials for the 802.1X dance does not help you here.
A workstation should be either on the network or not on the network (not being some isolated 'guest'/'quarantine' network).
How does it fix itself, then, if it's virus DB isn't up to date?
'guest'/'quarantine' subnet always has a list of places people can get to. When I create such a pool I use a combination of: * DNS hijacking * web redirect * HTTP/FTP proxies (the one case I do use a transparent proxy)
It has been this (and the multiple IP address bit) that has stopped me ever using vendor NAS extensions that tell you what IP is being used by the connecting host...sure that might be what it is using now, what about two days later on.
Integrate DHCP logs with RADIUS via SQL.
Complete agree, however if you look at the other sub-thread I was just putting in a warning note for DIYers to consider multiple IP's, changing IP's and IPv6 etc etc. As I mentioned there, I have seen people take the RADIUS accounting 'workstation IP is...' as gospel in the past. Cheers -- Alexander Clouter .sigmonster says: Your goose is cooked. (Your current chick is burned up too!)