MAC/IP/Identity correlation through AAA and DHCP
Hi, First, this is in a wired/wireless WPA2/802.1x environment. I'm trying to create a log of who (real world identity) had what MAC and IP when. The plan is to periodically parse the FreeRADIUS AAA logs (identity to MAC mappings) and DHCP lease files (MAC to IP mappings) and correlate them. Before I dive into parsing these, has anyone written these scripts already? Alternatively, will the FreeRADIUS DHCP server do this without any extra work, and is it mature enough for production? I couldn't find any real documentation on it; just the feature page, and it says it only supports static addresses (I need to oversubscribe the address pool, so I can't do static). Thanks, Ben Jencks
Ben Jencks <ben@bjencks.net> wrote:
First, this is in a wired/wireless WPA2/802.1x environment. I'm trying to create a log of who (real world identity) had what MAC and IP when. The plan is to periodically parse the FreeRADIUS AAA logs (identity to MAC mappings) and DHCP lease files (MAC to IP mappings) and correlate them.
I *strongly* recommend you do not mix user and host authentication into one which looks like what you are slipping into doing. Computers can have multiple users (think of a UNIX box SSHed into), they might have an administrative entity which is identifiable by the host credentials though. As for parsing FreeRADIUS 'log' files, I hope you mean you are just putting the accounting information into SQL and that's the 'parsing' out the way. You would be pretty...erm...well crazy to be doing it any other way.
Before I dive into parsing these, has anyone written these scripts already?
RADIUS accounting into SQL is already readily available in FreeRADIUS, DHCP to MAC there is not a great deal out there when I last looked. Bear in mind that unless you have countermeasures in place that prevent: * ARP spoofing * MAC spoofing[1] * DHCP spoofing * IP spoofing Doing what you want is kinda useless. I'm guessing you want to do MAC->IP correleration for audit and LART deployment, you need to be 100% sure the data you are looking at is not faked in any way as the last thing you want to do is 'harm' the wrong person. Whatever your solution is, bear in mind that at some stage you will need to have your system handle: * IPv6 addresses * multiple IP addresses on the same host simulateously * IP addresses varying during the same session Cheers [1] 802.1X effectively neuters this by making sure only one MAC address appears on a particular port. In the case of 802.1X I strongly recommend if you use *user* authentication, you use it to *vouch* for the connecting MAC address of the host (so spoofing a MAC is completely pointless); this is in place of client side certificates in EAP-TLS -- Alexander Clouter .sigmonster says: Rainy days and Mondays always get me down.
On Sep 12, 2009, at 18:21, Alexander Clouter wrote:
Ben Jencks <ben@bjencks.net> wrote:
I *strongly* recommend you do not mix user and host authentication into one which looks like what you are slipping into doing. Computers can have multiple users (think of a UNIX box SSHed into), they might have an administrative entity which is identifiable by the host credentials though.
It's 100% laptops, so this isn't really an issue. Whoever logs the machine into the network is responsible for its actions.
As for parsing FreeRADIUS 'log' files, I hope you mean you are just putting the accounting information into SQL and that's the 'parsing' out the way. You would be pretty...erm...well crazy to be doing it any other way.
That's the parsing, but there's still correlation to do, and possibly reformatting in ways simple views can't handle.
Before I dive into parsing these, has anyone written these scripts already?
RADIUS accounting into SQL is already readily available in FreeRADIUS, DHCP to MAC there is not a great deal out there when I last looked.
Bear in mind that unless you have countermeasures in place that prevent: * ARP spoofing * MAC spoofing[1] * DHCP spoofing * IP spoofing
Doing what you want is kinda useless. I'm guessing you want to do MAC->IP correleration for audit and LART deployment, you need to be 100% sure the data you are looking at is not faked in any way as the last thing you want to do is 'harm' the wrong person.
DHCP snooping should take care of most of these, and as you mention 802.1x makes MAC spoofing pointless. If this is an uncommon use case, is there a better way I'm missing to accomplish the same thing? That is, I need to be able to take an abuse report with just an IP and a time in it, and notify/take action on a particular user. Since authentication happens before an IP is assigned, the best way I could think of to associate an IP is to ask the DHCP server.
Whatever your solution is, bear in mind that at some stage you will need to have your system handle: * IPv6 addresses
Probably will wait until there's vendor support for DHCPv6 snooping.
* multiple IP addresses on the same host simulateously * IP addresses varying during the same session
Doesn't really matter, as long as there's a timestamped record of each. Thanks for your input. -- Ben Jencks
Ben Jencks <ben@bjencks.net> wrote:
On Sep 12, 2009, at 18:21, Alexander Clouter wrote:
Ben Jencks <ben@bjencks.net> wrote:
I *strongly* recommend you do not mix user and host authentication into one which looks like what you are slipping into doing. Computers can have multiple users (think of a UNIX box SSHed into), they might have an administrative entity which is identifiable by the host credentials though.
It's 100% laptops, so this isn't really an issue. Whoever logs the machine into the network is responsible for its actions.
At my work place the organisation (helldesk) provisions the staff with laptops but they are not the users of the laptop. Blaming the user for an infection/abuse@ attack is futile...can you say your userbase is Clued(tm) enough to comprehend or care what they have done? :) You want to track down the party responsible for the workstation (and where the workstation actually lives), the *host* authentication, the user authentication is something that happens when they access resources such as file shares and email.
As for parsing FreeRADIUS 'log' files, I hope you mean you are just putting the accounting information into SQL and that's the 'parsing' out the way. You would be pretty...erm...well crazy to be doing it any other way.
That's the parsing, but there's still correlation to do, and possibly reformatting in ways simple views can't handle.
Not questioning you, only curious what you want to do with the data; incase I can do more stuff with our data than we currently do :)
Doing what you want is kinda useless. I'm guessing you want to do MAC->IP correleration for audit and LART deployment, you need to be 100% sure the data you are looking at is not faked in any way as the last thing you want to do is 'harm' the wrong person.
DHCP snooping should take care of most of these, and as you mention 802.1x makes MAC spoofing pointless.
If this is an uncommon use case, is there a better way I'm missing to accomplish the same thing? That is, I need to be able to take an abuse report with just an IP and a time in it, and notify/take action on a particular user. Since authentication happens before an IP is assigned, the best way I could think of to associate an IP is to ask the DHCP server.
As you already have the typical spoofing attacks covered then you can trust your DHCP logs. Use your RADIUS 802.1X logs to act as a validator to make sure your DHCP logs look sane. Some people find the (*cough* ISC *cough*) DHCP server so inflexible they bite the bullet and poll the ARP tables of their routers switches. This usually comes about when you start writing code to parse the dhcpd.leases files and then find your self wanting to scoop your eyes out with a rusty blunt spoon...of course the disadvantage with polling is it is not event driven and you might miss a DHCP Offer->Release cycle.
Whatever your solution is, bear in mind that at some stage you will need to have your system handle: * IPv6 addresses
Probably will wait until there's vendor support for DHCPv6 snooping.
I only mentioned it as it looks like you might be forced to roll your own.
* multiple IP addresses on the same host simulateously * IP addresses varying during the same session
Doesn't really matter, as long as there's a timestamped record of each.
Again, only mentioned for hints on the DIY approach, some people I know are already simply just relying on vendor extensions to RADIUS accounting packets that tell the RADIUS server the IP address the client is using. They then take this as gospel and ignore things like lease renewal and whatnot. Cheers -- Alexander Clouter .sigmonster says: What happens when you cut back the jungle? It recedes.
Alexander Clouter wrote:
I *strongly* recommend you do not mix user and host authentication into one which looks like what you are slipping into doing. Computers can have multiple users (think of a UNIX box SSHed into), they might have an administrative entity which is identifiable by the host credentials though.
There is a strong push in many companies to "know" who is on a machine. Since the majority of desktops are still Windows, the odds of *multiple* people using one at the same time is relatively low.
RADIUS accounting into SQL is already readily available in FreeRADIUS, DHCP to MAC there is not a great deal out there when I last looked.
I really need to finish the DHCP + SQL integration in the server. Sadly, other things take priority.
Bear in mind that unless you have countermeasures in place that prevent: * ARP spoofing * MAC spoofing[1] * DHCP spoofing * IP spoofing
Doing what you want is kinda useless. I'm guessing you want to do MAC->IP correleration for audit and LART deployment, you need to be 100% sure the data you are looking at is not faked in any way as the last thing you want to do is 'harm' the wrong person.
802.1X gives you MAC strongly tied to a user. It also usually gives you the switch IP and port. You can look at DHCP options to ensure that the same MAC is on the same switch / port. The switch can do DHCP snooping to prevent other IP's from being used on the same port. The result is pretty good. ARP spoof detection will help, but that's just part of ongoing network monitoring.
Whatever your solution is, bear in mind that at some stage you will need to have your system handle: * IPv6 addresses * multiple IP addresses on the same host simulateously
WiFi, wired, etc. How do you tell it's the same host, if the MAC is different on each interface?
* IP addresses varying during the same session
What 'session'? User login? Alan DeKok.
Alan DeKok <aland@deployingradius.com> wrote:
Alexander Clouter wrote:
I *strongly* recommend you do not mix user and host authentication into one which looks like what you are slipping into doing. Computers can have multiple users (think of a UNIX box SSHed into), they might have an administrative entity which is identifiable by the host credentials though.
There is a strong push in many companies to "know" who is on a machine. Since the majority of desktops are still Windows, the odds of *multiple* people using one at the same time is relatively low.
That's the thing, after thinking long and hard about the consequences, treating a connecting machine differently (for example different VLAN) depending on the person using the workstations is a serious fxhyyshpx if you think in terms of "gets p0wned by previous user, then an 'administrator' logs in". A workstation should be either on the network or not on the network (not being some isolated 'guest'/'quarantine' network). User authentication is something that is best left higher up the stack, say at TCP/UDP (layer 4)...and unsurprisingly that's exactly what Windows Networking, Novell do, Google, etc do. The user gets a login box to use to authentication them to a *service*, not to the network. I know here I'm preaching to the choir, this one is for the archives :)
RADIUS accounting into SQL is already readily available in FreeRADIUS, DHCP to MAC there is not a great deal out there when I last looked.
I really need to finish the DHCP + SQL integration in the server. Sadly, other things take priority.
Well, to me FreeRADIUS is unsurprisingly a RADIUS server first and a kitchen sink secondly :)
Bear in mind that unless you have countermeasures in place that prevent: * ARP spoofing * MAC spoofing[1] * DHCP spoofing * IP spoofing
Doing what you want is kinda useless. I'm guessing you want to do MAC->IP correleration for audit and LART deployment, you need to be 100% sure the data you are looking at is not faked in any way as the last thing you want to do is 'harm' the wrong person.
802.1X gives you MAC strongly tied to a user. It also usually gives you the switch IP and port. You can look at DHCP options to ensure that the same MAC is on the same switch / port. The switch can do DHCP snooping to prevent other IP's from being used on the same port.
The result is pretty good. ARP spoof detection will help, but that's just part of ongoing network monitoring.
Exactly what we do, the only *good* presentation to come out of Cisco that I stumbled on which was not simply blowing their own trumpet or trying to sell little black boxes with the word 'security' on the side: http://www.cisco.com/web/DK/assets/docs/security2006/Security2006_Eric_Vynck...
Whatever your solution is, bear in mind that at some stage you will need to have your system handle: * IPv6 addresses * multiple IP addresses on the same host simulateously
WiFi, wired, etc. How do you tell it's the same host, if the MAC is different on each interface?
Who cares, you associate the MAC address with the *administrator* of the workstation. When you can spoof a MAC someone can have effectively thousands of MAC addresses...then you consider pains of VM bridges[1] there are legit reasons for random MACs appearing at the edge.
* IP addresses varying during the same session
What 'session'? User login?
During a single workstaion 802.1X connection (accounting start, to accounting end), there is no reason the IP address on the workstation cannot (should is another arguement, then it depends are we talking about IPv4 or IPv6) change whilst it is connected. It has been this (and the multiple IP address bit) that has stopped me ever using vendor NAS extensions that tell you what IP is being used by the connecting host...sure that might be what it is using now, what about two days later on. Cheers [1] we simply reject multiple MAC's per port, as if you need to use a VM in bridging mode you are obviously trying to provision a service which means that box should be in a server room -- Alexander Clouter .sigmonster says: Is something VIOLENT going to happen to a GARBAGE CAN?
Alexander Clouter wrote:
That's the thing, after thinking long and hard about the consequences, treating a connecting machine differently (for example different VLAN) depending on the person using the workstations is a serious fxhyyshpx if you think in terms of "gets p0wned by previous user, then an 'administrator' logs in".
That isn't the use-case. The use case is "a machine with IP X is breaking the network... who do I blame?" If you can narrow it down to "the only person using that machine in the past day was user Y", you know who to yell at.
A workstation should be either on the network or not on the network (not being some isolated 'guest'/'quarantine' network).
How does it fix itself, then, if it's virus DB isn't up to date?
During a single workstaion 802.1X connection (accounting start, to accounting end), there is no reason the IP address on the workstation cannot (should is another arguement, then it depends are we talking about IPv4 or IPv6) change whilst it is connected.
Sure... but you have the MAC + switch port, so you can still track that IP to the machine / user.
It has been this (and the multiple IP address bit) that has stopped me ever using vendor NAS extensions that tell you what IP is being used by the connecting host...sure that might be what it is using now, what about two days later on.
Integrate DHCP logs with RADIUS via SQL. Alan DeKok.
Hi, I think we are arguing for the same thing here :) Alan DeKok <aland@deployingradius.com> wrote:
Alexander Clouter wrote:
That's the thing, after thinking long and hard about the consequences, treating a connecting machine differently (for example different VLAN) depending on the person using the workstations is a serious fxhyyshpx if you think in terms of "gets p0wned by previous user, then an 'administrator' logs in".
That isn't the use-case. The use case is "a machine with IP X is breaking the network... who do I blame?"
If you can narrow it down to "the only person using that machine in the past day was user Y", you know who to yell at.
Yes but using *user* credentials for the 802.1X dance does not help you here.
A workstation should be either on the network or not on the network (not being some isolated 'guest'/'quarantine' network).
How does it fix itself, then, if it's virus DB isn't up to date?
'guest'/'quarantine' subnet always has a list of places people can get to. When I create such a pool I use a combination of: * DNS hijacking * web redirect * HTTP/FTP proxies (the one case I do use a transparent proxy)
It has been this (and the multiple IP address bit) that has stopped me ever using vendor NAS extensions that tell you what IP is being used by the connecting host...sure that might be what it is using now, what about two days later on.
Integrate DHCP logs with RADIUS via SQL.
Complete agree, however if you look at the other sub-thread I was just putting in a warning note for DIYers to consider multiple IP's, changing IP's and IPv6 etc etc. As I mentioned there, I have seen people take the RADIUS accounting 'workstation IP is...' as gospel in the past. Cheers -- Alexander Clouter .sigmonster says: Your goose is cooked. (Your current chick is burned up too!)
participants (3)
-
Alan DeKok -
Alexander Clouter -
Ben Jencks