Wired 802.1x auth - Getting the IP address of the authed machine
Alexander Clouter
alex at digriz.org.uk
Wed Feb 25 20:26:13 CET 2009
* Paul Dealy <pdealy at gmail.com> [Wed, 25 Feb 2009 21:42:37 +1100]:
>
> I have accounting turned on, but I don't see the authed machine's IP on
> that of the NAS.
>
Use DHCP Snooping[1] and then yank the DHCP server's logs. If you want
them in the SQL table, you should add them afterwards. You need to bear
in mind that in the medium-long term there will be nothing stopping (or
invalid about) computers having multiple IP addresses[2]. Expecting a
venduh (especially Cisco) to give you what you want/need is asking for
trouble.

We personally yank from our DHCP logs; because of DHCP snooping, we know
they can be trusted.

Cheers

[1] http://www.cisco.com/web/DK/assets/docs/security2006/Security2006_Eric_Vyncke_2.pdf
[2] IPv4 and IPv6 addresses, multiple of the latter for workstations is
an expectation, not an edge case. Also there is technically
nothing stopping a workstation in a single 'session' changing IP
addresses.
--
Alexander Clouter
.sigmonster says: Go on, EMOTE! I was RAISED on thought balloons!!
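
Added example, not part of the original message: one way to attach IP addresses from DHCP server logs to 802.1X accounting sessions by joining on MAC address, keeping every address seen during a session. It assumes ISC dhcpd syslog lines and accounting records reduced to dicts with hypothetical keys `id`, `mac`, `start` and `stop`; all sample lines and sessions are constructed.

```python
import re
from datetime import datetime

# Assumed format: ISC dhcpd syslog lines (the message names no DHCP server).
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:]{17})")

def norm_mac(value):
    """Reduce aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to 12 hex digits, else None."""
    digits = re.sub(r"[^0-9a-f]", "", value.lower())
    return digits if len(digits) == 12 else None

def parse_acks(lines, year):
    """Yield (time, mac, ip) per DHCPACK line; syslog timestamps omit the year."""
    for line in lines:
        m = ACK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, norm_mac(m["mac"]), m["ip"]

def addresses_per_session(sessions, acks):
    """Map session id -> IPs leased to its MAC while the session was open."""
    result = {s["id"]: [] for s in sessions}
    for ts, mac, ip in sorted(acks, key=lambda a: a[0]):
        for s in sessions:
            stop = s["stop"] or datetime.max  # None means still connected
            same_mac = mac is not None and norm_mac(s["mac"]) == mac
            if same_mac and s["start"] <= ts <= stop:
                if ip not in result[s["id"]]:
                    result[s["id"]].append(ip)  # a session may hold several IPs
    return result

# Constructed sample data: three leases, two accounting sessions.
SAMPLE_LOG = [
    "Feb 25 20:01:12 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:1a:2b:3c:4d:5e (ws-01) via eth0",
    "Feb 25 20:03:40 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to 00:1a:2b:aa:bb:cc via eth0",
    "Feb 25 21:10:05 dhcp1 dhcpd: DHCPACK on 10.0.9.14 to 00:1a:2b:3c:4d:5e (ws-01) via eth0",
]
SAMPLE_SESSIONS = [
    {"id": "A1", "mac": "00-1A-2B-3C-4D-5E", "start": datetime(2009, 2, 25, 20, 1, 5), "stop": None},
    {"id": "B2", "mac": "001a.2baa.bbcc", "start": datetime(2009, 2, 25, 20, 30, 0), "stop": None},
]

if __name__ == "__main__":
    acks = parse_acks(SAMPLE_LOG, 2009)
    for sid, ips in addresses_per_session(SAMPLE_SESSIONS, acks).items():
        print(sid, ips)
```

Session B2 comes back empty because its only lease predates the session start, which is the kind of gap to check before writing results into the SQL table.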
More information about the Freeradius-Users mailing list