Wired 802.1x auth - Getting the IP address of the authed machine

Alexander Clouter alex at digriz.org.uk
Wed Feb 25 20:26:13 CET 2009


* Paul Dealy <pdealy at gmail.com> [Wed, 25 Feb 2009 21:42:37 +1100]:
>
> I have accounting turned on, but I don't see the authed machine's IP on
> that of the NAS.
>
Use DHCP Snooping[1] and then yank the DHCP server's logs.  If you want 
them in the SQL table, you should add them afterwards.  You need to bear 
in mind that in the medium-long term there will be nothing stopping (or 
invalid) about computers having multiple IP addresses[2].  Expecting a 
venduh (especially Cisco) to give you what you want/need is asking for 
trouble.

We personally yank from our DHCP logs; because of DHCP snooping, we know 
they can be trusted.

Cheers

[1] http://www.cisco.com/web/DK/assets/docs/security2006/Security2006_Eric_Vyncke_2.pdf
[2] IPv4 and IPv6 addresses, multiple of the latter for workstations is 
	an expectation not an edge case.  Also there is technically 
	nothing stopping a workstation in a single 'session' changing IP 
	addresses

-- 
Alexander Clouter
.sigmonster says: Go on, EMOTE!  I was RAISED on thought balloons!!
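
The DHCP-log correlation described in the reply above, as an added example that is not part of the original post or of FreeRADIUS: it joins DHCPACK lines to accounting sessions by MAC address (Calling-Station-Id) and keeps every address seen during a session. The ISC dhcpd log format, the session field names and all sample values are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumption: ISC dhcpd syslog lines; adjust the pattern for other DHCP servers.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:]{17})\b")

def norm_mac(value):
    """Reduce 00-1E-C9-..., 001e.c9aa.bbcc or 00:1e:c9:... to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return digits

def parse_acks(lines, year):
    """Yield (time, mac, ip) per DHCPACK line; syslog omits the year, so it is supplied."""
    for line in lines:
        m = ACK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, norm_mac(m["mac"]), m["ip"]

def ips_per_session(sessions, acks):
    """Map each session id to the ordered IPs leased to its MAC while it was open."""
    acks = sorted(acks)  # materialise once; acks may be a generator
    result = {}
    for s in sessions:
        mac = norm_mac(s["mac"])
        seen = []  # a list, because one session can hold several addresses
        for ts, ack_mac, ip in acks:
            in_window = ts >= s["start"] and (s["stop"] is None or ts <= s["stop"])
            if ack_mac == mac and in_window and ip not in seen:
                seen.append(ip)
        result[s["id"]] = seen
    return result

# Constructed sample data: DHCP server log lines and two accounting sessions.
SAMPLE_LOG = [
    "Feb 25 20:01:12 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:1e:c9:aa:bb:cc (ws-042) via eth0",
    "Feb 25 20:03:40 dhcp1 dhcpd: DHCPDISCOVER from 00:1e:c9:dd:ee:ff via eth0",
    "Feb 25 20:03:41 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to 00:1e:c9:dd:ee:ff via eth0",
    "Feb 25 21:15:02 dhcp1 dhcpd: DHCPACK on 10.0.9.14 to 00:1e:c9:aa:bb:cc (ws-042) via eth0",
]
SAMPLE_SESSIONS = [
    {"id": "A1", "mac": "00-1E-C9-AA-BB-CC", "start": datetime(2009, 2, 25, 20, 1, 5), "stop": None},
    {"id": "B2", "mac": "001e.c9dd.eeff", "start": datetime(2009, 2, 25, 20, 3, 30),
     "stop": datetime(2009, 2, 25, 20, 30, 0)},
]
```

The result is only as trustworthy as the DHCP log itself, which is why the reply pairs it with DHCP snooping on the switches.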



