MAC/IP/Identity correlation through AAA and DHCP
Alexander Clouter
alex at digriz.org.uk
Sun Sep 13 00:21:12 CEST 2009
Ben Jencks <ben at bjencks.net> wrote:
>
> First, this is in a wired/wireless WPA2/802.1x environment. I'm trying
> to create a log of who (real world identity) had what MAC and IP when.
> The plan is to periodically parse the FreeRADIUS AAA logs (identity to
> MAC mappings) and DHCP lease files (MAC to IP mappings) and correlate
> them.
>
I *strongly* recommend you do not mix user and host authentication into
one which looks like what you are slipping into doing. Computers can
have multiple users (think of a UNIX box SSHed into), they might have an
administrative entity which is identifiable by the host credentials
though.
As for parsing FreeRADIUS 'log' files, I hope you mean you are just
putting the accounting information into SQL and that's the 'parsing' out
the way. You would be pretty...erm...well crazy to be doing it any
other way.
> Before I dive into parsing these, has anyone written these
> scripts already?
>
RADIUS accounting into SQL is already readily available in FreeRADIUS,
DHCP to MAC there is not a great deal out there when I last looked.
Bear in mind that unless you have countermeasures in place that prevent:
* ARP spoofing
* MAC spoofing[1]
* DHCP spoofing
* IP spoofing
Doing what you want is kinda useless. I'm guessing you want to do
MAC->IP correlation for audit and LART deployment, you need to be 100%
sure the data you are looking at is not faked in any way as the last
thing you want to do is 'harm' the wrong person.
Whatever your solution is, bear in mind that at some stage you will need
to have your system handle:
* IPv6 addresses
* multiple IP addresses on the same host simultaneously
* IP addresses varying during the same session
Cheers
[1] 802.1X effectively neuters this by making sure only one MAC address
appears on a particular port. In the case of 802.1X I strongly
recommend if you use *user* authentication, you use it to
*vouch* for the connecting MAC address of the host (so spoofing
a MAC is completely pointless); this is in place of client side
certificates in EAP-TLS
--
Alexander Clouter
.sigmonster says: Rainy days and Mondays always get me down.
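The correlation the original poster describes (RADIUS accounting for identity -> MAC, DHCP leases for MAC -> IP, joined on MAC over overlapping time windows), as an added example. This is not code from the thread or from the FreeRADIUS project. It assumes the RADIUS side has already been pulled from FreeRADIUS's SQL radacct table (username, callingstationid, acctstarttime, acctstoptime) and that the DHCP side is an ISC dhcpd.leases file with UTC timestamps; both inputs below are constructed sample data. Calling-Station-Id arrives in whatever form the NAS sends, so MACs are canonicalised before the join. Output rows are per (user, MAC, IP, window), so a host holding several addresses at once, or changing address mid-session, simply yields several rows. Any address the ipaddress module accepts works in the join, but ISC's DHCPv6 lease syntax is different and is not parsed here.

```python
"""Correlate radacct sessions with ISC dhcpd leases into who/MAC/IP/when records.

Added example with constructed data; not the poster's or FreeRADIUS's code.
"""
import re
import ipaddress
from datetime import datetime, timezone

UTC = timezone.utc
FAR_FUTURE = datetime(9999, 1, 1, tzinfo=UTC)   # stands in for "still open"/"never"

# Constructed stand-in for rows selected from FreeRADIUS's radacct table:
# (username, callingstationid, acctstarttime, acctstoptime). None = session still open.
RADACCT_ROWS = [
    ("alice", "00-11-22-33-44-55", "2009-09-13 00:05:00", "2009-09-13 02:00:00"),
    ("bob",   "AA:BB:CC:DD:EE:FF", "2009-09-13 00:30:00", None),
]

# Constructed dhcpd.leases text in ISC dhcpd's own syntax ("<weekday> Y/M/D H:M:S", UTC).
# alice's MAC changes IP mid-session (.50 then .51); the .99 entry is an expired lease.
DHCPD_LEASES = """\
lease 192.168.1.50 {
  starts 0 2009/09/13 00:10:00;
  ends 0 2009/09/13 01:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-laptop";
}
lease 192.168.1.51 {
  starts 0 2009/09/13 01:00:00;
  ends 0 2009/09/13 03:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.77 {
  starts 0 2009/09/13 00:40:00;
  ends 0 2009/09/13 12:40:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 192.168.1.99 {
  starts 0 2009/09/12 20:00:00;
  ends 0 2009/09/12 22:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
"""

def norm_mac(mac):
    """Canonicalise 00-11-22-33-44-55 / 0011.2233.4455 / AA:BB:.. to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_dhcpd_time(s):
    """'0 2009/09/13 00:10:00' -> aware UTC datetime; 'never' -> FAR_FUTURE."""
    if s.strip() == "never":
        return FAR_FUTURE
    _weekday, date, clock = s.split()
    return datetime.strptime(date + " " + clock, "%Y/%m/%d %H:%M:%S").replace(tzinfo=UTC)

def parse_sql_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_dhcpd_leases(text):
    """Return [(mac, ip, start, end)] for leases in 'binding state active'.

    dhcpd appends to the file, so a later block for the same IP supersedes an
    earlier one; keying on IP keeps only the most recent state.
    """
    latest = {}
    for m in LEASE_RE.finditer(text):
        ip, body = str(ipaddress.ip_address(m.group(1))), m.group(2)
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        starts = re.search(r"starts (.*?);", body)
        ends = re.search(r"ends (.*?);", body)
        state = re.search(r"binding state (\w+);", body)
        if not (mac and starts and ends and state):
            continue
        latest[ip] = (norm_mac(mac.group(1)), ip, parse_dhcpd_time(starts.group(1)),
                      parse_dhcpd_time(ends.group(1)), state.group(1))
    return [rec[:4] for rec in latest.values() if rec[4] == "active"]

def correlate(radacct_rows, leases):
    """Join sessions and leases on MAC; keep only the overlapping time window.

    Returns [(user, mac, ip, from, to)] sorted by window start. An IP whose lease
    outlives the accounting session is deliberately NOT attributed past the stop
    time: without authentication evidence the DHCP record alone proves nothing.
    """
    by_mac = {}
    for mac, ip, start, end in leases:
        by_mac.setdefault(mac, []).append((ip, start, end))
    records = []
    for user, csid, start, stop in radacct_rows:
        s_start = parse_sql_time(start)
        s_stop = parse_sql_time(stop) if stop else FAR_FUTURE
        for ip, l_start, l_end in by_mac.get(norm_mac(csid), []):
            lo, hi = max(s_start, l_start), min(s_stop, l_end)
            if lo < hi:
                records.append((user, norm_mac(csid), ip, lo, hi))
    return sorted(records, key=lambda r: (r[3], r[0]))

def who_had(records, ip, when):
    """Audit query: identities (user, mac) the evidence ties to `ip` at `when`."""
    ip = str(ipaddress.ip_address(ip))
    return [(u, m) for u, m, i, lo, hi in records if i == ip and lo <= when < hi]

if __name__ == "__main__":
    recs = correlate(RADACCT_ROWS, parse_dhcpd_leases(DHCPD_LEASES))
    for user, mac, ip, lo, hi in recs:
        print("%-6s %s %-14s %s .. %s" % (user, mac, ip, lo.isoformat(), hi.isoformat()))
    print(who_had(recs, "192.168.1.51", datetime(2009, 9, 13, 1, 30, tzinfo=UTC)))
```

Note the half-open windows and the lease that outlives alice's session: at 02:30 the .51 lease is still active in dhcpd, but who_had() returns nothing because no accounting session covers that time. That is the conservative choice the parent post argues for, since acting on an IP-to-person mapping that the authentication data does not actually support is how the wrong person gets harmed.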