MAC/IP/Identity correlation through AAA and DHCP
Ben Jencks
ben at bjencks.net
Sun Sep 13 02:00:40 CEST 2009
On Sep 12, 2009, at 18:21, Alexander Clouter wrote:
> Ben Jencks <ben at bjencks.net> wrote:
>>
> I *strongly* recommend you do not mix user and host authentication
> into one which looks like what you are slipping into doing. Computers
> can have multiple users (think of a UNIX box SSHed into), they might
> have an administrative entity which is identifiable by the host
> credentials though.
It's 100% laptops, so this isn't really an issue. Whoever logs the
machine into the network is responsible for its actions.
> As for parsing FreeRADIUS 'log' files, I hope you mean you are just
> putting the accounting information into SQL and that's the 'parsing'
> out the way. You would be pretty...erm...well crazy to be doing it any
> other way.
That's the parsing, but there's still correlation to do, and possibly
reformatting in ways simple views can't handle.
>> Before I dive into parsing these, has anyone written these
>> scripts already?
>>
> RADIUS accounting into SQL is already readily available in FreeRADIUS,
> DHCP to MAC there is not a great deal out there when I last looked.
>
> Bear in mind that unless you have countermeasures in place that prevent:
> * ARP spoofing
> * MAC spoofing[1]
> * DHCP spoofing
> * IP spoofing
>
> Doing what you want is kinda useless. I'm guessing you want to do
> MAC->IP correlation for audit and LART deployment, you need to be
> 100% sure the data you are looking at is not faked in any way as the
> last thing you want to do is 'harm' the wrong person.
DHCP snooping should take care of most of these, and as you mention
802.1x makes MAC spoofing pointless.
If this is an uncommon use case, is there a better way I'm missing to
accomplish the same thing? That is, I need to be able to take an abuse
report with just an IP and a time in it, and notify/take action on a
particular user. Since authentication happens before an IP is
assigned, the best way I could think of to associate an IP is to ask
the DHCP server.
> Whatever your solution is, bear in mind that at some stage you will
> need to have your system handle:
> * IPv6 addresses
Probably will wait until there's vendor support for DHCPv6 snooping.
> * multiple IP addresses on the same host simultaneously
> * IP addresses varying during the same session
Doesn't really matter, as long as there's a timestamped record of each.
Thanks for your input.
--
Ben Jencks
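The correlation step the thread describes (abuse report with an IP and a time, lease log to find the MAC, RADIUS accounting to find the user), as an added example that is not from the original post or from FreeRADIUS. The record layouts, MAC spellings and sample sessions are constructed assumptions; it returns None rather than guessing when either step has no timestamped record covering the time, and copes with the two cases raised at the end of the thread (several IPs on one host at once, and an IP changing hands over time).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class RadiusSession:          # one radacct row: who authenticated which MAC, and when
    username: str
    mac: str                  # Calling-Station-Id; NAS vendors spell MACs differently
    start: datetime
    stop: Optional[datetime]  # None = session still open
@dataclass
class DhcpLease:              # one lease record: which MAC held which IP, and for how long
    mac: str
    ip: str
    start: datetime
    end: datetime

def norm_mac(mac: str) -> str:
    # Canonicalise "AA-BB-CC-DD-EE-01", "aabb.ccdd.ee01" and "aa:bb:..." to one spelling.
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def user_for_ip(ip: str, at: datetime, sessions, leases) -> Optional[str]:
    # Abuse report gives (IP, time). Step 1: lease log -> MAC. Step 2: RADIUS session -> user.
    held = [l for l in leases if l.ip == ip and l.start <= at < l.end]
    if not held:
        return None                       # nobody held that IP then (or lease log is incomplete)
    mac = norm_mac(max(held, key=lambda l: l.start).mac)   # newest lease wins on overlap
    for s in sessions:
        if norm_mac(s.mac) == mac and s.start <= at and (s.stop is None or at < s.stop):
            return s.username
    return None                           # lease but no authenticated session: do not guess

def _t(hhmm: str) -> datetime:
    return datetime.strptime("2009-09-12 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample data: alice's laptop holds two IPs at once, and 10.0.0.5 is
# later reused by bob; 10.0.0.9 appears in the lease log with no matching session.
SESSIONS = [
    RadiusSession("alice", "AA-BB-CC-DD-EE-01", _t("09:00"), _t("10:30")),
    RadiusSession("bob",   "aabb.ccdd.ee02",    _t("10:55"), None),
]
LEASES = [
    DhcpLease("aa:bb:cc:dd:ee:01", "10.0.0.5", _t("09:05"), _t("10:05")),
    DhcpLease("aa:bb:cc:dd:ee:01", "10.0.0.7", _t("09:05"), _t("10:05")),
    DhcpLease("aa:bb:cc:dd:ee:02", "10.0.0.5", _t("11:00"), _t("12:00")),
    DhcpLease("aa:bb:cc:dd:ee:03", "10.0.0.9", _t("09:00"), _t("12:00")),
]

def lookup(ip: str, hhmm: str) -> Optional[str]:
    return user_for_ip(ip, _t(hhmm), SESSIONS, LEASES)
```

Against real logs the lease "end" should be the release, expiry or re-lease time actually recorded, not the nominal lease length, otherwise a reassigned IP is attributed to its previous holder.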