MAC/IP/Identity correlation through AAA and DHCP

Alan DeKok aland at
Sun Sep 13 09:12:18 CEST 2009

Alexander Clouter wrote:
> I *strongly* recommend you do not mix user and host authentication into 
> one which looks like what you are slipping into doing.  Computers can 
> have multiple users (think of a UNIX box SSHed into), they might have an 
> administrative entity which is identifiable by the host credentials 
> though.

  There is a strong push in many companies to "know" who is on a
machine.  Since the majority of desktops are still Windows, the odds of
*multiple* people using one at the same time are relatively low.

> RADIUS accounting into SQL is already readily available in FreeRADIUS, 
> DHCP to MAC there is not a great deal out there when I last looked.

  I really need to finish the DHCP + SQL integration in the server.
Sadly, other things take priority.

> Bear in mind that unless you have countermeasures in place that prevent:
>  * ARP spoofing
>  * MAC spoofing[1]
>  * DHCP spoofing
>  * IP spoofing
> Doing what you want is kinda useless.  I'm guessing you want to do 
> MAC->IP correlation for audit and LART deployment, you need to be 100% 
> sure the data you are looking at is not faked in any way as the last 
> thing you want to do is 'harm' the wrong person.

  802.1X gives you MAC strongly tied to a user.  It also usually gives
you the switch IP and port.  You can look at DHCP options to ensure that
the same MAC is on the same switch / port.  The switch can do DHCP
snooping to prevent other IPs from being used on the same port.

  The result is pretty good.  ARP spoof detection will help, but that's
just part of ongoing network monitoring.

> Whatever your solution is, bear in mind that at some stage you will need 
> to have your system handle:
>  * IPv6 addresses
>  * multiple IP addresses on the same host simultaneously

  WiFi, wired, etc.  How do you tell it's the same host, if the MAC is
different on each interface?

>  * IP addresses varying during the same session

  What 'session'?  User login?

  Alan DeKok.
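The 802.1X + DHCP correlation Alan describes above, as an added Python example (not FreeRADIUS code and not from this thread): it loads constructed accounting Start records keyed by Calling-Station-Id, joins DHCP leases to them by MAC, and flags a lease whose MAC has no 802.1X session or shows up on a different switch/port than the one it authenticated on. The one-record-per-line "Attr=Value,..." accounting format and the relay switch/port fields on the DHCP side (e.g. giaddr and the option 82 circuit-id) are assumptions.

```python
import re
# Added example (not FreeRADIUS code). Assumes the DHCP side gives the relay
# switch/port, e.g. from giaddr and the option 82 circuit-id.

def norm_mac(mac: str) -> str:
    """RADIUS may send 00-11-22-33-44-55 or 0011.2233.4455; DHCP logs 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_auths(acct_lines):
    """MAC -> (user, switch, port) from 'Attr=Value,...' accounting Start records (constructed format)."""
    auths = {}
    for line in acct_lines:
        attrs = dict(kv.split("=", 1) for kv in line.strip().split(","))
        if attrs.get("Acct-Status-Type") == "Start":
            auths[norm_mac(attrs["Calling-Station-Id"])] = (
                attrs["User-Name"], attrs["NAS-IP-Address"], attrs["NAS-Port"])
    return auths

def correlate(auths, leases):
    """Join leases (mac, ip, relay_switch, relay_port) to 802.1X sessions.
    Returns (identities: ip -> (user, mac), alerts: [(ip, mac, reason)])."""
    identities, alerts = {}, []
    for mac, ip, relay_switch, relay_port in leases:
        mac = norm_mac(mac)
        auth = auths.get(mac)
        if auth is None:                    # lease from a MAC with no 802.1X session
            alerts.append((ip, mac, "no-8021x-session"))
        elif auth[1:] != (relay_switch, relay_port):  # same MAC, different switch/port
            alerts.append((ip, mac, "port-mismatch"))
        else:
            identities[ip] = (auth[0], mac)
    return identities, alerts

# Constructed sample data: two authenticated ports, three DHCP leases
ACCT = [
    "Acct-Status-Type=Start,User-Name=alice,Calling-Station-Id=00-11-22-33-44-55,NAS-IP-Address=10.0.0.2,NAS-Port=17",
    "Acct-Status-Type=Start,User-Name=bob,Calling-Station-Id=0011.2233.4466,NAS-IP-Address=10.0.0.2,NAS-Port=18",
    "Acct-Status-Type=Stop,User-Name=carol,Calling-Station-Id=00-11-22-33-44-77,NAS-IP-Address=10.0.0.3,NAS-Port=5",
]
LEASES = [
    ("00:11:22:33:44:55", "192.0.2.10", "10.0.0.2", "17"),  # consistent with 802.1X
    ("00:11:22:33:44:66", "192.0.2.11", "10.0.0.3", "9"),   # bob's MAC seen on another switch
    ("00:11:22:33:44:77", "192.0.2.12", "10.0.0.3", "5"),   # only a Stop record: no live session
]

def run():
    return correlate(load_auths(ACCT), LEASES)
```

A port-mismatch alert is the signal to cross-check against the switch's DHCP snooping table before acting, since the accounting data alone cannot say which side is stale.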
