MAC/IP/Identity correlation through AAA and DHCP
alex at digriz.org.uk
Sun Sep 13 12:38:48 CEST 2009
Ben Jencks <ben at bjencks.net> wrote:
> On Sep 12, 2009, at 18:21, Alexander Clouter wrote:
>> Ben Jencks <ben at bjencks.net> wrote:
>> I *strongly* recommend you do not mix user and host authentication
>> into one which looks like what you are slipping into doing.
>> Computers can have multiple users (think of a UNIX box SSHed into),
>> they might have an administrative entity which is identifiable by the
>> host credentials though.
> It's 100% laptops, so this isn't really an issue. Whoever logs the
> machine into the network is responsible for its actions.
At my work place the organisation (helldesk) provisions the staff with
laptops but they are not the users of the laptop. Blaming the user for
an infection/abuse@ attack is futile...can you say your userbase is
Clued(tm) enough to comprehend or care what they have done? :)
You want to track down the party responsible for the workstation (and
where the workstation actually lives), the *host* authentication, the
user authentication is something that happens when they access resources
such as file shares and email.
>> As for parsing FreeRADIUS 'log' files, I hope you mean you are just
>> putting the accounting information into SQL and that's the 'parsing'
>> out the way. You would be pretty...erm...well crazy to be doing it
>> any other way.
> That's the parsing, but there's still correlation to do, and possibly
> reformatting in ways simple views can't handle.
Not questioning you, only curious what you want to do with the data;
incase I can do more stuff with our data than we currently do :)
>> Doing what you want is kinda useless. I'm guessing you want to do
>> MAC->IP correleration for audit and LART deployment, you need to be
>> 100% sure the data you are looking at is not faked in any way as the
>> last thing you want to do is 'harm' the wrong person.
> DHCP snooping should take care of most of these, and as you mention
> 802.1x makes MAC spoofing pointless.
> If this is an uncommon use case, is there a better way I'm missing to
> accomplish the same thing? That is, I need to be able to take an abuse
> report with just an IP and a time in it, and notify/take action on a
> particular user. Since authentication happens before an IP is
> assigned, the best way I could think of to associate an IP is to ask
> the DHCP server.
As you already have the typical spoofing attacks covered then you can
trust your DHCP logs. Use your RADIUS 802.1X logs to act as a validator
to make sure your DHCP logs look sane.
Some people find the (*cough* ISC *cough*) DHCP server so inflexible
they bite the bullet and poll the ARP tables of their routers switches.
This usually comes about when you start writing code to parse the
dhcpd.leases files and then find your self wanting to scoop your eyes
out with a rusty blunt spoon...of course the disadvantage with polling
is it is not event driven and you might miss a DHCP Offer->Release
>> Whatever your solution is, bear in mind that at some stage you will
>> need to have your system handle:
>> * IPv6 addresses
> Probably will wait until there's vendor support for DHCPv6 snooping.
I only mentioned it as it looks like you might be forced to roll your
>> * multiple IP addresses on the same host simulateously
>> * IP addresses varying during the same session
> Doesn't really matter, as long as there's a timestamped record of each.
Again, only mentioned for hints on the DIY approach, some people I know
are already simply just relying on vendor extensions to RADIUS
accounting packets that tell the RADIUS server the IP address the client
is using. They then take this as gospel and ignore things like lease
renewal and whatnot.
.sigmonster says: What happens when you cut back the jungle? It recedes.
More information about the Freeradius-Users