MAC/IP/Identity correlation through AAA and DHCP
Alan DeKok
aland at deployingradius.com
Mon Sep 14 09:02:36 CEST 2009
Alexander Clouter wrote:
> That's the thing, after thinking long and hard about the consequences,
> treating a connecting machine differently (for example different VLAN)
> depending on the person using the workstations is a serious fxhyyshpx if
> you think in terms of "gets p0wned by previous user, then an
> 'administrator' logs in".
That isn't the use-case. The use case is "a machine with IP X is
breaking the network... who do I blame?"
If you can narrow it down to "the only person using that machine in
the past day was user Y", you know who to yell at.
> A workstation should be either on the network or not on the network (not
> being some isolated 'guest'/'quarantine' network).
How does it fix itself, then, if its virus DB isn't up to date?
> During a single workstation 802.1X connection (accounting start, to
> accounting end), there is no reason the IP address on the workstation
> cannot (should is another argument, then it depends are we talking
> about IPv4 or IPv6) change whilst it is connected.
Sure... but you have the MAC + switch port, so you can still track
that IP to the machine / user.
> It has been this
> (and the multiple IP address bit) that has stopped me ever using vendor
> NAS extensions that tell you what IP is being used by the connecting
> host...sure that might be what it is using now, what about two days
> later on.
Integrate DHCP logs with RADIUS via SQL.
Alan DeKok.
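The "integrate DHCP logs with RADIUS via SQL" step, as an added example that is not from the thread: it loads constructed radacct and DHCP lease tables into SQLite and answers "who was using IP X at time T" by joining on the MAC (Calling-Station-Id) rather than the IP, so a mid-session IP change still resolves to the same session. The radacct column names are the stock FreeRADIUS SQL schema; the dhcp_leases layout is an assumed export format.

```python
import sqlite3

# Constructed sample data (not from the original thread). radacct columns follow
# the stock FreeRADIUS schema; dhcp_leases is an assumed layout for exported leases.
RADACCT = [
    # username, callingstationid (MAC), nasipaddress, nasportid, acctstarttime, acctstoptime
    ("alice", "00-11-22-33-44-55", "10.0.0.2", "GigabitEthernet1/0/7", "2009-09-13 08:00:00", "2009-09-13 17:00:00"),
    ("bob",   "00-11-22-33-44-55", "10.0.0.2", "GigabitEthernet1/0/7", "2009-09-14 07:30:00", None),
    ("carol", "66-77-88-99-AA-BB", "10.0.0.2", "GigabitEthernet1/0/8", "2009-09-14 07:00:00", None),
]
DHCP_LEASES = [
    # mac, ip, lease_start, lease_end
    # bob's MAC gets a new IP mid-session and alice/carol reuse 192.0.2.10 at other times,
    # so the correlation must join on MAC and check the time windows, not match on IP alone.
    ("00-11-22-33-44-55", "192.0.2.10", "2009-09-14 07:31:00", "2009-09-14 09:00:00"),
    ("00-11-22-33-44-55", "192.0.2.42", "2009-09-14 09:00:00", "2009-09-14 11:00:00"),
    ("66-77-88-99-AA-BB", "192.0.2.10", "2009-09-14 09:05:00", "2009-09-14 11:05:00"),
]

# Lease holding the IP at the instant, joined to every accounting session of that
# MAC that was open at the same instant (acctstoptime IS NULL = still connected).
WHO_HAD_IP = """
SELECT DISTINCT a.username, d.mac, a.nasipaddress, a.nasportid
FROM dhcp_leases d
JOIN radacct a ON a.callingstationid = d.mac
WHERE d.ip = ?
  AND d.lease_start <= ? AND ? < d.lease_end
  AND a.acctstarttime <= ?
  AND (a.acctstoptime IS NULL OR a.acctstoptime >= ?)
"""


def build_db():
    """In-memory SQLite database standing in for the shared RADIUS/DHCP SQL store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username, callingstationid, nasipaddress, "
               "nasportid, acctstarttime, acctstoptime)")
    db.execute("CREATE TABLE dhcp_leases (mac, ip, lease_start, lease_end)")
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?)", RADACCT)
    db.executemany("INSERT INTO dhcp_leases VALUES (?,?,?,?)", DHCP_LEASES)
    return db


def who_had_ip(db, ip, when):
    """Return (username, mac, nas, port) rows for the 802.1X session(s) whose MAC held
    `ip` via DHCP at ISO timestamp `when` (ISO strings compare correctly as text)."""
    return db.execute(WHO_HAD_IP, (ip, when, when, when, when)).fetchall()
```

An empty result means no lease covered that IP at that time, which is itself worth logging: the IP was either static, spoofed, or the DHCP export has a gap.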