MAC/IP/Identity correlation through AAA and DHCP

Alexander Clouter alex at
Mon Sep 14 10:15:38 CEST 2009


I think we are arguing for the same thing here :)

Alan DeKok <aland at> wrote:
> Alexander Clouter wrote:
>> That's the thing, after thinking long and hard about the consequences, 
>> treating a connecting machine differently (for example different VLAN) 
>> depending on the person using the workstations is a serious fxhyyshpx if 
>> you think in terms of "gets p0wned by previous user, then an 
>> 'administrator' logs in".
>  That isn't the use-case.  The use case is "a machine with IP X is
> breaking the network... who do I blame?"
>  If you can narrow it down to "the only person using that machine in
> the past day was user Y", you know who to yell at.
Yes, but using *user* credentials for the 802.1X dance does not help you 

>> A workstation should be either on the network or not on the network (not 
>> being some isolated 'guest'/'quarantine' network).
>  How does it fix itself, then, if its virus DB isn't up to date?
A 'guest'/'quarantine' subnet always has a list of places people can get 
to.  When I create such a pool I use a combination of:
 * DNS hijacking
 * web redirect
 * HTTP/FTP proxies (the one case I do use a transparent proxy)
>>  It has been this (and the multiple IP address bit) that has stopped 
>> me ever using vendor NAS extensions that tell you what IP is being 
>> used by the connecting host...sure that might be what it is using 
>> now, what about two days later on.
>  Integrate DHCP logs with RADIUS via SQL.
Completely agree; however, if you look at the other sub-thread I was just 
putting in a warning note for DIYers to consider multiple IPs, changing 
IPs, IPv6, etc.  As I mentioned there, I have seen people take 
the RADIUS accounting 'workstation IP is...' as gospel in the past.


Alexander Clouter
.sigmonster says: Your goose is cooked.
                  (Your current chick is burned up too!)
