MAC/IP/Identity correlation through AAA and DHCP
Alexander Clouter
alex at digriz.org.uk
Mon Sep 14 10:15:38 CEST 2009
Hi,
I think we are arguing for the same thing here :)
Alan DeKok <aland at deployingradius.com> wrote:
>
> Alexander Clouter wrote:
>> That's the thing, after thinking long and hard about the consequences,
>> treating a connecting machine differently (for example different VLAN)
>> depending on the person using the workstations is a serious fxhyyshpx if
>> you think in terms of "gets p0wned by previous user, then an
>> 'administrator' logs in".
>
> That isn't the use-case. The use case is "a machine with IP X is
> breaking the network... who do I blame?"
>
> If you can narrow it down to "the only person using that machine in
> the past day was user Y", you know who to yell at.
>
Yes but using *user* credentials for the 802.1X dance does not help you
here.
>> A workstation should be either on the network or not on the network (not
>> being some isolated 'guest'/'quarantine' network).
>
> How does it fix itself, then, if it's virus DB isn't up to date?
>
'guest'/'quarantine' subnet always has a list of places people can get
to. When I create such a pool I use a combination of:
* DNS hijacking
* web redirect
* HTTP/FTP proxies (the one case I do use a transparent proxy)
>> It has been this (and the multiple IP address bit) that has stopped
>> me ever using vendor NAS extensions that tell you what IP is being
>> used by the connecting host...sure that might be what it is using
>> now, what about two days later on.
>
> Integrate DHCP logs with RADIUS via SQL.
>
Complete agree, however if you look at the other sub-thread I was just
putting in a warning note for DIYers to consider multiple IP's, changing
IP's and IPv6 etc etc. As I mentioned there, I have seen people take
the RADIUS accounting 'workstation IP is...' as gospel in the past.
Cheers
--
Alexander Clouter
.sigmonster says: Your goose is cooked.
(Your current chick is burned up too!)
More information about the Freeradius-Users
mailing list