[unisog] Tracking usage of dynamic IP

Alexander Clouter alex-unisog at digriz.org.uk
Tue Nov 13 10:29:07 GMT 2007


Hi,

Surprised no one has mentioned it so I will =)

Russell Fulton <r.fulton at auckland.ac.nz> [20071112 11:46:30 +1300]:
>
> We have largely static IP address allocations with some meaningful (for
> varying values of meaningful) information in PTR records indicating who
> is using it or in some cases where the machine physically is.
> 
> With wireless networks and a small but increasing mobile
> population (people with laptops who genuinely need to plug in in a
> number of different places) we are coming to grips with tracking these
> dynamic addresses.
> 
Time to use that magical buzzword 802.1x.  To be serious though it really 
does work and we are using it here.  We are doing the full Authentication 
(MAC fallback based and user based), Authorisation (which VLAN to dump them 
in) and the accounting data too.  In your situation you are only interested 
in the accounting side of things.  I have not tried out an accounting only 
approach but I cannot see why it would not work.

It seems pretty difficult to get equipment that is not 802.1x enabled and so 
I would recommend you use it.  To be honest no MAC<->IP mapping will work 
unless you have solid anti-spoofing[1] in place; otherwise you cannot rely on the data.

The following is our standard switch port config (on a 3750, however it 
should work on a 2950ish):

=================
103-1#show run <useful lines>
Building configuration...

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius 
aaa accounting dot1x default start-stop group radius
aaa session-id common
!
radius-server vsa send accounting
radius-server vsa send authentication
radius-server unique-ident 13 <-- otherwise reboots break session id's
!
ip dhcp snooping vlan 1-200
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snoop.db
ip dhcp snooping
errdisable recovery cause dhcp-rate-limit
ip arp inspection vlan 1-200
ip arp inspection validate src-mac dst-mac ip 
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
errdisable recovery cause arp-inspection
!
interface FastEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security aging time 1440
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout quiet-period 3
 dot1x timeout server-timeout 10
 dot1x timeout reauth-period server
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x reauthentication
 no cdp enable
 ip verify source port-security
 ip dhcp snooping limit rate 10
end
=================

Important notes:
  * this is for AAA, not just accounting
  * for 'dot1x mac-auth-bypass' and 'switchport port-security' to work you 
	need at least 12.2(40)ish running otherwise they clash and no packets 
	ever pass (the 802.1x state machine prevents the port security 
	getting its MAC address recording and vice versa)
  * 'switchport port-security aging time 1440' is set as high as it will go 
	otherwise each time the MAC address expires the 802.1x state machine 
	is reset and your RADIUS server gets a new fresh authentication.  
	Did I mention, every five minutes? :-/
  * I might have missed a few lines but read those presentations linked below

Now in your situation I *think* you could find that simply changing 'dot1x 
port-control auto' to 'dot1x port-control force-authorized' will get the 
switch to skip the authentication and authorisation step and jump straight to 
accounting.  Your RADIUS server will simply receive accounting packets when 
people plug and unplug.

This is for your wired infrastructure, you are already pretty much doing it 
for your wireless setup I would imagine.  Now you pump the RADIUS accounting 
data into an SQL database and now you have a listing of how long a MAC 
address is plugged in.

Now to the DHCP server, you can either munch the leases file regularly or if 
you are using ISC DHCPd then you could use OMAPI[3] to query it.  Once you 
have this data you can use it to populate your SQL server, I would recommend 
you do not 'poll' the leases file at regular intervals but you make your 
scripts event based (under linux use 'inotify' to be informed when the file 
is changed), if you need some help with this do ask as I have example code 
here at work that does this and a perl module that can munch that leases file 
for you.

Good luck and have fun

Alex

[1] http://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf [2]
	http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211
	and http://articles.techrepublic.com.com/5100-1009_11-6154589.html
[2] not quite the presentation I was looking for, there was another that was  
	not your usual sales-monkey guff from Cisco but came over more as a 
	plea "all this has been built into the switches for ages...please 
	just turn it on as it's there and free"...however this presentation 
	is pretty good too
[3] http://nickg.home.cern.ch/nickg/dhcpd/omapiperl.html however lease times 
	have a mangle endian so in perl you have to firstly munch the 
	timestamp with unpack('N', pack('l', $leaseStarttime)) before you can 
	use it

-- 
 _______________________________________
/ Be both a speaker of words and a doer \
| of deeds.                             |
|                                       |
\ -- Homer                              /
 ---------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
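An added example of "munching" the ISC dhcpd leases file as described above (my own code, not Alex's perl module or anything from the post; the leases text is a constructed sample). It shows the one pitfall a practitioner hits when feeding this into SQL: dhcpd appends a new block every time a lease changes, so the last block for an IP, not the first, is the current state.

```python
import re
from datetime import datetime, timezone

# Constructed sample dhcpd.leases text, not from the original post. dhcpd appends
# a block every time a lease changes, so the LAST block for an IP is authoritative.
SAMPLE_LEASES = """\
lease 10.1.2.50 {
  starts 1 2007/11/12 10:46:30;
  ends 1 2007/11/12 22:46:30;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.1.2.50 {
  starts 1 2007/11/12 12:30:00;
  ends 1 2007/11/12 12:35:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def _parse_ts(value):
    # dhcpd writes UTC as "<weekday> YYYY/MM/DD HH:MM:SS"; "never" has no date
    if value == "never":
        return None
    _, day, clock = value.split()
    ts = datetime.strptime(day + " " + clock, "%Y/%m/%d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc)

def parse_leases(text):
    """{ip: {mac, starts, ends, state}} keeping only the newest block per IP."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        fields = {}
        for line in body.splitlines():
            key, _, val = line.strip().rstrip(";").partition(" ")
            if key in ("starts", "ends"):
                fields[key] = _parse_ts(val)
            elif key == "binding" and val.startswith("state "):
                fields["state"] = val[len("state "):]
            elif key == "hardware" and val.startswith("ethernet "):
                fields["mac"] = val[len("ethernet "):].lower()
        leases[ip] = fields  # later block for the same IP overrides earlier
    return leases

def active_mappings(text):
    # MAC -> IP for leases whose newest record is still bound to a client
    return {v["mac"]: ip for ip, v in parse_leases(text).items()
            if v.get("state") == "active" and "mac" in v}
```

Run parse_leases over the file contents from your inotify handler and insert the result rows into the same table that receives the RADIUS accounting data, keyed on the lowercased MAC.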