[unisog] Tracking usage of dynamic IP
Alexander Clouter
alex-unisog at digriz.org.uk
Wed Nov 14 10:34:35 GMT 2007
Hi,
Peter John Hill <pjhill at u.washington.edu> [20071113 09:35:50 -0800]:
>
> This is great stuff here. I have not been to an Internet2 Joint Techs
> in a while and am not sure if there have been any recent presentations
> on 802.1x deployment. The next one is in Honolulu
> http://www.hawaii.edu/tip2008
>
> It looks like there was an 802.1x presentation in 2005.
> http://events.internet2.edu/2005/JointTechs/SaltLake/sessionDetails.cfm?session=1853&event=228
>
Well living on the other side of the pond pretty much wipes out me
sunnying^Wtalking with other like-minded tech folk, however I have submitted
my abstract for the UK equivalent coming up in April:
http://www.ja.net/services/events/networkshop/networkshop-index.html
> I love the fact that you prefer EAP-TTLS. It seems that method has
> both decent security and supplicant support. Are you using client
> certificates for authentication?
>
Currently no, however FreeRADIUS has all been primed ready for the day we get
that far. As we are moving from a legacy VMPS dynamic VLAN system the only
methods available are:
* EAP-TTLS with PAP inside for username/password authentication
* for wired connectivity, if the MAC address is 'known' then it can
fallback to MAC based VLAN assignment
Access layer wise it's nice as that port config snippet I gave you is unified
for all our workstations (the server room switches are not 802.1x'd).
I have played with EAP-MD5 and in the Perl module (Net::LanWarden) I have
written it has the hooks so that EAP-TLS can be used for *host*
authentication. For us EAP-TLS will really be used in the student public
labs and workstation rollout for our staff. Laptops (even ones owned by
SOAS[1]) are considered 'untrusted' and the user will be forced to use
EAP-TTLS to authenticate the host.
> Can users preregister machines that don't natively support 802.1x all
> by themselves? Congratulations on getting it all to work. I'd be very
> curious on which part of the system needs the most improvement?
>
The Perl framework is pretty much done and in place and I have been busily
putting together a registration system that both the students and the
helpdesk staff can use when provisioning machines. MAC authentication has to
be done specially by the network team (I have scripts that read a list of MAC
addresses from a CSV file and assign them to the appropriate VLAN).
> Client OS Support
> Switch vendor support
> Backend Server support
> radius
> cert servers? (if used)
> Other
>
Hardware is, as usual, sucky. Cisco's solution (for our damn expensive WLC
4404) is that I should be using a heavily javascript'ed web frontend to
disassociate people from access points and are completely disinterested in
fixing their SNMP code[2]. Switch wise, it's only recently (on our 3750's)
that Cisco have an IOS that's suitable for a production 802.1x environment.
FreeRADIUS...there is some black magic logic in there where in the 'users'
file A&B&C&D != A&C&B&D, trial and error was involved to get the logic
working properly :-/
However, really, despite all the problems it seems to have been working fine; we
can even PXE boot too as the timers are suitably low.
> Do you have a good tool for looking through your radius logs to match
> machines to users?
>
Everything lurks in a PostgreSQL database (it was MySQL but I ended up
getting annoyed) but you should be able to dump all the data in whatever SQL
database you want (the SQL code is pretty neutral).
To find out where a *currently* logged-in machine with a given MAC address is
(and who they are) you just query:
==========
SELECT user_name, tunnel_private_group_id, nas_ip_address, nas_port_type, nas_port_id
FROM postauth
WHERE (
    packet_type = 'Access-Accept'
    AND calling_station_id = '<mac-address>'
    AND (
        (
            calling_station_id, called_station_id, nas_ip_address,
            nas_port, nas_port_id, nas_port_type, client_ip_address
        ) = (
            SELECT calling_station_id, called_station_id, nas_ip_address,
                   nas_port, nas_port_id, nas_port_type,
                   client_ip_address
            FROM acct
            WHERE acct_status_type = 'Start'
              AND calling_station_id = '<mac-address>'
            ORDER BY start_timestamp DESC
            LIMIT 1
        )
    )
)
ORDER BY timestamp DESC
LIMIT 1
==========
For a point in history it really is a case of just lining up the 'post_auth'
table alongside the 'acct' table.
The Perl code I have written simply turns this into (roughly):
=======
use Net::LanWarden;
use Net::LanWarden::Host;
use Data::Dumper;

# config file holding the database (and other) credentials
use constant CONFIG => '/home/ac56/lanwarden/lanwarden.cfg';

my $lw   = Net::LanWarden->new(config => CONFIG);
my $host = Net::LanWarden::Host->new(mac => '<mac-address>');

$lw->fetchHost($host);                # populate the host object from the database
my $details = $lw->getDot1x($host);   # runs the postauth/acct query above

print Dumper $details;
exit 0;
----------------------
The output is a dereference hash containing the results from the above SQL
query.
=======
One big use for this is tracking down AWOL leased workstations at rollout
time. We can now give our asset guy SQL access to the PostgreSQL database
and he can use his favourite Excel spreadsheet to hook in and find out live
data (and historical straight from the 'acct' table) to track down machines
with.
The details logged are everything that generally appears in the EAP related
RADIUS packets:
* switch (or AP)
* physical port
* connect time
* disconnect time
* data uploaded and downloaded
As I mentioned, the framework is now ticking along, I'm just adding the code
to make writing a web frontend more straightforward for any queries people
could have.
Cheers
Alex
[1] my employer, http://www.soas.ac.uk/
[2] the SNMP bits are there, they are meant to work but instead it just
'blackholes' the workstation's traffic. The user has to manually
disconnect and reconnect after noticing that for some reason their
link is no longer running :-/ I opened a TAC report and<rant>...
> Again, congrats!
> Peter
>
>
> On Nov 13, 2007, at 7:55 AM, Alexander Clouter wrote:
>
> > Hi,
> >
> > Peter John Hill <pjhill at u.washington.edu> [20071113 07:09:03 -0800]:
> >>
> >> On Nov 13, 2007, at 2:29 AM, Alexander Clouter wrote:
> >>>
> >>> Time to use that magical buzzword 802.1x. To be serious though it really
> >>> does work and we are using it here. We are doing the full Authentication
> >>> (MAC fallback based and user based), Authorisation (which VLAN to dump
> >>> them in) and the accounting data too. In your situation you are only
> >>> interested in the accounting side of things. I have not tried out an
> >>> accounting only approach but I cannot see why it would not work.
> >>>
> >>> It seems pretty difficult to get equipment that is not 802.1x enabled and
> >>> so I would recommend you use it. To be honest no MAC<->IP mapping will
> >>> work unless you have solid anti-spoofing[1] in place you cannot rely on
> >>> the data. er gets a new fresh authentication.
> >>
> >> I like the idea, because it provides a more reliable userid to port
> >> and mac association and uses radius for accounting data, which is
> >> pretty mature.
> >>
> >> The one thing I wonder about is that since we are talking about a
> >> university setting, how do you deal with things like xboxes, apple
> >> tvs, tivos. I think your config specified that each mac addr had to
> >> authenticate in order for them pass non-EAPOL frames. Would this
> >> encourage users to install home routers instead of home switches in
> >> their dorms and offices so that they could have one machine that does
> >> the 802.1x and gets the network up for the rest?
> >>
> > Well the settings I initially gleaned from:
> >
> > http://www.oneunified.net/blog/2007/04/30/
> >
> > I was unaware of the fallback MAC authentication approach until I read it,
> > it had been recently added to IOS from my understanding.
> >
> > The client workstations after the link is brought up have about ten seconds
> > to respond otherwise the switch goes about waiting for the MAC address to
> > appear (usually in a DHCP packet). This is then used to form a RADIUS
> > authentication packet, the MAC address is used for the username and
> > password.
> > Our RADIUS server (FreeRADIUS) is primed to notice this as a 'legacy' system
> > and deal with it appropriately. If the MAC address is registered in our LDAP
> > tree then it is dumped in a VLAN[1].
> >
> > If the MAC address is not recognised the RADIUS server decides the client does
> > not have an 802.1x supplicant and dumps them in a 'get-a-supplicant' VLAN.
> >
> > In the case when someone has a supplicant installed (even after let's say the
> > MAC based authentication has taken place) an EAP-Start packet is fired off
> > which resets the whole 802.1x state machine on the switch and then user (we
> > use EAP-TTLS via SecureW2 however PEAP or even TLS could be used)
> > authentication helps decide which VLAN they are placed in[2].
> >
> > Before the *authorisation* kicks in the MAC address is checked if it is
> > registered and if not dumps them in a registration VLAN. If the machine is
> > registered then they get dumped straight into the 'users-unmanaged' (our
> > users but on laptops/workstations that our university is not responsible for)
> > VLAN. The exception to this are eduroam[3] users; if the realm is not one
> > that we handle and the authentication succeeds then the work station is
> > dumped straight into the 'eduroam' VLAN as we are not permitted to collect
> > details regarding eduroam roaming users[4].
> >
> >> How about projectors? Most printers probably support 802.1x. Are these
> >> things dealt with as exceptions where somehow the switch config for
> >> that device needs to allow that device to not use 802.1x?
> >>
> > *Pre-registered* as being permitted to use MAC authentication.
> >
> >> It's an interesting deployment scenario, that's why I am asking. These
> >> are questions that I have wondered about whenever thinking about 802.1x.
> >>
> > I can see why you are curious. There was *nothing* out there for me to work
> > on. All the consultants had no advice other than "make sure you have a good
> > testbed" :-/ It was complete trial and error on my part. I probably have
> > missed other details[5] so do ask and it is probably tucked away in my brain
> > somewhere :)
> >
> > So in conclusion, this is completely new territory. All those commercial NAC
> > solutions actually do *not* support 802.1x and simply overthrow the switch
> > configuration forcing them kludgily into a 'quarantine' VLAN. We wanted
> > something far more graceful where we change an LDAP object (to 'quarantine'
> > for example) and then re-initialise the 802.1x state machine for the port on
> > the switch or AP.
> >
> > Fortunately my employer (a university) was happy for me to write one from
> > scratch in Perl</smugness> :)
> >
> > Cheers
> >
> > Alex
> >
> > [1] this is pretty much identical to a VMPS approach but without the need for
> > OpenVMPS and gives you the perfect 802.1x migration strategy for some
> > time in the future
> > [2] well this home brewed (GPL and still in development) NAC solution of ours
> > actually lets workstations exist in a number of VLANs and users can
> > only exist in a single VLAN. Wherever there is this overlap that
> > is the VLAN the machine is placed into
> > [3] http://www.eduroam.org/
> > [4] if an abuse issue arises we blacklist the MAC address
> > [5] such as that a Cisco 440x sucks as you cannot disassociate someone via
> > SNMP and that Mac OS X machines (and Linux) will not renew their DHCP
> > lease if you force a re-authentication of the port they are connected
> > to (so you have to shutdown the port for ten seconds and then
> > re-enable it)
> >
> > --
> >  ____________________________________
> > / A journey of a thousand miles must \
> > | begin with a single step.          |
> > |                                    |
> > \ -- Lao Tsu                         /
> >  ------------------------------------
> >         \   ^__^
> >          \  (oo)\_______
> >             (__)\       )\/\
> >                 ||----w |
> >                 ||     ||
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.dshield.org
> > https://lists.sans.org/mailman/listinfo/unisog
--
 _________________________________________
/ Cleanliness becomes more important when \
| godliness is unlikely.                  |
|                                         |
\ -- P. J. O'Rourke                       /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
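Worked example of the lookup shown in the message above (added here; it is not the post's Net::LanWarden code): a Python script that loads constructed 'postauth' and 'acct' rows into an in-memory SQLite database, runs the same row-value correlation with the MAC bound as a parameter, and adds a per-session history view of the kind the asset-tracking paragraph describes. The dashed upper-case storage format for Calling-Station-Id, the normaliser in front of the query, the history query and every sample value are assumptions made for the demo.

```python
"""Correlate FreeRADIUS 'postauth' and 'acct' rows to answer "where is this MAC
plugged in right now, and who authenticated on it?", then list its sessions.

Added example, not the post's Net::LanWarden code.  Table and column names follow
the post; the MAC normalisation, the history query and all data are constructed.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE postauth (user_name TEXT, packet_type TEXT, tunnel_private_group_id TEXT,
  calling_station_id TEXT, called_station_id TEXT, nas_ip_address TEXT, nas_port INTEGER,
  nas_port_id TEXT, nas_port_type TEXT, client_ip_address TEXT, timestamp TEXT);
CREATE TABLE acct (acct_status_type TEXT, calling_station_id TEXT, called_station_id TEXT,
  nas_ip_address TEXT, nas_port INTEGER, nas_port_id TEXT, nas_port_type TEXT,
  client_ip_address TEXT, start_timestamp TEXT, stop_timestamp TEXT,
  acct_input_octets INTEGER, acct_output_octets INTEGER);
"""
# Constructed sample data.  Workstation WS1 sat on switch 10.0.0.1 port 7 on the
# 13th (session since stopped) and has been on switch 10.0.0.2 port 3 since 09:00
# on the 14th, where it was re-authenticated once (a second Access-Accept, no new
# accounting Start).  Laptop LT1 was rejected once, then accepted on port 12.
WS1, LT1 = "00-11-22-33-44-55", "00-DE-AD-BE-EF-01"
SW1, SW2 = ("10.0.0.1", "00-AA-BB-CC-DD-01"), ("10.0.0.2", "00-AA-BB-CC-DD-02")

def _pa(user, ptype, vlan, mac, sw, port, ts):                   # one postauth row
    return (user, ptype, vlan, mac, sw[1], sw[0], 10100 + port,
            "GigabitEthernet1/0/%d" % port, "Ethernet", sw[0], ts)

def _acct(status, mac, sw, port, start, stop, in_oct, out_oct):  # one acct row
    return (status, mac, sw[1], sw[0], 10100 + port, "GigabitEthernet1/0/%d" % port,
            "Ethernet", sw[0], start, stop, in_oct, out_oct)

POSTAUTH_ROWS = [
    _pa("ac56", "Access-Accept", "staff-managed", WS1, SW1, 7, "2007-11-13 08:00:00"),
    _pa("ac56", "Access-Accept", "staff-managed", WS1, SW2, 3, "2007-11-14 09:00:00"),
    _pa("ac56", "Access-Accept", "staff-managed", WS1, SW2, 3, "2007-11-14 10:00:00"),
    _pa("bob", "Access-Reject", None, LT1, SW1, 12, "2007-11-14 09:05:00"),
    _pa("bob", "Access-Accept", "users-unmanaged", LT1, SW1, 12, "2007-11-14 09:06:00"),
]
ACCT_ROWS = [
    _acct("Start", WS1, SW1, 7, "2007-11-13 08:00:01", None, 0, 0),
    _acct("Stop", WS1, SW1, 7, "2007-11-13 08:00:01", "2007-11-13 17:30:00", 123456, 7890123),
    _acct("Start", WS1, SW2, 3, "2007-11-14 09:00:01", None, 0, 0),
    _acct("Start", LT1, SW1, 12, "2007-11-14 09:06:01", None, 0, 0),
]

# The post's query with the MAC bound as a parameter.  The row-value comparison
# ties the Access-Accept to the full NAS tuple of the MAC's most recent accounting
# Start, so an accept for a port the machine has since left cannot be returned.
CURRENT_SQL = """
SELECT user_name, tunnel_private_group_id, nas_ip_address, nas_port_type, nas_port_id
FROM postauth
WHERE packet_type = 'Access-Accept'
  AND calling_station_id = :mac
  AND (calling_station_id, called_station_id, nas_ip_address,
       nas_port, nas_port_id, nas_port_type, client_ip_address) =
      (SELECT calling_station_id, called_station_id, nas_ip_address,
              nas_port, nas_port_id, nas_port_type, client_ip_address
       FROM acct
       WHERE acct_status_type = 'Start' AND calling_station_id = :mac
       ORDER BY start_timestamp DESC LIMIT 1)
ORDER BY timestamp DESC LIMIT 1
"""
# One row per session: the Start and Stop records of the same (NAS, port, start)
# collapse together, so a still-open session shows a NULL stop_timestamp.
HISTORY_SQL = """
SELECT nas_ip_address, nas_port_id, start_timestamp, MAX(stop_timestamp) AS stop_timestamp,
       MAX(acct_input_octets) AS acct_input_octets, MAX(acct_output_octets) AS acct_output_octets
FROM acct WHERE calling_station_id = :mac
GROUP BY nas_ip_address, nas_port_id, start_timestamp ORDER BY start_timestamp
"""

def normalize_mac(mac):
    """Canonicalise a MAC typed in any vendor format ('0011.2233.4455',
    '00:11:22:33:44:55', ...) to the dashed upper-case form assumed to be what the
    NAS sends in Calling-Station-Id; otherwise the equality test silently misses."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO postauth VALUES (%s)" % ",".join("?" * 11), POSTAUTH_ROWS)
    conn.executemany("INSERT INTO acct VALUES (%s)" % ",".join("?" * 12), ACCT_ROWS)
    return conn

def current_location(conn, mac):
    """Switch/AP, port, VLAN and user of the MAC's live session, or None."""
    row = conn.execute(CURRENT_SQL, {"mac": normalize_mac(mac)}).fetchone()
    return dict(row) if row else None

def session_history(conn, mac):
    """Every session the MAC has had, oldest first (the asset-tracking view)."""
    return [dict(r) for r in conn.execute(HISTORY_SQL, {"mac": normalize_mac(mac)})]

if __name__ == "__main__":
    db = build_sample_db()
    print(current_location(db, "0011.2233.4455"))
    for session in session_history(db, WS1):
        print(session)
```

The normaliser is the check worth keeping: switches and access points write Calling-Station-Id in different styles, and a lookup that compares strings literally returns nothing rather than an error when the style differs.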
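The VLAN decision described in the quoted earlier message (MAC fallback, the 'get-a-supplicant' and registration VLANs, the eduroam exception, and footnote [2]'s rule that a machine may live in several VLANs while a user has one), as an added example and not the author's FreeRADIUS or Net::LanWarden policy. The two dicts stand in for the LDAP tree; the realm, MACs and VLAN names are constructed, and two details the thread does not state are assumptions: a legacy MAC-only request gets the machine's first listed VLAN, and a registered machine whose user shares none of its VLANs is rejected.

```python
"""Authorisation policy for the 802.1x / MAC-fallback scheme the quoted thread
describes.  Added example, not the author's configuration: the dicts stand in
for the LDAP tree, names are constructed, and the 'first listed VLAN' and
'reject on no overlap' choices are assumptions the thread does not settle.
"""
from dataclasses import dataclass
from typing import Optional

LOCAL_REALMS = {"example.ac.uk"}   # constructed: realms this RADIUS server owns

# Stand-in for the LDAP tree: MAC -> VLANs the machine may be placed in.
MACHINES = {
    "00-11-22-33-44-55": ["staff-managed", "labs"],   # managed workstation
    "00-DE-AD-BE-EF-01": ["users-unmanaged"],         # registered staff laptop
    "00-50-56-00-00-99": ["printers"],                # printer, MAC auth only
}
# Stand-in: a user belongs to exactly one VLAN.
USERS = {"ac56": "staff-managed", "bob": "users-unmanaged"}


@dataclass
class Request:
    calling_station_id: str   # client MAC as the switch/AP reports it
    user_name: str            # the MAC itself for legacy requests, else user[@realm]
    mac_fallback: bool        # switch timed out waiting for EAPOL and sent the MAC
    authenticated: bool       # password / EAP inner method check passed


@dataclass
class Decision:
    accept: bool
    vlan: Optional[str] = None   # Tunnel-Private-Group-Id to return when accepted
    reason: str = ""


def realm_of(user_name: str) -> Optional[str]:
    """Realm after '@', or None when the user gave none (treated as local)."""
    return user_name.rpartition("@")[2].lower() if "@" in user_name else None


def authorise(req: Request) -> Decision:
    mac = req.calling_station_id.upper()
    if not req.authenticated:
        return Decision(False, reason="authentication failed")

    if req.mac_fallback:
        # Legacy path: the MAC was username and password.  A registered MAC gets
        # its VLAN (first listed: assumption); anything else lands in the VLAN
        # whose only job is to tell the user to install a supplicant.
        vlans = MACHINES.get(mac)
        if vlans:
            return Decision(True, vlans[0], "registered MAC, legacy assignment")
        return Decision(True, "get-a-supplicant", "unknown MAC, no supplicant")

    # 802.1x user path.  Roaming eduroam users skip the MAC registration check
    # and are not tracked: straight into the eduroam VLAN.
    realm = realm_of(req.user_name)
    if realm is not None and realm not in LOCAL_REALMS:
        return Decision(True, "eduroam", "foreign realm %s" % realm)

    vlans = MACHINES.get(mac)
    if not vlans:
        return Decision(True, "registration", "our user on an unregistered machine")

    user_vlan = USERS.get(req.user_name.partition("@")[0])
    if user_vlan in vlans:
        return Decision(True, user_vlan, "VLAN shared by machine and user")
    return Decision(False, reason="machine and user share no VLAN (assumed reject)")


if __name__ == "__main__":
    # Constructed requests, one per branch of the policy.
    for r in (
        Request("00-50-56-00-00-99", "00-50-56-00-00-99", True, True),
        Request("00-00-00-00-00-01", "00-00-00-00-00-01", True, True),
        Request("00-DE-AD-BE-EF-01", "bob", False, True),
        Request("00-00-00-00-00-01", "ac56", False, True),
        Request("00-00-00-00-00-01", "visitor@other.ac.uk", False, True),
        Request("00-DE-AD-BE-EF-01", "ac56", False, True),
    ):
        print(r.user_name, "on", r.calling_station_id, "->", authorise(r))
```

Keeping the eduroam check ahead of the registration check is what the quoted description requires: a foreign-realm user must never reach the branch that records which machine they are on.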