Re: Tracking Dynamic IP assignments

Gary N. McKinney (gmckinney@megabits.net)
Sun, 22 Dec 1996 08:59:54 -0500

Pete Kruckenberg wrote:
>
> My understanding is that there are essentially three ways to assign IP
> addresses to a Portmaster session (using RADIUS):
>
> - static based on user id
> - static based on port (an entry for each port in the users file)
> - dynamic based on configured Portmaster "pool"
>
> It appears that there is no way to track which dynamic address was
> assigned to which user/port. There doesn't appear to be anything in the
> RADIUS accounting record (at least, according to the IETF RADIUS
> Accounting Draft 5) that would record which dynamic IP address was
> assigned to the user/port.
>
*****

Actually ... If you get a copy of Radius 2.0 the accounting records
contain
the Dynamic IP address which was assigned to a user at the time of the
connection....

> So, it seems like the only way to track (at least, through RADIUS) which
> IP address was assigned to a user/port for a session would be to set up
> (in the "users" file) a DEFAULT user for each port with a specific IP
> address to be assigned to that port each time a session is activated on
> it. That seems to be a lot of work.
>
> I can see a problem also if the Auth-Type is Local (ie DEFAULT entries
> won't work), which would require user-specific static addresses (or is
> there a way to tell RADIUS to use a password file other than /etc/passwd
> for System authentication?). It seems that it would be appropriate to have
> the PM return the "Framed-IP-Address" (and maybe "Framed-Protocol" as
> well) in the accounting Start record when the IP address is assigned
> dynamically (or anytime it's a Framed session). Similar information is
> returned for Login sessions.
>

Too Late ... It's in there....

> Is the IP assignment information available via some PM "show" command? If
> so, I guess I could have some other process running that periodically ran
> that command on each active port, then parsed the output and stored it in
> a log file.
>
> My application is two-fold: (1) be able to determine who was the culprit
> if some kind of unethical/illegal activity happens on a dial-up session
> and (2) authenticate to other services (ie Web-based accounting interface)
> using a combination of the in-coming IP address and knowing who the PM
> assigned that address to.
>
> Ideas? Help?
>
> Pete Kruckenberg
> pete@inquo.net

Hope the above info helps ... BTW: you can download the latest copy of
Radius from the Livingston FTP server...

Later ... gm...

FWIW: We use the information in the accounting files to keep track of
exactly what you described above ... all you have to do is
modify the scripts for accounting ( on the livingston server )
to give you a report of the user's call time and IP address
assignment ... Makes a great deterent to the would-be "cracker".

later...