In my network I am using EAP-TLS authentication (machine certificates) for clients. Those clients are using a Squid proxy to access the internet. The proxy is logging the requests to the access.log. Now what I want to do is to backtrack from an IP address in the access.log to the certificate name (CN) of the machine that requested a page, by first going from the IP address via the arpwatch log to the MAC address and then using the RadAcct logging files for the certificate name (CN) by searching for the MAC address and date.
Is this advisable and secure, or is there a better option for tracking who surfed where?
Is this vulnerable to ARP poisoning attacks or MAC/IP spoofing, or other clever tricks?
If I additionally use a username/password combination for the authentication (e.g. eap-tls & peap), would it be possible to use the passwords for both logons (network & proxy)?
Edit: Ideally I would want the users to only have to input the credentials once.
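As an added example (not written by the question's author), here is the IP -> MAC -> CN correlation described above as a script. It assumes Squid's native access.log format, arpwatch's syslog messages ("new station" / "changed ethernet address"), and a FreeRADIUS-style accounting detail file; the sample log lines, host names and MACs are constructed, all timestamps are assumed to be UTC, and the year for the year-less syslog lines is assumed. It also shows the check a practitioner would want before trusting the result: if arpwatch saw the IP's MAC change shortly before the request, the mapping is flagged rather than reported as fact.

```python
import re
from datetime import datetime, timezone

# Constructed sample logs (not from any real system); all times assumed UTC.
SQUID_LOG = """\
1672567200.412    245 10.0.0.5 TCP_MISS/200 1024 GET http://example.test/a - HIER_DIRECT/203.0.113.10 text/html
1672570800.100    120 10.0.0.5 TCP_MISS/200 512 GET http://example.test/b - HIER_DIRECT/203.0.113.10 text/html
"""
ARPWATCH_LOG = """\
Jan  1 09:55:00 gw arpwatch: new station 10.0.0.5 0:1a:2b:3c:4d:5e eth0
Jan  1 10:30:00 gw arpwatch: changed ethernet address 10.0.0.5 0:de:ad:be:ef:1 (0:1a:2b:3c:4d:5e) eth0
"""
RADACCT_DETAIL = """\
Sun Jan  1 09:50:00 2023
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-1A-2B-3C-4D-5E"
\tUser-Name = "host/pc01.example.test"

Sun Jan  1 09:52:00 2023
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-DE-AD-BE-EF-01"
\tUser-Name = "host/rogue.example.test"
"""
SYSLOG_YEAR = 2023     # arpwatch syslog lines carry no year; assumed here
CHANGE_WINDOW = 3600   # seconds: flag requests this close after an ARP mapping change


def normalize_mac(raw):
    """Canonical aa:bb:cc:dd:ee:ff. arpwatch drops leading zeros, RADIUS uses dashes."""
    octets = re.split(r"[:\-.]", raw.strip().lower())
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {raw!r}")
    return ":".join(o.zfill(2) for o in octets)


def parse_squid(text):
    """Native access.log: epoch elapsed client action/code size method URL ..."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
        out.append({"time": ts, "ip": f[2], "url": f[6]})
    return out


ARP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ arpwatch: "
                    r"(new station|changed ethernet address|flip flop) (\S+) (\S+)")

def parse_arpwatch(text, year=SYSLOG_YEAR):
    out = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append({"time": ts.replace(tzinfo=timezone.utc), "event": m.group(2),
                    "ip": m.group(3), "mac": normalize_mac(m.group(4))})
    return out


ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_radacct(text):
    """Detail-file records: a timestamp line followed by indented attribute lines."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        ts = datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")
        attrs = dict(ATTR_RE.match(l).groups() for l in lines[1:] if ATTR_RE.match(l))
        if attrs.get("Acct-Status-Type") != "Start":
            continue
        out.append({"time": ts.replace(tzinfo=timezone.utc),
                    "mac": normalize_mac(attrs["Calling-Station-Id"]),
                    "user": attrs.get("User-Name")})
    return out


def latest_before(records, at, **match):
    """Most recent record at or before `at` whose fields equal the given values."""
    hits = [r for r in records if r["time"] <= at and all(r[k] == v for k, v in match.items())]
    return max(hits, key=lambda r: r["time"]) if hits else None


def trace(request, arp_events, acct):
    """IP -> MAC (arpwatch) -> User-Name/CN (RADIUS accounting), with a spoofing flag."""
    arp = latest_before(arp_events, request["time"], ip=request["ip"])
    if arp is None:
        return {**request, "mac": None, "user": None, "flags": ["no arp record"]}
    flags = []
    # A MAC change for this IP shortly before the request (ARP poisoning, MAC spoofing,
    # or plain DHCP churn) means the attribution is not evidence on its own.
    if arp["event"] != "new station" and (request["time"] - arp["time"]).total_seconds() < CHANGE_WINDOW:
        flags.append(f"mac for {request['ip']} changed at {arp['time']:%H:%M:%S}")
    session = latest_before(acct, request["time"], mac=arp["mac"])
    if session is None:
        flags.append("no radius session for mac")
    return {**request, "mac": arp["mac"], "user": session["user"] if session else None, "flags": flags}


def trace_all(squid_text=SQUID_LOG, arp_text=ARPWATCH_LOG, acct_text=RADACCT_DETAIL):
    arp_events = parse_arpwatch(arp_text)
    acct = parse_radacct(acct_text)
    return [trace(r, arp_events, acct) for r in parse_squid(squid_text)]


if __name__ == "__main__":
    for hit in trace_all():
        print(f"{hit['time']:%Y-%m-%d %H:%M:%S} {hit['ip']} -> {hit['mac']} -> {hit['user']} {hit['flags']}")
```

On the sample data the first request resolves cleanly to pc01, while the second resolves to a different machine but is flagged because arpwatch recorded the IP switching MACs half an hour earlier; that flag is exactly the case where ARP poisoning or MAC spoofing would otherwise produce a confident but wrong attribution. Two details matter in practice: the MAC must be normalised before comparison (arpwatch prints `0:1a:...`, RADIUS `00-1A-...`), and all three logs must be on the same clock (NTP) or the "latest record before the request" lookups will pick the wrong session.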