
In my network I am using EAP-TLS authentication (machine certificates) for clients. Those clients are using a Squid proxy to access the internet. The proxy is logging the requests to the access.log. Now what I want to do is to backtrack from an IP address in the access.log to the certificate name (CN) of the machine that requested a page, by first going from the IP address via the arpwatch log to the MAC address and then using the RadAcct logging files for the certificate name (CN) by searching for the MAC address and date.

Is this advisable and secure, or is there a better option for tracking who surfed where?

Is this vulnerable to arp poisoning attacks or mac/ip spoofing, or other clever tricks?

If I additionally use a username/password combination for the authentication (e.g. EAP-TLS & PEAP), would it be possible to use the passwords for both logons (network & proxy)?

Edit: Ideally I would want the users to only have to input the credentials once.

HalloDu

1 Answer

Well, if you want your reporting to list the access by machine identity then I don't see anything wrong with that idea - provided you have the logs on both sides (and the timestamps are good and all that), then why not. When you say you're using EAP-TLS, I assume you mean 802.1x with EAP-TLS for wired/wireless client access.

As to whether the whole concept is vulnerable to ARP poisoning or not - well, that's what ARPwatch is for, surely, so if that's not sufficient then there are other solutions. MAC spoofing should trigger 802.1x to reauthenticate the interface - whether that prevents all MAC spoofing attacks or not I can't say, but it will force the system to re-authenticate, so you'll have EAP-TLS logs that show the same machine identity authenticating with different MAC addresses, and your lookup of the identity of the machine will still be accurate. At this point my guess is that your certificate distribution/enrollment mechanism would be a bigger risk.

You can use the same passwords for the proxy and network access provided you can point them both at the same directory service. There are definitely lots of ways to do that depending on your platform(s) - I set up a lab environment a couple of years ago where network access was controlled by 802.1x with EAP-TLS + PEAP, where we used AD credentials, and had an external proxy that also required AD authentication. Whether there is any particular benefit in adding the extra authentication layers is something I was never convinced about; personally I would have been happier with a more secure certificate store and reliance on certificates alone. I'm pretty sure there are even more options for this sort of layered authentication today.

Helvick
Thank you, that's what I hoped for. I plan to use an OpenLDAP directory service for authentication in my Samba domain, for the proxy and PEAP, but what I wanted to know is if a user needs to input his password both for WLAN and for the proxy, or if you can unify that somehow. – HalloDu Nov 17 '10 at 22:07
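The IP -> MAC -> certificate-name lookup described in the question, as an added example that is not part of this thread: it correlates one Squid access.log line with arpwatch syslog events and FreeRADIUS accounting detail records, picking the binding that was current at the request timestamp (the answer's point that the timestamps on both sides must be reliable). All log lines are constructed samples; the year, UTC timestamps, the `host/<name>` identity format and the FreeRADIUS detail-file layout are assumptions.

```python
import re
from datetime import datetime, timezone

YEAR = 2010  # syslog lines carry no year; assumed from the thread's date
# Constructed arpwatch syslog lines (arpwatch writes MACs without zero padding).
ARPWATCH_LOG = """\
Nov 17 21:40:12 gw arpwatch: new station 10.0.0.23 0:11:22:33:44:55 eth0
Nov 17 21:58:40 gw arpwatch: changed ethernet address 10.0.0.23 0:aa:bb:cc:dd:ee (0:11:22:33:44:55) eth0
"""
# Constructed FreeRADIUS detail records; with EAP-TLS, User-Name carries the certificate identity.
RADACCT_LOG = """\
Wed Nov 17 21:39:55 2010
	Acct-Status-Type = Start
	User-Name = "host/pc01.example.org"
	Calling-Station-Id = "00-11-22-33-44-55"

Wed Nov 17 21:58:30 2010
	Acct-Status-Type = Start
	User-Name = "host/pc07.example.org"
	Calling-Station-Id = "00-AA-BB-CC-DD-EE"
"""

def norm_mac(mac):
    """Canonical MAC (lowercase, zero-padded, colon separated) so both logs compare."""
    return ":".join(p.zfill(2).lower() for p in re.split(r"[:-]", mac))
def epoch(text, fmt):  # log timestamps are assumed to be written in UTC
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()
def parse_arpwatch(text):
    """(timestamp, ip, mac) for every event that binds an IP to a new MAC."""
    pat = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ arpwatch(?:\[\d+\])?: "
                     r"(?:new station|changed ethernet address) (\S+) (\S+)")
    return [(epoch(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S"), m[2], norm_mac(m[3]))
            for m in map(pat.match, text.splitlines()) if m]
def parse_radacct(text):
    """(timestamp, mac, user) for each Acct-Status-Type = Start record."""
    out = []
    for rec in text.strip().split("\n\n"):
        attrs = dict(re.findall(r'^\s*(\S+) = "?([^"\n]*)"?$', rec, re.M))
        if attrs.get("Acct-Status-Type") == "Start":
            ts = epoch(rec.splitlines()[0], "%a %b %d %H:%M:%S %Y")
            out.append((ts, norm_mac(attrs["Calling-Station-Id"]), attrs["User-Name"]))
    return out
def latest_before(events, key, when):  # newest event whose field 1 == key, at or before when
    return max((e for e in events if e[1] == key and e[0] <= when), key=lambda e: e[0], default=None)
def identity_for_request(access_line, arp_events, acct_events):
    ts, _, ip = access_line.split()[:3]  # squid native format: epoch, duration, client IP, ...
    arp = latest_before(arp_events, ip, float(ts))  # IP -> MAC that was valid at request time
    acct = arp and latest_before(acct_events, arp[2], float(ts))  # MAC -> authenticated identity
    return acct[2] if acct else None
```

A request from 10.0.0.23 before the arpwatch "changed ethernet address" event resolves to pc01, one after it to pc07, and a request with no earlier binding resolves to nothing rather than to a guess.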