
We are doing NetReg and logging the DHCP leases. These get tossed to a syslog server. We also log NAT translations as well for the purpose of tracking down DMCA notices.
--
Heath Barnhart
ITS Network Administrator
Washburn University
785-670-2307

On Thu, 2014-02-06 at 12:22 -0500, Fishel Erps wrote:
> Hello,
>
> We are looking for a way to track a user's MAC to IP, and we want it to get updated dynamically, and we want to know what others out there are using.
>
> For example, I am a student with a new laptop, and I want to connect to the network. When I connect - either wired or wirelessly - I should have my browser pop up and ask me to enter my credentials (LDAP, AD, etc.). It should then log my MAC as belonging to user XYZ.
>
> From that point forward, it should also store a history of every IP the user gets, each time they get one.
>
> The ultimate purpose is to provide a deterrent for students who might use bit-torrents. That way, when we get a notice from someone that XYX downloaded a copyrighted movie, we can now research which student had which IP at what time, and pursue the issue.
>
> Fishel Erps
> Sr. Network & Infrastructure Engineer, School of Visual Arts
> LL: 212-592-2000
> E: ferps@sva.edu
>
> Please excuse any typographical errors as this e-mail has been sent from my mobile device
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We just run Bradford. Connections are tracked by MAC / IP / switchport / userID / connect time / disconnect time and searchable on any field. (Had to roll our own piecemeal tracking/auditing before and don't want to do that again...) It doesn't track wireless locations, however; we pull that from Airwave once we get the MAC.

Jeff
For wireless we track the information using dot1x logs from our radius servers. For wired it's not so easy without dot1x, but we do have logs from active directory, email and other authenticated systems. We also feed that information into our firewalls to help identify users there. All logs then feed into Splunk, which is an extremely powerful and excellent correlation tool; it's been great for following up security incidents, but we also use it for reporting and statistics. A fantastic product, but comes with a price tag.

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph : +61 8 8313 4800
e-mail: jason.cook@adelaide.edu.au
Message from iam@st-andrews.ac.uk

As far as 802.1x wired, everything newer than XP SP3 supports it ok, macos 10.7 and newer are pretty trivial with the .mobileconfig files. You do need a portal in the guest vlan for onboarding unknown devices. We've been distributing wired profiles with our wireless for some time, which eases setup somewhat. 

Thanks

--
ian

Sent from my phone, please excuse brevity and misspelling.
Not sure how I left this out, but Netflow with nfdump also helps tracking down and corroborating violations with actual traffic that happened on your network.

On 2/6/2014 1:54 PM, Vlade Ristevski wrote:
> There are a lot of ways to skin this cat. Keep in mind that it's pretty easy to change your mac address, but for most cases it won't be an issue.
>
> To log the username to mac-address you can use NetReg. To see a history of every IP the user gets, log DHCP leases.
>
> To get the switch/port info you could use DHCP snooping. The switch can be configured to store all the entries on a TFTP server. You can back these up periodically or do some backend scripting for historical purposes. A typical Cisco entry looks like this:
>
> [amdin@r tftpboot]# more 52f3d849
> TYPE DHCP-SNOOPING
> VERSION 1
> BEGIN
> 192.168.84.53 584 aaaa.bbbb.cccc 52F41999 Fa2/0/38 1e01fd26
>
> Also don't forget about mac-notify traps. A message will be sent to your SNMP trapd server every time a mac address is seen on a switchport. I've used this many times to track down mac addresses from as long as a month ago. You can use snmptrapd (Linux) or Kiwi Syslog (Windows) to log the messages.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst2960x/software/15.0...
>
> If you don't want to do netreg, you can do 802.1x. The 802.1x wired clients are a pain in the ass, but if you want you can do Mac-Based authentication so no 802.1x client configuration is needed. I think Packetfence has this built in.
>
> http://www.packetfence.org/
>
> Nedi may help too. We used to use it many years ago. I haven't kept up with it though.
>
> http://www.nedi.ch/
>
> --
> Vlade Ristevski
> Network Manager
> IT Services
> Ramapo College
> (201)-684-6854
There are a lot of ways to skin this cat. Keep in mind that it's pretty easy to change your mac address, but for most cases it won't be an issue.

To log the username to mac-address you can use NetReg. To see a history of every IP the user gets, log DHCP leases.

To get the switch/port info you could use DHCP snooping. The switch can be configured to store all the entries on a TFTP server. You can back these up periodically or do some backend scripting for historical purposes. A typical Cisco entry looks like this:

    [amdin@r tftpboot]# more 52f3d849
    TYPE DHCP-SNOOPING
    VERSION 1
    BEGIN
    192.168.84.53 584 aaaa.bbbb.cccc 52F41999 Fa2/0/38 1e01fd26

Also don't forget about mac-notify traps. A message will be sent to your SNMP trapd server every time a mac address is seen on a switchport. I've used this many times to track down mac addresses from as long as a month ago. You can use snmptrapd (Linux) or Kiwi Syslog (Windows) to log the messages.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960x/software/15.0...

If you don't want to do netreg, you can do 802.1x. The 802.1x wired clients are a pain in the ass, but if you want you can do Mac-Based authentication so no 802.1x client configuration is needed. I think Packetfence has this built in.

http://www.packetfence.org/

Nedi may help too. We used to use it many years ago. I haven't kept up with it though.

http://www.nedi.ch/

--
Vlad
On Thu, Feb 06, 2014 at 11:48:20AM -0600, Tim Tyler wrote:
> It will be curious to me to see how this works when we start supporting ipv6 since many use routing advertisement to give out ip's instead of dhcp.
> Tim

Once we have RFC6939 support, we can log the MAC of a DHCPv6 client the same way we do with IPv4 today. The latest version 4.3.0 of ISC DHCP supports the "on commit" functionality with IPv6.

Until then, we plan to do a semi-realtime query of the NDP tables on the routers when we detect a new MAC connect via MAC-RADIUS and/or DHCPv6. We already poll the NDP tables, which should be "good enough", although not perfect, to catch any IPv6 address changes later on. This will allow us to associate the IPv6 address with the MAC address.
We are using AirWave for this.

Tim Cappalli | ACCP / ACMP / CCNA
Wireless Engineer | Brandeis University
cappalli@brandeis.edu | (617) 701-7149
Hi, 
I'm also interested in the group's approach to this.
We currently have a home grown process that sends the DHCP leases to a depository that a script sifts through to match the IP-to-MAC address against the timestamp of the infringement notice. A positive match will get the MAC address put in an IP range that can only go to a "you have been naughty" page. The DHCP does not track user credentials so we don't get that information. However, the user will eventually come to get their computer out of quarantine and credentials are logged then. This works nicely with public IPs but we hit a roadblock when trying to NAT and getting the translations to match (in part because of the limitations on the NAT device). We have a limited public IP space so input on this can be of great value to us.

Thanks,
Gonzalo

---

Gonzalo Cervantes

Associate Director Network Services


Barnard College, Columbia University

gcervantes@barnard.edu

212-854-8795

barnard.edu/bcit



Message from iam@st-andrews.ac.uk

We have such a system for student devices that can't dot1x. Seriously, mac addresses can so easily be reprogrammed that actual credentials / certificates are the way forward here.

Thanks

--
ian

Sent from my phone, please excuse brevity and misspelling.
From: Tim Tyler
Sent: ‎06/‎02/‎2014 17:48
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] Network IP Tracking

Ian,
 Most network registration programs should be able to do this.  We use
open source Netreg to do this and I believe all variations of Netreg today
probably do this.  I would think any network registration product should
keep track of ip to mac associations.   There are commercial versions of
Netreg available if you don't want to go the open source route.  DHCP maps
ip to macs and registration usually maps names to them.  It will be
curious to me to see how this works when we start supporting ipv6 since
many use routing advertisement to give out ip's instead of dhcp.
 Tim

On Thu, Feb 06, 2014 at 12:22:47PM -0500, Fishel Erps wrote:
> Hello,
>
> We are looking for a way to track a user's MAC to IP, and we want it to get updated dynamically, and we want to know what others out there are using.

We are doing a combination of MAC-RADIUS, DHCP Snooping, and DHCP logging to maintain bindings between MAC-to-IP, and then requiring MAC address registration to bind the MAC to a user. We will be adding RADIUS Accounting to this soon.

> For example, I am a student with a new laptop, and I want to connect to the network. When I connect - either wired or wirelessly - I should have my browser pop up and ask me to enter my credentials (LDAP, AD, etc.). It should then log my MAC as belonging to user XYZ.

We use CMU NetReg, which has a captive portal called QuickReg for this part. For wired, the RADIUS server hands back a QuickReg VLAN to put the client into if the MAC address is unknown (or suspended, not allowed on the subnet, etc.). For wireless, the user connects to the WPI-Wireless-Setup SSID manually, which brings up the portal (CloudPath XpressConnect + CMU NetReg).

> From that point forward, it should also store a history of every IP the user gets, each time they get one.

CMU NetMon is a counterpart to CMU NetReg which keeps track of this for us by capturing the DHCP logs. It also polls CAM tables, ARP/NDP tables, Port status, VLANs, etc.

> The ultimate purpose is to provide a deterrent for students who might use bit-torrents. That way, when we get a notice from someone that XYX downloaded a copyrighted movie, we can now research which student had which IP at what time, and pursue the issue.

If you use ISC DHCP, here is a configuration snippet that will log the lease information to syslog entries starting with "DHCPNETMON":

    on commit {
        if (static) {
            log (info, concat (
                "DHCPNETMON ",
                binary-to-ascii (10,32,"",encode-int (lease-time,32)), " ",
                substring (binary-to-ascii (16,8,":",hardware), 2,17), " ",
                binary-to-ascii (10,8,".",leased-address), " ",
                pick-first-value (host-decl-name, "(none)"),
                " static ",
                pick-first-value (option agent.circuit-id, "(none)")));
        } else {
            log (info, concat (
                "DHCPNETMON ",
                binary-to-ascii (10,32,"",encode-int (lease-time,32)), " ",
                substring (binary-to-ascii (16,8,":",hardware), 2,17), " ",
                binary-to-ascii (10,8,".",leased-address), " ",
                pick-first-value (ddns-fwd-name, "(none)"),
                " dynamic ",
                pick-first-value (option agent.circuit-id, "(none)")));
        }
    }
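The lease matching Gonzalo describes earlier in the thread (DHCP leases sifted against the timestamp of the notice), the Cisco DHCP snooping binding file in Vlade's message, and the DHCPNETMON lines the snippet above emits all fit together in one lookup, and the following added example shows that join. It is not code from the thread or from NetReg, NetMon, ISC DHCP or Cisco; every input line is constructed. It assumes the syslog lines carry an ISO 8601 timestamp prefix (the older "Feb  6 13:40:02" prefix has no year or zone and would need its own parser), and that the snooping file's columns are ip, VLAN, MAC, lease expiry as hex epoch seconds, interface and checksum, which is the order in Vlade's sample; the checksum is carried through but not verified. Two caveats a practitioner hits in practice are handled: ISC's binary-to-ascii does not zero-pad, so a MAC can arrive as 0:1a:... and has to be normalised before it is compared with the Cisco aaaa.bbbb.cccc form, and an address that nobody held at the notice time must return no match rather than the previous holder.

```python
"""Added example, not code from this thread or any product it names: from the (IP, time)
in an abuse notice, find the MAC that held the lease and the switchport it sat on, using
ISC DHCP "DHCPNETMON" syslog lines and a Cisco DHCP snooping binding file (inputs constructed)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed syslog lines. Assumption: an ISO 8601 timestamp prefix (rsyslog high-precision
# format); the classic "Feb  6 13:40:02" prefix carries no year or zone and needs its own parser.
DHCP_LOG = """\
2014-02-06T13:40:02-05:00 dhcp1 dhcpd: DHCPNETMON 14400 0:1a:2b:3c:4d:5e 192.168.84.53 lab-laptop dynamic (none)
2014-02-06T13:41:10-05:00 dhcp1 dhcpd: DHCPNETMON 14400 aa:bb:cc:dd:ee:ff 192.168.84.54 (none) dynamic (none)
2014-02-06T13:41:11-05:00 dhcp1 dhcpd: DHCPACK on 192.168.84.54 to aa:bb:cc:dd:ee:ff via eth0
2014-02-06T17:40:30-05:00 dhcp1 dhcpd: DHCPNETMON 14400 0:1a:2b:3c:4d:5e 192.168.84.53 lab-laptop dynamic (none)
2014-02-06T18:05:00-05:00 dhcp1 dhcpd: DHCPNETMON 14400 12:34:56:78:9a:bc 192.168.84.54 (none) dynamic (none)
"""

# Constructed binding file in the layout of the thread's sample. Assumed field order:
# ip vlan mac expiry(hex epoch seconds) interface checksum. The checksum is not verified here.
SNOOP_DB = """\
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.168.84.53 584 001a.2b3c.4d5e 52F4479E Fa2/0/38 00000000
192.168.84.54 584 1234.5678.9abc 52F450A0 Fa2/0/12 00000000
END
"""

# Fields in the order the "on commit" snippet concatenates them.
DHCPNETMON_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd: DHCPNETMON (?P<lease>\d+) (?P<mac>\S+) (?P<ip>\S+) "
    r"(?P<name>\S+) (?P<kind>static|dynamic) (?P<circuit>\S+)$")

def normalize_mac(mac):
    """12 lowercase hex digits from ISC's unpadded colon form (binary-to-ascii emits
    0:1a:..., not 00:1a:...) or Cisco's dotted aaaa.bbbb.cccc form."""
    if "." in mac:
        digits = mac.replace(".", "")
    else:
        digits = "".join(octet.zfill(2) for octet in mac.split(":"))
    digits = digits.lower()
    if len(digits) != 12 or set(digits) - set("0123456789abcdef"):
        raise ValueError("unrecognised MAC: %r" % mac)
    return digits

def parse_dhcpnetmon(text):
    """One record per commit, valid for lease-time seconds from the log time."""
    leases = []
    for line in text.splitlines():
        m = DHCPNETMON_RE.match(line)
        if not m:
            continue  # ordinary dhcpd chatter (DHCPACK etc.) is ignored
        start = datetime.fromisoformat(m["ts"])
        leases.append({"start": start, "end": start + timedelta(seconds=int(m["lease"])),
                       "mac": normalize_mac(m["mac"]), "ip": m["ip"], "name": m["name"],
                       "kind": m["kind"], "circuit_id": m["circuit"]})
    return leases

def lease_for_ip_at(leases, ip, when):
    """Most recent commit for `ip` at or before `when`, if still in force. Returns None,
    not the previous holder, when the address sat idle at that moment."""
    earlier = [l for l in leases if l["ip"] == ip and l["start"] <= when]
    if not earlier:
        return None
    latest = max(earlier, key=lambda l: l["start"])
    return latest if when < latest["end"] else None

def parse_snooping_db(text):
    """MAC -> binding, with the hex lease expiry decoded to an aware UTC datetime."""
    bindings, in_body = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "BEGIN":
            in_body = True
        elif line == "END":
            break
        elif in_body and line:
            ip, vlan, mac, expiry_hex, iface, checksum = line.split()
            bindings[normalize_mac(mac)] = {
                "ip": ip, "vlan": int(vlan), "interface": iface, "checksum": checksum,
                "expires": datetime.fromtimestamp(int(expiry_hex, 16), tz=timezone.utc)}
    return bindings

def locate(leases, bindings, ip, when_iso):
    """Join the two sources: notice (ip, ISO 8601 time) -> MAC -> switchport/VLAN."""
    lease = lease_for_ip_at(leases, ip, datetime.fromisoformat(when_iso))
    if lease is None:
        return None
    port = bindings.get(lease["mac"], {})
    return {"mac": lease["mac"], "lease_start": lease["start"].isoformat(),
            "lease_end": lease["end"].isoformat(),
            "interface": port.get("interface"), "vlan": port.get("vlan")}

if __name__ == "__main__":
    leases, bindings = parse_dhcpnetmon(DHCP_LOG), parse_snooping_db(SNOOP_DB)
    print(locate(leases, bindings, "192.168.84.53", "2014-02-06T19:00:00-05:00"))
    print(locate(leases, bindings, "192.168.84.54", "2014-02-06T18:00:00-05:00"))  # idle gap
```

The second lookup is the case that matters for a notice: 192.168.84.54 was released at 17:41:10 and not committed again until 18:05, so a notice timestamped 18:00 matches nobody, and the script says so instead of naming the earlier holder. Decoding the thread's own expiry column the same way (52F41999) gives 2014-02-06 23:24:09 UTC, a few hours after that message was sent, which is consistent with reading it as a lease expiry in epoch seconds; the snooping snapshot is a point in time, so for anything older than the current lease the DHCP log, not the binding file, is the record of who held the address.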
Message from iam@st-andrews.ac.uk

Hi, dot1x is the way to go with this. MAC addresses are by no means unique.

Thanks

--
ian

Sent from my phone, please excuse brevity and misspelling.
Message from ferps@sva.edu

Hello,

We are looking for a way to track a user's MAC to IP, and we want it to get updated dynamically, and we want to know what others out there are using.

For example, I am a student with a new laptop, and I want to connect to the network. When I connect - either wired or wirelessly - I should have my browser pop up and ask me to enter my credentials (LDAP, AD, etc.). It should then log my MAC as belonging to user XYZ.

From that point forward, it should also store a history of every IP the user gets, each time they get one.

The ultimate purpose is to provide a deterrent for students who might use bit-torrents. That way, when we get a notice from someone that XYX downloaded a copyrighted movie, we can now research which student had which IP at what time, and pursue the issue.

_________________________

Fishel Erps
Sr. Network & Infrastructure Engineer, School of Visual Arts
LL: 212-592-2000
E: ferps@sva.edu

Please excuse any typographical errors as this e-mail has been sent from my mobile device