If you have a need to actually determine this kind of info, 802.1x might be for you. It authenticates the user before giving them access to a specific VLAN or ACL, and logs it. That way you have definitive correlation of user auth to IP address assignment.

Starting over.

We force all pages except a select few to nav to NetReg and force them to go through registration using their account and password for (everything else).

For guests they certainly can just plug into jacks in non-NetReg buildings (once NetReg is everywhere that won’t be the case) or they can use our wireless network which requires VPN. We give out guest VPN accounts but a worker bee has to claim responsibility for the network usage of their guest.

NOT a perfect situation.

And how do you require guests to use VPN? What do they VPN into? I would think you’d want guests to just get Internet access, either through a dirty, unsecure network, or a NAT’ed network so at least they get some protection but have no access to inside.

ISP, eh? Small world

I could have said that in one comment; didn’t.

We have separate subnets, not all are converted over yet because of old wiring in many of our buildings.

So NetReg seems to be a good answer for smaller networks, and seems to also give a decent semblance of security, but I would probably argue for 802.1x authentication, which is one of our next projects. When you have a switch that supports 802.1x, then what happens is you get put into a VLAN based on your authentication, and it can be without the user’s participation.

Everyone know about two-factor authentication? Here’s the gist: you have three ways to prove you are who you say you are: something you have (like a token), something you know (like a username and password) and something you are (biometric – fingerprint, retinal scan). Two-factor authentication is when you have 2 of the 3 things. A smart card with a login is 2 factor. A SecurID card with a 60-second password, combined with a login is 2 factor.

Now, for sake of argument, imagine a Windows domain and Windows machines in that domain. When you join the system to the domain, you can have a group policy automatically add a certificate, signed by the domain controller, to the machine. That’s one form of authentication (something you have; a token). Then, assume the user is logged into the machine with their username and password. That would be the second form of authentication (something you know). Given these two forms, the computer authenticates to the switch, the switch puts them in the appropriate VLAN, and then DHCP server on that segment doles out a specific IP.

The cool thing here is that if the computer does NOT authenticate, it can be put into an unsecure VLAN, given a different address and maybe given NAT’ed internet access but no internal access.

That way, you can open up all the ports in your campus and not worry as much about physical security – you know, how people visitors might come into your conference rooms and “borrow” a network connection, and all of a sudden get access to internal stuff? Properly implemented 802.1x massively minimizes that threat.

We use NetReg because we’re lazy. Register your IPs, stupidasses. (Not you, them.)