Security

Occasional Contributor II

2nd factor to MAC authentication with ClearPass

Hello,

 

I have a customer who asked me if it is possible to add a 2nd factor to MAC authentication, as MAC addresses are quite easy to spoof. I tried an Nmap scan, but there was no distinct result for some devices. As far as I know, SNMP cannot be triggered from a service and runs only on a network scan.

 

I have read that a competing product (arp-guard) can check for HTTPS certificates. The cert is trusted on first use and then arp-guard checks against this certificate.

 

Is there a similar way in ClearPass?

 

Regards,

 

Marian

Guru Elite

Re: 2nd factor to MAC authentication with ClearPass

Why aren’t you using 802.1X? MAC “authorization” is not authentication.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 2nd factor to MAC authentication with ClearPass

Sorry, I did not make this clear. dot1x is used for all devices able to use it, but there are phones, printers and old APs without a supplicant.

Guru Elite

Re: 2nd factor to MAC authentication with ClearPass

MFA is a user construct. So you just simply want additional profiling?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 2nd factor to MAC authentication with ClearPass

I want to know if there is something that can be taken into account in addition to the MAC auth that is not easy to forge.

 

One idea would be an HTTP server certificate, which is available on many devices without a dot1x supplicant.

 

I guess in terms of ClearPass that would be additional profiling.

Guru Elite

Re: 2nd factor to MAC authentication with ClearPass

Unfortunately, no, as you would need a database to compare against.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 2nd factor to MAC authentication with ClearPass

That is bad, but thank you for the clarification.

Guru Elite

Re: 2nd factor to MAC authentication with ClearPass

Why is that bad? An arbitrary server certificate with no binding is just as ephemeral as a MAC address.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 2nd factor to MAC authentication with ClearPass

The certificate must not be arbitrary, that is true. But with a trust on first use concept, or a learning port, ClearPass would have a certificate specific to this device and can then check against this certificate.

 

If one can easily retrieve this certificate from the device, this approach would be useless. But if not, one would have something to verify, and this cannot be forged easily.
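As an added illustration of the trust-on-first-use check described in this thread (example code, not from the thread or from ClearPass), the store below learns the SHA-256 fingerprint of a device's HTTPS certificate the first time a MAC address is seen and flags a different certificate behind the same MAC afterwards; fetch_device_cert is a helper name assumed here, and the DER byte strings are constructed stand-ins.

```python
import hashlib
import ssl
from typing import Dict

# Constructed stand-ins for the DER-encoded HTTPS certificates two devices
# present; on a real network the bytes would come from fetch_device_cert().
PRINTER_DER = b"constructed-der-bytes-for-printer-cert"
ROGUE_DER = b"constructed-der-bytes-for-a-different-cert"


def normalize_mac(mac: str) -> str:
    """Canonical lowercase aa:bb:cc:dd:ee:ff form, accepting '-' or '.' separators."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_device_cert(host: str, port: int = 443) -> bytes:
    """Retrieve the certificate a headless device presents on its HTTPS port.
    The device must prove possession of the matching private key during the TLS
    handshake, so a copy of the public certificate alone does not pass this step."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class TofuPinStore:
    """Per-MAC certificate pins, learned on first sight (trust on first use)."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, mac: str, der: bytes) -> str:
        """Return 'learned' on first sight of a MAC, 'match' when the pinned
        fingerprint is presented again, and 'mismatch' when a different
        certificate appears behind a known MAC, which MAC auth alone cannot see."""
        key = normalize_mac(mac)
        seen = fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            return "learned"
        return "match" if pinned == seen else "mismatch"
```

A 'mismatch' result is the event to alert on or to quarantine the port for; the learning step itself still trusts whatever device is on the port at that moment.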

Guru Elite

Re: 2nd factor to MAC authentication with ClearPass

I would recommend working with your ClearPass partner to look at all of the profiling options available for headless devices.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480