11-25-2016 08:37 AM
We are looking at rolling out AAA authentication on our network. We use Aruba MAS switches and Aruba APs with Avaya IP phones. I was looking at setting up override conditions on the AAA Profile for the phones and APs to get diverted to a corporate access vlan and skip CPPM role assignment. For the APs I was planning to use a device-group ap profile to override the interface-group AAA profile. Similar to this:
For the phones I was looking at setting a derivation rule on the AAA profile similar to this:
aaa derivation-rules user test
set vlan condition device-type equals "phone" set-value XXX
My question is how secure is this setup? Can the proprietary LLDP TLVs be spoofed easily so that a hacker PC could mimic a phone or AP and get diverted straight into a corporate access vlan bypassing the rest of the AAA profile role assignment conditions?
11-26-2016 03:03 AM
LLDP can be easily spoofed (as can CDP). Tools to do so, like VoipHopper (CDP) and LLDP Generator (LLDP) are publicly available.
Example with LLDP Generator:
./tool.py -p lldp -tlv sys-name "FakePhone" -tlv sys-desc "See, I can spoof LLDP" -tlv chid -ipv4 "22.214.171.124"
Will show on your switch like:
HPE-Aruba-Lab3810# show lldp info remote-device 4

 LLDP Remote Device Information Detail

  Local Port   : 4
  ChassisType  : network-address
  ChassisId    : 126.96.36.199
  PortType     : mac-address
  PortId       : 30 85 a9 aa aa aa
  SysName      : FakePhone
  System Descr : See, I can spoof LLDP
  PortDescr    :
  Pvid         :

  System Capabilities Supported :
  System Capabilities Enabled   :

  Remote Management Address
I did not take the time to spoof the system capabilities, but that should not be that hard to fake your Avaya Phone. So it is okay to use LLDP as a convenience feature, probably not to use it as a security feature as there is no protection whatsoever in the protocol.
The more secure solution would be to really authenticate the phone with 802.1X; the required security level depends on what is acceptable in your environment and the outcome of the security assessment.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
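As an added illustration (not from the original thread) of why the answer above treats LLDP as a convenience rather than a security feature: the script below decodes an LLDPDU into exactly the fields the switch printed, and shows that a device-type rule has nothing but those unauthenticated bytes to go on. The frame is constructed here to reproduce the displayed neighbor entry; claimed_device_type is a simplified stand-in for the derivation rule, since how the switch itself maps TLVs to a device type is not specified in the thread.

```python
import struct

# IEEE 802.1AB TLV types for the fields the switch output shows
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_SYSNAME, TLV_SYSDESC, TLV_CAPS = 0, 1, 2, 3, 5, 6, 7
CAP_WLAN_AP, CAP_TELEPHONE = 0x08, 0x20  # system-capability bits


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the raw value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_example_lldpdu() -> bytes:
    """Constructed frame reproducing the neighbor entry shown in the thread (sample data)."""
    return b"".join([
        tlv(TLV_CHASSIS, bytes([5, 1]) + bytes(map(int, "126.96.36.199".split(".")))),  # subtype 5 = network addr, AFN 1 = IPv4
        tlv(TLV_PORT, bytes([3]) + bytes.fromhex("3085a9aaaaaa")),  # subtype 3 = MAC address
        tlv(TLV_TTL, struct.pack("!H", 120)),
        tlv(TLV_SYSNAME, b"FakePhone"),
        tlv(TLV_SYSDESC, b"See, I can spoof LLDP"),
        tlv(TLV_CAPS, struct.pack("!HH", 0, 0)),  # nothing supported/enabled, as in the output
        tlv(TLV_END, b""),
    ])


def parse_lldpdu(data: bytes) -> dict:
    """Decode an LLDPDU into the fields a switch displays. Note: no field carries any
    sender authentication; everything here is whatever the neighbor chose to send."""
    fields, off = {}, 0
    while off + 2 <= len(data):
        hdr, = struct.unpack_from("!H", data, off)
        t, ln = hdr >> 9, hdr & 0x1FF
        val = data[off + 2:off + 2 + ln]
        off += 2 + ln
        if t == TLV_END:
            break
        if t == TLV_CHASSIS and val[0] == 5 and val[1] == 1:
            fields["chassis_id"] = ".".join(str(b) for b in val[2:6])
        elif t == TLV_PORT and val[0] == 3:
            fields["port_id"] = val[1:7].hex(":")
        elif t == TLV_SYSNAME:
            fields["sys_name"] = val.decode("utf-8", "replace")
        elif t == TLV_SYSDESC:
            fields["sys_desc"] = val.decode("utf-8", "replace")
        elif t == TLV_CAPS and len(val) == 4:
            fields["caps_supported"], fields["caps_enabled"] = struct.unpack("!HH", val)
    return fields


def claimed_device_type(fields: dict) -> str:
    """Hypothetical stand-in for 'device-type equals phone/ap': it can only consult the
    enabled-capability bits, so the classification is exactly as trustworthy as the frame."""
    caps = fields.get("caps_enabled", 0)
    return "phone" if caps & CAP_TELEPHONE else "ap" if caps & CAP_WLAN_AP else "unknown"
```

Whatever the rule keys on (name, description or capability bits), the only integrity a port decision can have comes from an authenticated source such as the 802.1X result, not from the LLDPDU.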