10-23-2013 12:10 PM
A while ago I checked on MAC spoofing protection; recently I had some time to test it out, but it doesn't function as hoped.
I'm testing with a fixed device which is profiled correctly (IP helper set to ClearPass), then I take my laptop with the Linux BackTrack distribution, spoof the MAC and try to authenticate. Both use DHCP.
Two things are unclear / broken for me.
1) How do I act on a device conflict? I can't turn on the profiling tab, set it to CoA disconnect when status is conflict, but nowhere can I find when this conflict condition occurs. I had expected to see something in the endpoint database, but there I find nothing. It also doesn't seem to work, but the reason is unclear: doesn't a conflict occur, or is it something else?
2) When I start with the Linux laptop and afterwards plug in the other device, the entry in the endpoint database is updated correctly (all fields, I mean: hostname, category and such; no mention of conflict, the entry is just "overwritten"). But when I start with the other device and then the Linux laptop, only the hostname changes; the rest, like the OS and type, remain the original ones. To me this is not expected behavior, right? Anyone run into a bug here?
10-23-2013 06:43 PM
I will have to test this in my lab when I get back and get back to you.
Your enforcement policy should have a condition stating something like what I have below, but in my example I'm putting the device in a dead-end VLAN instead of a reject. If I send a reject, the user or device could just keep trying to connect and get rejected. This way I can control the user after they try to trick the system.
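The condition tarnold refers to is not visible on the page (the screenshot did not survive), so here is a constructed model of the check it relies on: a small Python endpoint store that records the first profile seen for a MAC and raises a conflict flag when a later profile of the same MAC reports a different category or OS, with an enforcement decision keyed on that flag. It also replays the two orders from the original post (fixed device first, then the laptop; laptop first, then the fixed device) so you can see that a hostname change alone does not count as a conflict but a category/OS change does. This is an added example, not ClearPass code or its data model; the attribute names, the dead-end VLAN ID, the `EndpointStore` class and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed VLAN ID for the dead-end VLAN tarnold describes (illustrative value).
DEAD_END_VLAN = 999


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so 'AA-BB-..' and 'aabb..' match."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Endpoint:
    mac: str
    hostname: str
    category: str
    os_family: str
    conflict: bool = False
    previous: list = field(default_factory=list)  # earlier (category, os) pairs


class EndpointStore:
    """Hypothetical endpoint database holding the fields the thread mentions."""

    def __init__(self):
        self.endpoints = {}

    def profile(self, mac, hostname, category, os_family):
        mac = normalize_mac(mac)
        ep = self.endpoints.get(mac)
        if ep is None:
            self.endpoints[mac] = Endpoint(mac, hostname, category, os_family)
            return self.endpoints[mac]
        # Hostname alone is not device identity; a change of category or OS
        # for the same MAC is what raises the conflict flag.
        if (category, os_family) != (ep.category, ep.os_family):
            ep.previous.append((ep.category, ep.os_family))
            ep.conflict = True
        ep.hostname, ep.category, ep.os_family = hostname, category, os_family
        return ep

    def clear_conflict(self, mac):
        """Operator action after investigating; the flag does not clear itself."""
        self.endpoints[normalize_mac(mac)].conflict = False


def enforce(ep):
    """Enforcement decision keyed on the conflict flag (dead-end VLAN, not reject)."""
    if ep.conflict:
        return {"action": "dead_end_vlan", "vlan": DEAD_END_VLAN, "coa": "disconnect"}
    return {"action": "allow"}


def replay(events):
    """Run constructed profiling events through a fresh store and return
    the enforcement decision after each one."""
    store = EndpointStore()
    return [enforce(store.profile(*ev)) for ev in events]


# Constructed events reproducing the two orders from the original post.
PRINTER_THEN_LAPTOP = [
    ("00:11:22:33:44:55", "prn-lobby", "Printer", "Embedded"),
    ("00-11-22-33-44-55", "bt5", "Computer", "Linux"),  # laptop spoofing the printer's MAC
]
LAPTOP_THEN_PRINTER = [
    ("00:11:22:33:44:55", "bt5", "Computer", "Linux"),
    ("00:11:22:33:44:55", "prn-lobby", "Printer", "Embedded"),
]
# Same device, renamed: hostname changes, identity does not.
RENAME_ONLY = [
    ("00:11:22:33:44:55", "prn-lobby", "Printer", "Embedded"),
    ("00:11:22:33:44:55", "prn-lobby-2", "Printer", "Embedded"),
]

if __name__ == "__main__":
    for name, events in (("printer first", PRINTER_THEN_LAPTOP),
                         ("laptop first", LAPTOP_THEN_PRINTER),
                         ("rename only", RENAME_ONLY)):
        print(name, replay(events))
```

Whichever device shows up first becomes the baseline, so the conflict fires in both orders as long as the second profile differs in category or OS; the case the original post describes, where only the hostname is overwritten and the OS/type stay as they were, would never trip this check, which is why the conflict never shows up there.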
10-24-2013 11:53 AM
Thanks tarnold, your rule makes sense, but again it is based on the conflict category, which I can't seem to get in the endpoint database. Not even when changing from a Linux laptop to the device we use; pretty much everything but the MAC changes, and still there is no hint of a conflict.
11-06-2013 11:27 AM
I also opened a ticket with support; they told me to enable the audit tab. I did this and see the nmap scan happening, but no further effect. I also fail to see anywhere what the result is.
I found the ancient document on the support site, but it fails to connect all the dots:
11-14-2013 10:26 AM
Not yet, support is working on it. If it gets worked out I'll certainly report back here.
As I said, audit needs to be turned on and the devices need to be audited correctly; the policy simulation is the way to test this.
In the meantime I'm certainly interested in people who have made this work at some point.
02-26-2014 12:11 PM
So, three months later and still not working.
Went from audit to profiling and back to audit, but no success. It seems we are close, because the scan and/or profiling does detect different devices; ClearPass just doesn't act on it.
Seeing how this doesn't pick up any replies makes me believe no one is using it anyway :)
12-08-2015 10:48 AM
Boneyard - I know this is an old thread, but ever come up with a fix for this?
Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
12-13-2015 02:03 AM - edited 12-13-2015 02:04 AM
It has been some time ago, but I believe there was a bug which was fixed in later versions, so the original suggestion from tarnold with the conflict category should work now. I'm not sure if I ever got around to testing it later on. I have a PoC coming up soon and will see if I can slip this in :)
01-09-2016 02:33 AM
For me the conflict status doesn't work, but I might be using it wrong. I posted my reply in the thread below and will continue updates there: