Security

 View Only
last person joined: 21 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass deployment - how to prevent MAC spoofing

This thread has been viewed 30 times
  • 1.  Clearpass deployment - how to prevent MAC spoofing

    Posted May 03, 2022 05:52 AM

    Recently we deployed Clearpass cluster in the network with 6100/6200 switches.

    We deployed dot1x authentications for windows stations and mac-auth for all the rest (Cameras/Linux/Pinpads/Printers exc…)

    The problem is that only Mac-authentication is not passing a Penetration Test of the organization.

    Therefore, we need to think about another way or an extra parameter for securing those end stations.

    Can we get some fingerprints or another parameter from the end station when is first appearing in Clearpass? and bind between the MAC address and another parameter?

    In our current situation, if a camera is connecting. We approve it's MAC Address and saves it as known MAC address.

    If another device (Laptop for example) spoof this camera's MAC address, it will grant access to the network because of the known MAC address of the Camera.

    My goal is to get some extra parameter to identify this MAC so if another device spoof it, it would be blocked because it does not have that extra parameter.

    Thanks,



    ------------------------------
    Alon Haber
    ------------------------------


  • 2.  RE: Clearpass deployment - how to prevent MAC spoofing

    EMPLOYEE
    Posted May 03, 2022 07:13 AM
    Please take a look at the document here:  https://asp.arubanetworks.com/downloads/documents/RmlsZTpmMDY3Y2UwYS1lNmZiLTExZWEtYjFjMi0zYmZjN2Y0MzMxNDI%3D 
    You will want to do a search for "fingerprint" to give you an idea what is possible.
    Clearpass has a "conflict" state when device category changes so that you can decide what to do when a device seems to be spoofed.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Clearpass deployment - how to prevent MAC spoofing

    Posted May 04, 2022 08:12 AM
    You can use Guest Device Registration as extra protection, and also do Custom Fingerprinting , both at one shot


  • 4.  RE: Clearpass deployment - how to prevent MAC spoofing

    EMPLOYEE
    Posted May 04, 2022 11:25 AM
    In my opinion you should lock down MAC authenticated clients as much as possible. Phones will only have access to the PBX, IP Cameras just to the recording systems, etc. If you evaluate the risk of someone spoofing the MAC address of an IP Phone and get to the PBX, you may accept that instead of jumping loops to configure 802.1X on the phones. Providing full network access to devices based on just MAC Auth should really be avoided.

    And yes, you can do all kinds of smart things, like if you manually register devices in the Endpoint database, register there the Device Name (profiling), and during rolemapping/enforcement check if the device is still classified as the device that you authorized. Or purely work with profiling, assign as restricted as possible roles, and use the Profiler tab to trigger a CoA as soon as you get a conflicting/updated fingerprint.

    It also may be good to understand the observations of the pentesters, and what would be good enough for them, and also check with the security policy what is needed to comply with that.


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Clearpass deployment - how to prevent MAC spoofing

    Posted May 08, 2022 04:18 AM
    Thank you for the detailed answer.

    Alon.

    ------------------------------
    Alon Haber
    ------------------------------