Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Preventing MAC Spoofing!

  • 1.  ClearPass Preventing MAC Spoofing!

    Posted 15 days ago

    Hello all,

    I have an issue related to MAC spoofing. I tried many things to prevent it, but the same problem exists.

    We are using CPPM ver 6.10.4, with a MAC auth service for APs (enabling authorized-profiling), configured a conflict trigger in the policy too, and reduced the endpoint DB cache time to 5 seconds. CPPM profiles well, but when I spoof an AP's MAC and use it on my laptop, I find the laptop authenticated with the AP profile!! The conflict trigger doesn't work, as CPPM didn't catch it to deny. I just found an alert for the conflict in the endpoint DB.

    How can I make CPPM prevent spoofing?



  • 2.  RE: ClearPass Preventing MAC Spoofing!

    Posted 15 days ago

    Hi

    Do you have the enforcement configured to deny access based on this condition:

    (Authorization:[Endpoints Repository]:Conflict  EQUALS  true)

    If this doesn't work, try changing the Endpoint DB cache to 0.

    I have the solution working with the setting above. Also remember to have the conflict detection rule first in the Enforcement policy.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass Preventing MAC Spoofing!

    Posted 13 days ago

    Hi Jonas,

    I tried it with many changes too, but it is not working.




  • 4.  RE: ClearPass Preventing MAC Spoofing!

    Posted 13 days ago

    Can you send screenshots of your configuration in each tab of the MAC authentication service, as well as an authentication request from Access Tracker?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: ClearPass Preventing MAC Spoofing!

    MVP
    Posted 14 days ago

    First of all, only use MAC authentication when some other authentication cannot be used. Ideally you manage the clients and turn off MAC Address randomization.

    I believe you should be able to deny MAC Address randomization with a role mapping rule.

    We currently detect randomized MACs with this rule: (Connection:Client-Mac-Address-Colon  MATCHES_REGEX  ^.[26aeAE])



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------
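
The randomized-MAC rule quoted in the post above, worked through as an added example (not code from the thread or from ClearPass): it checks the rule against the locally administered (U/L) and group (I/G) bits of the first octet. The function names and sample addresses are constructed for illustration.

```python
import re

# Rule as quoted in the post above; it is applied to the colon-separated client MAC.
RANDOMIZED_RULE = re.compile(r"^.[26aeAE]")

def normalize(mac):
    """Return the MAC as lower-case colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Report the address bits the rule depends on, plus the rule's verdict."""
    colon = normalize(mac)
    first_octet = int(colon[:2], 16)
    return {
        "mac": colon,
        "locally_administered": bool(first_octet & 0x02),  # U/L bit
        "multicast": bool(first_octet & 0x01),             # I/G bit
        "rule_match": bool(RANDOMIZED_RULE.search(colon)),
    }

def rule_equals_bit_test():
    """Check all 256 first octets: rule matches iff U/L bit set and I/G bit clear."""
    for octet in range(256):
        r = classify(f"{octet:02x}:00:00:00:00:01")
        if r["rule_match"] != (r["locally_administered"] and not r["multicast"]):
            return False
    return True

# Constructed sample addresses in three common notations.
SAMPLES = [
    "DA:A1:19:00:00:01",  # U/L bit set, unicast: the randomized-MAC pattern
    "00-1A-1E-00-00-01",  # U/L bit clear: universally administered
    "0200.5e00.0001",     # U/L bit set, written in dotted notation
    "03:00:00:00:00:01",  # U/L and I/G bits both set: not a valid source MAC
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
    print("rule equals bit test:", rule_equals_bit_test())
```

A copy of a universally administered address has the U/L bit clear and does not match this rule, so the rule flags randomized clients only and the conflict condition discussed earlier in the thread is still needed for the spoofing case.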



  • 6.  RE: ClearPass Preventing MAC Spoofing!

    Posted 13 days ago

    Hi bosborne,

    Yeah, I only used it for devices that cannot use 802.1X.




  • 7.  RE: ClearPass Preventing MAC Spoofing!

    Posted 3 days ago

    It has been a long time for me also, but it did work.

    As Jonas is asking, can you share your config? Otherwise it will be difficult to say anything.