Security

 View Only
  • 1.  CLearpass Preventing Mac Spoofing!

    Posted Jul 08, 2024 07:24 AM

    Hello all

    I have an issue related to Mac spoofing I tried many things to prevent it but the same problem exists.

     we using CPPM ver 6.10.4, using Mac auth-service for APs (enabling authorized-profiling), configured a conflict trigger in policy too, and reduced endpoint DB time for the cache to 5 seconds, CPPM could profile good but when spoofing on AP's Mac and use it through my laptop I find the laptop authenticated with AP profile!!  and conflict trigger doesn't work as CPPM didn't catch it to deny. I just found an alert for conflict in endpoint DB.

    how can I make CPPM prevent Spoofing?



  • 2.  RE: CLearpass Preventing Mac Spoofing!

    Posted Jul 08, 2024 07:52 AM

    Hi

    Do you have the enforcement configured to deny access based on this condition:

    (Authorization:[Endpoints Repository]:Conflict  EQUALS  true)

    If this doesn't work try to change the Endpoint DB cache to 0.

    I have the solution working with the setting above. Also remember to have the conflict detection rule first in the Enforcement policy



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: CLearpass Preventing Mac Spoofing!

    Posted Jul 10, 2024 07:06 AM

    hi Jonas,

    I tried it with many changes too but not working.




  • 4.  RE: CLearpass Preventing Mac Spoofing!

    Posted Jul 10, 2024 07:43 AM

    Can you send screen shots of both your configuration in each tab of the MAC authentication service as well as a authentication request from Access Tracker?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: CLearpass Preventing Mac Spoofing!

    Posted Jul 09, 2024 08:13 AM

    First of all, only use MAC authentication when some other authentication cannot be used.. Ideally you manage the clients and turn off MAC Address randomization.

    I believe you should be able to deny MAC Address randomization with a role mapping rule.

    We currently detect randomized MACs with this rule: (Connection:Client-Mac-Address-Colon  MATCHES_REGEX  ^.[26aeAE])



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 6.  RE: CLearpass Preventing Mac Spoofing!

    Posted Jul 10, 2024 07:20 AM

    hi bosborne,

    yeah, I only used it for devices that cannot use 802.1x




  • 7.  RE: CLearpass Preventing Mac Spoofing!

    Posted Jul 20, 2024 09:49 AM

    it has been a long time for me also, but it did work.

    as jonas is asking, can you share your config? else it will be difficult to say something.