Yes, you can use ClearPass to do that. There is an Endpoint attribute called "conflict" that you need to check in your enforcement policy.
The assumption is that you have configured and enabled ClearPass profiling.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------
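The "conflict" check described above, as an added illustration that is not ClearPass code or the poster's own: it assumes the profiler sets Conflict when a MAC already profiled as one device category is later fingerprinted as a different one, and shows how an enforcement policy would map that flag to a quarantine role instead of guest access. MAC addresses and categories are constructed sample data.

```python
"""Model of the ClearPass 'Conflict' endpoint attribute and its use in enforcement.

Assumption (not verified against the product): Conflict becomes True when a MAC
that was profiled as one device category is later seen with a fingerprint of
another category, e.g. the controller's MAC suddenly looks like a handset.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    mac: str
    category: Optional[str] = None       # first category assigned by the profiler
    conflict: bool = False               # the attribute checked by enforcement
    history: List[str] = field(default_factory=list)


def profile(endpoints: Dict[str, Endpoint], mac: str, category: str) -> Endpoint:
    """Record one profiling observation; set Conflict if the category changed."""
    mac = mac.lower()
    ep = endpoints.setdefault(mac, Endpoint(mac))
    ep.history.append(category)
    if ep.category is None:
        ep.category = category
    elif category != ep.category:
        ep.conflict = True
    return ep


def enforce(ep: Endpoint, mac_auth_ok: bool) -> str:
    """Enforcement policy: a conflicting endpoint never receives the guest role."""
    if ep.conflict:
        return "quarantine-role"
    return "guest-role" if mac_auth_ok else "pre-auth-role"


# Constructed observations (locally administered placeholder MACs): the controller's
# VLAN interface is profiled first, then a guest client presents the same MAC.
SAMPLE = [
    ("02:00:00:00:00:01", "Aruba Controller"),
    ("02:00:00:00:00:02", "Apple iPhone"),
    ("02:00:00:00:00:01", "Android Phone"),   # spoofed controller MAC -> conflict
]


def run_sample() -> Dict[str, str]:
    """Profile the sample and return the role each MAC would be given."""
    endpoints: Dict[str, Endpoint] = {}
    for mac, category in SAMPLE:
        profile(endpoints, mac, category)
    return {mac: enforce(ep, mac_auth_ok=True) for mac, ep in endpoints.items()}
```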
Original Message:
Sent: May 24, 2022 04:21 AM
From: Frederik Gagel
Subject: MAC Spoofing Guest Network
hey hdemir,
Unfortunately, none of the settings help to prevent a user from spoofing their MAC address...
Right now I'm testing a workaround. I'm trying to block the spoofed MAC address in the MAC Auth service in CPPM while connecting to the wifi infrastructure... Let's see...
------------------------------
Frederik
Original Message:
Sent: May 24, 2022 02:47 AM
From: husnu demir
Subject: MAC Spoofing Guest Network
To prevent MAC spoofing, DAI (Dynamic ARP Inspection) is the correct way. I thought that "enforce dhcp" would do that.
Perhaps you should move routing to a more advanced place. Also, the controller may have firewall options such as "Prevent DHCP exhaustion", "Prohibit IP spoofing" and "Prohibit ARP spoofing". They may help.
https://www.arubanetworks.com/techdocs/ArubaOS_62_Web_Help/Content/ArubaFrameStyles/Firewall_Roles/Global_Firewall_Paramete.htm
Best regards.
------------------------------
husnu demir
Original Message:
Sent: May 24, 2022 02:27 AM
From: Frederik Gagel
Subject: MAC Spoofing Guest Network
hi,
thanks for your answers.
The problem I ran into wasn't the access / reachability of the VLAN interface address of the controller. I know that there are ways to limit or block access to it. My problem is that a guest user can perform a subnet scan (even in the pre-auth role) -> is there a way to block that? When Deny Inter User Bridging is enabled, a subnet scan in the pre-auth role results in getting back the client, controller and gateway MAC (no other wireless user is found) -> so far so good :)
The main problem with the MAC address is that if a user spoofs the MAC of the controller, all APs connected to the controller lose their connection. This might be due to a design flaw (same physical port for guest VLAN and controller IP), but I wonder whether there is any other configuration / feature that can prevent this.
Enabling "Enforce DHCP" was also on my mind, but I don't think this will prevent someone from spoofing their MAC address.
------------------------------
Frederik
Original Message:
Sent: May 24, 2022 01:27 AM
From: husnu demir
Subject: MAC Spoofing Guest Network
Hi,
Interesting question.
You may "Enforce DHCP" and prohibit manual IP address configuration. Also, you may assign a static IP address to the MAC address of your controller. And you may use the "valid user" ACL, as cjoseph said.
I have not tried it.
Best regards.
------------------------------
husnu demir
Original Message:
Sent: May 23, 2022 02:59 PM
From: Frederik Gagel
Subject: MAC Spoofing Guest Network
Hi all,
I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC address of the controller? Since the controller has an IP address in the guest subnet (for captive portal redirect), a guest device can perform a subnet scan (via an app) and can give its client the MAC of the controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible), but the controller IP/MAC is still visible (as expected).
Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect
Is there any chance to achieve this? Is there a feature which I haven't read about / found yet?
Thanks for your help!
------------------------------
Frederik
------------------------------