Wireless Access

 View Only
last person joined: 19 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

MAC Spoofing Guest Network

This thread has been viewed 30 times
  • 1.  MAC Spoofing Guest Network

    Posted May 23, 2022 03:00 PM

    Hi all,


    I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
    By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

    Here is the setup (stripped down):
    - open guest SSID
    - DHCP Scope is on a firewall (behind the controller)
    - redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
    - IP Interface on the controller (also in same VLAN as guests) for the redirect

    Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

    Thanks for your help!



    ------------------------------
    Frederik
    ------------------------------


  • 2.  RE: MAC Spoofing Guest Network

    EMPLOYEE
    Posted May 23, 2022 06:40 PM
    You could use the valid user acl to block the ip address of the controller on that subnet:  https://community.arubanetworks.com/blogs/arunkumar1/2014/07/02/what-is-validuser-acl-and-its-uses

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: MAC Spoofing Guest Network

    Posted May 24, 2022 01:28 AM
    Hi,

    Interesting question.

    You may "Enforce DHCP" and prohibit manual IP Address config. Also, you may assign static IP address to MAC address of your  controller.  And you may use as cjoseph said "valid user" ACL.

    I have not tried it.

    Best regards.

    ------------------------------
    husnu demir
    ------------------------------



  • 4.  RE: MAC Spoofing Guest Network

    Posted May 24, 2022 02:28 AM

    hi,

    thanks for your answers. 

    The problem I ran into wasn't the access / reachability of the vlan Interface address of the controller. I know that there are ways to limit or block access to it. My problem is that a guest user can perform a subnet scan (even in pre-auth role) -> is there a way to block that?  When Deny Inter User bridging is enabled a subnet scan in pre-auth-role results in getting back the client, controller and gateway mac (no other wireless user is found) -> so far so good :)

    The main problem with the mac address is that if a user spoofs the MAC of the controller all APs connected to the controller lost their connection. This might be due to a design flaw (same physical port for guest vlan and controller IP) but I wonder if there is no other configuration / feature which can prevent this.

    EDIT:

    I was trying to add a seperate interface for the guest traffic but that didn't change anything. What's new to me that the controller have the same MAC for all interfaces? Even if it's a seperate physical interface?!

    Enable "Enforce DHCP" was also in my mind but I don't think this will prevent some to spoof its MAC address.

    ------------------------------
    Frederik
    ------------------------------



  • 5.  RE: MAC Spoofing Guest Network

    Posted May 24, 2022 02:48 AM
    To prevent MAC spoofing, DAI, Dynamic ARP Inspection is the correct way. I thoutht that "enforce dhcp" will do that. 

    Perhaps you should move routing to more advance place.. Also,

    Controller may have options on firewall 

    with "Prevent DHCP exhaustion", "Prohibit IP spoofing" and "Prohibit ARP spoofing". They may help..

    "https://www.arubanetworks.com/techdocs/ArubaOS_62_Web_Help/Content/ArubaFrameStyles/Firewall_Roles/Global_Firewall_Paramete.htm"

    Best regards.


    ------------------------------
    husnu demir
    ------------------------------



  • 6.  RE: MAC Spoofing Guest Network

    Posted May 24, 2022 04:21 AM

    hey hdemir,

    unfortunately none of the settings help to prevent a user from spoofing its MAC address...

    Right now I'm testing some workaround. I try to block the spoofed MAC address in the MAC Auth service in CPPM while connecting to the wifi infrastructure... Let's see...



    ------------------------------
    Frederik
    ------------------------------



  • 7.  RE: MAC Spoofing Guest Network

    EMPLOYEE
    Posted May 24, 2022 04:33 AM
    yes you can use ClearPass to do that. there is a Endpoint attribute called "conflict" that you need to check in your enforcement policy.
    The assumption is that you have configured and enabled ClearPass profiling.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------