Wireless Access


MAC Spoofing Guest Network

  • 1.  MAC Spoofing Guest Network

    Posted May 23, 2022 03:00 PM

    Hi all,


    I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC address of the controller? Since the controller has an IP address in the guest subnet (for captive portal redirect), a guest device can perform a subnet scan (via app) and can give its client the MAC of the controller.
    By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

    Here is the setup (stripped down):
    - open guest SSID
    - DHCP Scope is on a firewall (behind the controller)
    - redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
    - IP Interface on the controller (also in same VLAN as guests) for the redirect

    Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

    Thanks for your help!



    ------------------------------
    Frederik
    ------------------------------


  • 2.  RE: MAC Spoofing Guest Network

    Posted May 23, 2022 06:40 PM
    You could use the valid user acl to block the ip address of the controller on that subnet:  https://community.arubanetworks.com/blogs/arunkumar1/2014/07/02/what-is-validuser-acl-and-its-uses

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: MAC Spoofing Guest Network

    Posted May 24, 2022 01:28 AM
    Hi,

    Interesting question.

    You may "Enforce DHCP" and prohibit manual IP address config. Also, you may assign a static IP address to the MAC address of your controller. And you may use, as cjoseph said, the "valid user" ACL.

    I have not tried it.

    Best regards.

    ------------------------------
    husnu demir
    ------------------------------



  • 4.  RE: MAC Spoofing Guest Network

    Posted May 24, 2022 02:28 AM
    Edited by FreddyG May 24, 2022 03:04 AM

    hi,

    thanks for your answers. 

    The problem I ran into wasn't the access / reachability of the VLAN interface address of the controller. I know that there are ways to limit or block access to it. My problem is that a guest user can perform a subnet scan (even in the pre-auth role) -> is there a way to block that? When "Deny Inter User Bridging" is enabled, a subnet scan in the pre-auth role results in getting back the client, controller and gateway MAC (no other wireless user is found) -> so far so good :)

    The main problem with the MAC address is that if a user spoofs the MAC of the controller, all APs connected to the controller lose their connection. This might be due to a design flaw (same physical port for guest VLAN and controller IP), but I wonder if there is no other configuration / feature which can prevent this.

    EDIT:

    I was trying to add a separate interface for the guest traffic, but that didn't change anything. What's new to me is that the controller has the same MAC for all interfaces? Even if it's a separate physical interface?!

    Enabling "Enforce DHCP" was also in my mind, but I don't think this will prevent someone from spoofing their MAC address.

    ------------------------------
    Frederik
    ------------------------------



  • 5.  RE: MAC Spoofing Guest Network

    Posted May 24, 2022 02:48 AM
    Edited by hdemir May 24, 2022 02:56 AM
    To prevent MAC spoofing, DAI (Dynamic ARP Inspection) is the correct way. I thought that "enforce dhcp" would do that.

    Perhaps you should move routing to a more advanced place. Also, the controller may have options on the firewall with "Prevent DHCP exhaustion", "Prohibit IP spoofing" and "Prohibit ARP spoofing". They may help.

    https://www.arubanetworks.com/techdocs/ArubaOS_62_Web_Help/Content/ArubaFrameStyles/Firewall_Roles/Global_Firewall_Paramete.htm

    Best regards.


    ------------------------------
    husnu demir
    ------------------------------



  • 6.  RE: MAC Spoofing Guest Network

    Posted May 24, 2022 04:21 AM

    hey hdemir,

    unfortunately none of the settings help to prevent a user from spoofing its MAC address...

    Right now I'm testing some workaround. I try to block the spoofed MAC address in the MAC Auth service in CPPM while connecting to the wifi infrastructure... Let's see...



    ------------------------------
    Frederik
    ------------------------------



  • 7.  RE: MAC Spoofing Guest Network

    Posted May 24, 2022 04:33 AM
    Yes, you can use ClearPass to do that. There is an Endpoint attribute called "conflict" that you need to check in your enforcement policy.
    The assumption is that you have configured and enabled ClearPass profiling.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------
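The last two posts describe the defender-side idea behind the workaround: decide, at MAC-auth time, that a wireless client presenting the MAC of an infrastructure device (controller VLAN interface, gateway) is a conflict and should not get a working role. The following Python is an added illustration of that logic run over log lines; it is not code from this thread, from ArubaOS or from ClearPass, and it does not reproduce the real "conflict" endpoint attribute. The infrastructure MACs, the sample log and its "key=value" line layout are all constructed assumptions for the example.

```python
"""Flag a wireless client that presents an infrastructure MAC address.

Two checks are shown:
  1. a known infrastructure MAC appearing in a client-side event
     (association or DHCP request) on the wireless side;
  2. the same MAC being observed from more than one source
     (e.g. the wired controller port and a wireless client), which is
     the generic "conflict" condition independent of any allowlist.
"""
import re
from collections import defaultdict

# Assumed infrastructure MACs (constructed placeholders, locally administered).
INFRA_MACS = {
    "02:00:00:00:00:01": "controller guest-VLAN interface",
    "02:00:00:00:00:02": "guest default gateway (firewall)",
}

# Constructed sample log. The layout is an assumption for this example only,
# not the ArubaOS or ClearPass log format.
SAMPLE_LOG = """\
2022-05-24T02:10:01Z assoc    mac=AA-BB-CC-DD-EE-01 src=wireless ssid=Guest ap=AP-01
2022-05-24T02:10:02Z dhcp-req mac=aa:bb:cc:dd:ee:01 src=wireless ip=10.99.0.23
2022-05-24T02:10:05Z arp      mac=02:00:00:00:00:01 src=wired    ip=10.99.0.1
2022-05-24T02:11:40Z assoc    mac=02:00:00:00:00:01 src=wireless ssid=Guest ap=AP-03
2022-05-24T02:11:41Z dhcp-req mac=02:00:00:00:00:01 src=wireless ip=10.99.0.1
2022-05-24T02:12:00Z assoc    mac=aa:bb:cc:dd:ee:02 src=wireless ssid=Guest ap=AP-01
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<rest>.*)$")
CLIENT_EVENTS = {"assoc", "dhcp-req"}


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


def parse_line(line):
    """Parse one 'ts event key=value ...' line; return None if unusable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    if "mac" not in rec:
        return None
    rec["mac"] = normalize_mac(rec["mac"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_infra_mac_as_client(records, infra=INFRA_MACS):
    """Check 1: infrastructure MAC seen in a wireless client-side event."""
    alerts = []
    for r in records:
        if (r["event"] in CLIENT_EVENTS
                and r.get("src") == "wireless"
                and r["mac"] in infra):
            alerts.append((r["ts"], r["event"], r["mac"], infra[r["mac"]]))
    return alerts


def find_mac_source_conflicts(records):
    """Check 2: MAC observed from more than one source (wired and wireless)."""
    seen = defaultdict(set)
    for r in records:
        if "src" in r:
            seen[r["mac"]].add(r["src"])
    return {mac: sorted(srcs) for mac, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in find_infra_mac_as_client(recs):
        print("ALERT infra MAC on wireless side:", alert)
    print("source conflicts:", find_mac_source_conflicts(recs))
```

Check 1 is what an allowlist-based deny rule in the MAC-auth service amounts to; check 2 needs no allowlist and catches the case the thread describes (the controller's MAC arriving both on the wired port and as a wireless association), but it only fires once both observations exist, so it is a detection rather than a pre-association block.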



  • 8.  RE: MAC Spoofing Guest Network

    Posted Nov 28, 2023 04:36 PM

    Hi Frederik,

    To my knowledge it should be possible to remove the controller interface in the guest VLAN completely. You just need to make sure that at least one interface of the controller is reachable through the firewall. This will at least solve the MAC spoofing issue.

    BR

    Florian



    ------------------------------
    -------------------------------------------------------------------------------
    Florian Baaske
    -------------------------------------------------------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    -------------------------------------------------------------------------------
    Also visit the AirHeads Youtube Channel:
    https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
    -------------------------------------------------------------------------------
    Feel free to visit my personal Blog
    https://www.flomain.de
    ------------------------------



  • 9.  RE: MAC Spoofing Guest Network

    Posted Nov 30, 2023 11:06 AM

    It depends on the traffic flow; removing the IP interface requires enabling tri-session with DNAT. That can result in an asymmetric traffic flow that firewalls tend to choke on.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: MAC Spoofing Guest Network

    Posted Mar 04, 2024 09:31 AM

    Sorry that I come up with the same question again, but the problem is still around.
    If a user spoofs the MAC of the controller in the guest network, then all of the AP tunnels will go down as well.
    I'm not quite sure if I am the only guy around with this behaviour or problem, but I think this should not be possible and is a bit of a security risk.



    ------------------------------
    Frederik
    ------------------------------



  • 11.  RE: MAC Spoofing Guest Network

    Posted Mar 04, 2024 12:03 PM

    If you are seeing issues as described, please open a case with TAC for further investigation.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------