Enterprise Lockdown

Occasional Contributor II

How does ARP Spoofing Work?


How does prevent arp spoofing work exactly? I just spent the last several hours knocking one users spoofed arp after another. it doesn't appear to be working as I know they don't have 15 different nic's in their apartment all 1 integer from one another.

(wlc01-lax01) #show ap blacklist-clients | include 9e
9e:26:33:80:9d:11 user-defined 113775 Permanent
9e:26:33:80:9d:13 user-defined 2205 Permanent
9e:26:33:80:9d:14 user-defined 1365 Permanent
9e:26:33:80:9d:15 user-defined 1350 Permanent
9e:26:33:80:9d:16 user-defined 1350 Permanent
9e:26:33:80:9d:17 user-defined 1345 Permanent
9e:26:33:80:9d:18 user-defined 1345 Permanent
9e:26:33:80:9d:01 user-defined 349815 Permanent
9e:26:33:80:9d:19 user-defined 1340 Permanent
9e:26:33:80:90:15 user-defined 545 Permanent

Employees who are willing to spoof mac addresses to get online probably have other issues or have a great deal of time on their hands.

If an employee just simply wants internet on his personal machine, you can make it so that the user authentication default role switches users who have not machine authenticated to the guest VLAN and authenticated guest role so that they can get on. This means that if I have an iPhone and I authenticate successfully to the employee SSID, I will get free internet in exchange for my employee username and password. I will have full access to the internet, on the guest VLAN, but Zero access to the infrastructure. You can also prevent ARP spoofing so that users who try to get on with another user's MAC address while the user is on, will be denied. You can also decrease the machine authentication cache timeout so that those entries can be removed sooner rather than later, so the window to attempt mac spoofing is even smaller. You can also only permit wireless authentication to users in particular groups in IAS, so that unauthorized users will not be able to get on with ANY device. For users that you think engage in the practice of spoofing their mac address, you can also tie a wireless MAC address to their active directory account like here: http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx You can also switch to EAP-TLS so that users will have to have a valid company-issued certificate before they can connect with a device.

If you have Airwave and you suspect that a user is mac spoofing or a device has been spoofed, it is very easy to run a report to see if that activity is taking place and you can remove that user from the wireless group that is allowed to connect.

Enforce machine authentication is only a single tool out of several that administrators have to enforce access on the wireless network. The more tools that are used decreases the likelihood that unauthorized users or devices will be able to connect to the wireless network with unauthorized devices.

Guru Elite

Re: How does ARP Spoofing Work?

Turn on user debugging to see what is going on:

config t
logging level debug user
show log user 50

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Search Airheads
Showing results for 
Search instead for 
Did you mean: