Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest Session Management

  • 1.  Clearpass Guest Session Management

    Posted Feb 26, 2014 06:45 AM

    Hi All,


    Session management on Clearpass Guest is tied to the client's MAC address, which is trivial to spoof. What other methods are there to add more security to guest wireless session management?


    Cheers

    James



  • 2.  RE: Clearpass Guest Session Management

    EMPLOYEE
    Posted Feb 26, 2014 07:14 AM

    JrWhitehead,


    There is not much more that you can ask a guest for besides a password, that would probably be inconvenient.  You could try to check in the endpoint database if the DHCP fingerprint is the same as last time, but how would you handle that if it changed?



  • 3.  RE: Clearpass Guest Session Management

    EMPLOYEE
    Posted Feb 26, 2014 07:18 AM
    The best solution (although not usually feasible) would be creating accounts for your secure network and doing role mapping on the back end to separate the users from corporate users / employees.


  • 4.  RE: Clearpass Guest Session Management

    Posted Feb 26, 2014 07:53 AM

    Is there any way to check if there is more than 1 instance of a MAC address with different IP addresses assigned to each instance?




  • 5.  RE: Clearpass Guest Session Management

    EMPLOYEE
    Posted Feb 26, 2014 08:28 AM

    jrwhitehead,


    MAC/ARP spoofing in the controller would handle that...



  • 6.  RE: Clearpass Guest Session Management

    Posted Mar 10, 2014 10:04 AM

    Someone is claiming they've got access to a guest network by spoofing a valid client's MAC address.


    The customer in question has Instant APs.



  • 7.  RE: Clearpass Guest Session Management

    Posted Mar 11, 2014 05:02 AM

    You could set the Active Sessions value to 1 which would only allow 1 MAC address to connect.


    In addition, upon successful authentication you could write an attribute to the Endpoint entry which identified the device (this would be better if the device has been profiled - add the Clearpass as a DHCP helper). This would be completed under a custom Enforcement profile.


    You would then amend the service to check that, if the device exists in the Endpoint database, the specific attribute matches; otherwise invoke the Deny Access Profile. This would only allow 1 MAC address to connect, and if this was spoofed then the device type details would have to match as well.


    I have done similar checks before but not this specific use. Test in a lab if you get the chance.



  • 8.  RE: Clearpass Guest Session Management

    Posted Mar 11, 2014 05:36 AM

    Setting the active session value to 1 wouldn't stop the MAC spoofing if the other client had disconnected.


    I understand what you're saying about checking and writing detail to the endpoint database but not really sure how I would go about doing it!


    We are profiling devices so there will already be details in the endpoint repository for all devices that have associated.



  • 9.  RE: Clearpass Guest Session Management

    Posted Mar 11, 2014 07:57 AM

    If the Aruba controller is classifying devices you could write the Radius:Aruba:Aruba-Device-Type field into an Endpoint attribute and then create an Enforcement policy that says that the Device Type needs to match the Endpoint attribute.


    This would be a really basic test (i.e. matching 'Win 7' or 'iPhone') but would add some extra checks.

    As I said before I haven't tested this so you would need to lab it up first.



  • 10.  RE: Clearpass Guest Session Management

    Posted Mar 20, 2014 11:59 AM

    I'm still not sure how to do this. 


    I've got the devices in the endpoint repository as I'm profiling devices.


    I'm just unsure how I would check that an associating client's (with MAC xx:xx:xx:xx:xx:xx) device type matches the device type of the endpoint repository entry for the same MAC.


    I can see the following in the access tracker:


    Radius:Aruba:Aruba-Device-Type    Android


    This matches the OS family in the Endpoint repository:


    OS Family
    Android

    Can't for the life of me work out how I check if they match though! I think I need some more training!
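The check that posts 7, 9 and 10 are circling around, modelled as a small Python example added here (it is not ClearPass code and does not call the ClearPass API): a stand-in endpoint repository and session table, an `evaluate()` function that applies the "Active Sessions = 1" limit, compares the device type reported in the RADIUS request against the one stored on the endpoint, and on a first sighting records that type the way the custom post-authentication enforcement profile from post 7 would. The RADIUS attribute name `Radius:Aruba:Aruba-Device-Type` is the one shown in post 10's access tracker; the endpoint attribute name `Guest-Device-Type`, the `mac` request key and all MAC addresses are constructed assumptions for the example.

```python
"""Constructed model of the endpoint-attribute check discussed in this thread.

Not ClearPass code: the repository, session table and attribute names below
are assumptions that stand in for the real services and enforcement profile.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# RADIUS attribute name as shown in the access tracker in post 10.
DEVICE_TYPE_ATTR = "Radius:Aruba:Aruba-Device-Type"
# Assumed name for the custom endpoint attribute the post-auth profile writes.
ENDPOINT_ATTR = "Guest-Device-Type"
# The "Active Sessions = 1" setting suggested in post 7.
MAX_ACTIVE_SESSIONS = 1


@dataclass
class Endpoint:
    mac: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Repository:
    """Stand-in for the endpoint repository plus a live session counter."""
    endpoints: dict = field(default_factory=dict)        # mac -> Endpoint
    active_sessions: dict = field(default_factory=dict)  # mac -> open sessions


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form so different spellings compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def evaluate(request: dict, repo: Repository) -> tuple[str, str]:
    """Return (decision, reason) for one guest authentication request.

    Check order follows the thread: session limit (posts 7/8), then the
    stored-attribute comparison (post 9), then the first-sighting write
    that the custom enforcement profile in post 7 would perform.
    """
    mac = normalize_mac(request["mac"])
    observed = request.get(DEVICE_TYPE_ATTR, "")

    if repo.active_sessions.get(mac, 0) >= MAX_ACTIVE_SESSIONS:
        return "DENY", "active session limit reached for this MAC"

    endpoint = repo.endpoints.get(mac)
    if endpoint is not None and ENDPOINT_ATTR in endpoint.attributes:
        expected = endpoint.attributes[ENDPOINT_ATTR]
        if observed != expected:
            # Same MAC, different device type: the Deny Access Profile case.
            return "DENY", f"device type {observed!r} does not match stored {expected!r}"
        reason = "device type matches endpoint record"
    elif observed:
        # First successful authentication: record what the controller reported.
        if endpoint is None:
            endpoint = Endpoint(mac)
            repo.endpoints[mac] = endpoint
        endpoint.attributes[ENDPOINT_ATTR] = observed
        reason = f"first sighting; recorded device type {observed!r}"
    else:
        reason = "no device type reported; nothing recorded"

    repo.active_sessions[mac] = repo.active_sessions.get(mac, 0) + 1
    return "ALLOW", reason


def end_session(mac: str, repo: Repository) -> None:
    """Accounting-stop equivalent: release one active session for the MAC."""
    mac = normalize_mac(mac)
    if repo.active_sessions.get(mac, 0) > 0:
        repo.active_sessions[mac] -= 1


def run_scenario() -> list[str]:
    """Walk through the cases raised in the thread; returns the decisions."""
    repo = Repository()
    # Constructed requests: a legitimate Android guest, and a second device
    # presenting the same MAC (different separator style) as an iPhone.
    legit = {"mac": "AA-BB-CC-11-22-33", DEVICE_TYPE_ATTR: "Android"}
    same_mac_iphone = {"mac": "aa:bb:cc:11:22:33", DEVICE_TYPE_ATTR: "iPhone"}

    decisions = []
    decisions.append(evaluate(legit, repo)[0])            # ALLOW, attribute written
    decisions.append(evaluate(same_mac_iphone, repo)[0])  # DENY: session limit
    end_session(legit["mac"], repo)                       # legit client disconnects (post 8)
    decisions.append(evaluate(same_mac_iphone, repo)[0])  # DENY: 'iPhone' != stored 'Android'
    decisions.append(evaluate(legit, repo)[0])            # ALLOW: type matches
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```

The scenario reproduces post 8's objection: once the legitimate client disconnects, the session limit alone no longer blocks a second device on the same MAC, and it is the stored device-type attribute that produces the deny. As post 9 notes, the comparison is only as strong as the profiled device type, so it adds a check rather than replacing authentication.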