Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Endpoint database against MAC spoofing

  • 1.  Endpoint database against MAC spoofing

    Posted Aug 06, 2013 09:21 AM

    Before I start building it, I'd check if someone knows this for sure. The problem with MAC authentication is MAC spoofing. Does the Endpoint database help here? I mean, what happens when I log in with two devices with the same MAC but with clearly different OSes (Linux / Win / Mac): do two different endpoints end up in the database, or does one overwrite the other?



  • 2.  RE: Endpoint database against MAC spoofing
    Best Answer

    EMPLOYEE
    Posted Aug 06, 2013 09:43 AM

    Yes!!! We create a conflict condition if, say, an HP printer (originally profiled) starts showing up as a Debian Linux device. We can catch this and flag it as a "conflict", and based on that state you can trigger a deny or CoA termination to the network.



  • 3.  RE: Endpoint database against MAC spoofing

    Posted Aug 06, 2013 10:10 AM

    That sounds quite good. Does that mean it stays one entry with an extra flag, or do multiple MAC entries get created?



  • 4.  RE: Endpoint database against MAC spoofing
    Best Answer

    EMPLOYEE
    Posted Aug 06, 2013 10:16 AM

    It uses one entry.
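
A minimal model of the behaviour described in posts 2 and 4 (one entry per MAC, flagged as a conflict when the profiled device type changes), added here as an illustration. It is not ClearPass code; the class names, fields and sample events are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:                      # hypothetical record layout
    mac: str
    category: str                    # e.g. "Printer", "Computer"
    os_family: str                   # e.g. "HP Printer", "Debian Linux"
    conflict: bool = False
    history: list = field(default_factory=list)

class EndpointDB:
    """Toy endpoint store holding exactly one entry per MAC address."""
    def __init__(self):
        self._by_mac = {}

    def __len__(self):
        return len(self._by_mac)

    @staticmethod
    def normalize(mac):
        # Accept colon, dash and dotted notations; compare on bare hex.
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        return digits

    def get(self, mac):
        return self._by_mac[self.normalize(mac)]

    def observe(self, mac, category, os_family):
        key = self.normalize(mac)
        ep = self._by_mac.get(key)
        if ep is None:
            ep = self._by_mac[key] = Endpoint(key, category, os_family)
        elif (category, os_family) != (ep.category, ep.os_family):
            # Same MAC, different fingerprint: keep the original profile,
            # record what was seen, and flag the single entry.
            ep.conflict = True
            ep.history.append((category, os_family))
        return ep

def enforce(ep):
    # The flag is sticky in this model: by MAC alone the original device
    # and the impostor cannot be told apart, so both are denied until an
    # administrator reviews the entry.
    return "DENY" if ep.conflict else "ALLOW"

EVENTS = [  # constructed sample profiling events, not real data
    ("00:11:22:AA:BB:01", "Printer", "HP Printer"),
    ("00-11-22-aa-bb-01", "Computer", "Debian Linux"),
    ("00:11:22:AA:BB:02", "Computer", "Windows"),
    ("0011.22aa.bb01", "Printer", "HP Printer"),
]

def replay(events):
    db = EndpointDB()
    return db, [enforce(db.observe(*e)) for e in events]
```
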


  • 5.  RE: Endpoint database against MAC spoofing

    Posted Nov 13, 2013 09:58 AM

    So in the latest CPPM 6.2.3.57998, "conflict" has been removed. Is there an ETA when it will be re-added?



  • 6.  RE: Endpoint database against MAC spoofing

    Posted Feb 26, 2014 03:05 PM

    Hadn't even noticed. Been working on getting MAC spoof detection working for months now, no luck. Personally I'm starting to feel it doesn't work (anymore) and there doesn't appear to be any interest in getting it to work.

    Of course it is nothing more than a nice gimmick; even if the functionality would work in ClearPass, there are too many ways to bypass it.



  • 7.  RE: Endpoint database against MAC spoofing