Frequent Contributor II

Enforcement Based on DHCP?

Curious if there is a way in ClearPass to shut a Cisco wired port down if a connection is being made with a device that is statically IP'd instead of participating in DHCP. Is the logic built into ClearPass to create policy around DHCP/non-DHCP, or has anyone built this in their environment?


The reason I'm asking is we had a pen tester get right on our network with a Linux box spoofing the MAC of a Cisco VoIP phone. After working with TAC it appears ClearPass never saw the DHCP request from the Linux box acting as a phone, so it MAC auth'd and the conflict flag was never marked as true. No DHCP options were received from the Linux box for it to be fingerprinted, so it let it on. The pen tester either has logic built into their spoofing tool that prohibits particular DHCP options from being sent so it can't be fingerprinted, or had a static address and DHCP was not even used.

I'd like to build an enforcement policy that says if you do not use DHCP your port is shut down. We have zero static IPs in our user environment, so this would eliminate the scenario we experienced.

Frequent Contributor I

Re: Enforcement Based on DHCP?

You can prevent static IPs by using the Catalyst switch alone.

No need to involve ClearPass.

Have a look at DHCP Snooping and IP Source Guard.


A competent pen tester will still be able to pass through it by listening to the DHCP request (to get all the options and classes) and cloning the MAC.

If you want some real security you must go with 802.1x.



Frequent Contributor I

Re: Enforcement Based on DHCP?

As a pen tester, getting into a network with legacy devices after having physical access to the premises is not such a huge success in itself. Actually, you should always expect this result when using MAC auth, as it is not a strong security measure (if at all). But the pen tester still has to find a way to do something harmful with that access.

To prevent some harm, for all those devices that are limited to MAB you should set a restrictive ACL that only allows them to access the minimum services they need to do their work. For a phone, you would open only the SIP server and DNS. For a printer, you enable access from the print server. Etc. Then, maybe set up a PVLAN and enable Dynamic ARP Inspection to prevent the attacker from accessing other devices in the same VLAN/L2 network.

Then follow the best practices to configure your servers. Keep them patched, use proper passwords and strong keys or 2FA, fail2ban, and the likes.


For everything that supports dot1x, just use it.


If you want to spend some money, you can also invest into some user behaviour monitoring tool like Introspect, that would probably alert you when that spoofed "phone" would start doing unusual portscans or uploading stuff to the internet. Then you could feed that event to ClearPass and shut the port down.
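Pulling together the switch-side controls the two replies above point at (DHCP Snooping and IP Source Guard from the first reply; a restrictive port ACL and Dynamic ARP Inspection from the second), here is a constructed Cisco IOS configuration as an added example. It is not from any poster; VLAN 10, the interface names and the SIP/DNS server addresses are assumptions, and the exact `ip verify source` keywords vary by platform.

```text
! Constructed example. Assumes VLAN 10 is the voice/MAB VLAN, Gi1/0/1 is a
! phone access port and Gi1/0/48 is the uplink toward the DHCP server.
!
! DHCP Snooping: learn (MAC, IP, VLAN, port) bindings from real DHCP
! exchanges. Access ports are untrusted by default; only the uplink is trusted.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Dynamic ARP Inspection: drop ARP that does not match a snooping binding,
! so a host on the port cannot poison neighbours in the same L2 segment.
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/48
 description uplink toward DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Port ACL for a MAB phone: SIP server and DNS only (addresses constructed).
! DHCP itself must stay permitted or the phone never gets a lease.
ip access-list extended PHONE-ONLY
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.0.0.5 eq 5060
 permit udp any host 10.0.0.53 eq domain
 deny ip any any log
!
interface GigabitEthernet1/0/1
 description MAB phone port
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ! IP Source Guard: a host that configured a static address never appears in
 ! the binding table, so its IP traffic is dropped until it takes a lease.
 ip verify source
 ip access-group PHONE-ONLY in
!
! Checks after applying:
!   show ip dhcp snooping binding          (the phone's lease should be listed)
!   show ip verify source                  (Gi1/0/1 shows "active" with that IP)
!   show ip arp inspection statistics vlan 10
```

The `deny ip any any log` line gives you a syslog trail of anything a spoofed "phone" tries beyond SIP/DNS, which is the event you would feed back to ClearPass to shut the port.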

Frequent Contributor II

Re: Enforcement Based on DHCP?

Thank you for taking the time to provide such great information.  Much appreciated.
