Trusted Contributor I

MAC spoofing protection not working

a while ago i checked about MAC spoofing protection, recently i had some time to test it out but it doesn't function as hoped.


i'm testing with a fixed device which is profiled (IP helper set to clearpass) correctly, then i take my laptop with the linux backtrack distribution, spoof the MAC and try to authenticate, both use DHCP.


two things are unclear / broken for me.


1) how do i act on device conflict? i can't turn on the profiling tab, set it to CoA disconnect when status is conflict. but nowhere i can find when this conflict condition occurs. i had expected to see something in the endpoint database but there i find nothing. it also doesn't seem to work, but the reason is unclear, doesn't a conflict occur or is it something else?


2) when i start with the linux laptop and afterwards plug in the other device the entry in the endpoint database is updated correctly (all fields i mean, hostname, category and such, no mention of conflict, the entry is just "overwritten"). but when i start with the other device and then the linux laptop only the hostname changes, the rest like the OS and type remain the original one. to me this is not expected behavior right? anyone ran into a bug here?

Re: MAC spoofing protection not working

I will have to test this in my lab when I get back and get back to you. 


Your enforcement policy should have a condition stating something like what I have below, but in my example I'm putting the device in a dead end vlan instead of a reject. If I send a reject the user or device could just keep trying to connect and get rejected. This way I can control the user after they try to trick the system.





Thank You,

Trusted Contributor I

Re: MAC spoofing protection not working

thanks tarnold, your rule makes sense but again is based on the conflict category which i can't seem to get in the end point database. not even when changing from a linux laptop to the device we use, pretty much everything but the MAC changes, still there is no hint of a conflict.

Trusted Contributor I

Re: MAC spoofing protection not working

also opened a ticket with support, they told me to enable the audit tab. done this and see the nmap scan happening, but no further effect. i also fail to see anywhere what the result is.


i found the ancient document on the support site, but i fail to connect all the dots:

Regular Contributor I

Re: MAC spoofing protection not working

boneyard - have you gotten anywhere with your case? I'm running into the same issue. 


Trusted Contributor I

Re: MAC spoofing protection not working

not yet, support is working on it. if it gets worked out i'll certainly report back here.


as i said, audit needs to be turned on and the devices need to be audited correctly, the policy simulation is the way to test this.


in the meantime i'm certainly interested in people who have made this work at some time.

Trusted Contributor I

Re: MAC spoofing protection not working

so, three months later and still not working.


went from audit to profiling and back to audit, but no success. it seems we are close because the scan and / or profiling does detect different devices, clearpass just doesn't act on it.


seeing how this doesn't pick up any replies makes me believe no one is using it anyway :)

Re: MAC spoofing protection not working

Boneyard - I know this is an old thread, but ever come up with a fix for this?

Michael Haring
Trusted Contributor I

Re: MAC spoofing protection not working

it has been some time ago but i believe there was a bug which was fixed in later versions. so the original suggestion from tarnold with the conflict category should work now. i'm not sure if i ever got around to testing it later on. i have a PoC coming up soon and will see if i can slip this in :)

Trusted Contributor I

Re: MAC spoofing protection not working

for me the conflict status doesn't work, but i might be using it wrong, i posted my reply in the thread below and will continue updates there:
