Security

Occasional Contributor II

Mac spoofing

For devices having no certificate, like printers, which can be authenticated purely on the basis of MAC address,

the MAC address can be easily spoofed. What protection against those can CPPM provide?

Any article or config which can help. I know there is no control on the client to change the MAC address.

Contributor I

Re: Mac spoofing

If a printer is connected to the network it will be profiled if everything is configured correctly. Now if someone tries to spoof the MAC of the printer when that device is profiled and it is classified with a different device category, the conflict attribute will be set in the endpoint repository. This can be used in enforcement to take actions on devices in this situation.

Now remember, when relying completely on MAC Auth you should be writing policies and taking that level of trust into account.

MVP Expert

Re: Mac spoofing

Hi,

take a look into "ClearPass Solution Guide: Wired Policy Enforcement" written by Tim Cappalli.

At the beginning you'll find a diagram showing which method provides what security level and how much effort it is to configure.

Also the profiling solution as mentioned by "jpearcy00" is described there, including configuration examples for different switch families.

Regards, Jö

Please give kudos, if you like my post.
Please Accept as solution, if my post was helpful.
Occasional Contributor II

Re: Mac spoofing

Hello,

I understand about the conflict attribute.

I have two queries:

1) When a device is profiled, it goes to the endpoint database. Until what time does the profiled info remain in the ClearPass endpoint DB? The point is, if I connect as a Computer and tomorrow I connect as a Printer with MAC spoofing, does ClearPass have the old info of the profile? And for how long a duration can it keep it?

2) If I connect with the same Vendor and OS type from another machine and spoof the MAC address, will ClearPass detect it?

MVP Guru

Re: Mac spoofing

The idea of profiling is that you detect the device type. So if you attach a similar device, like another HP printer if you are profiling HP printers to get into the printer VLAN, it will get the same access. What you should probably do for devices that get access only based on profiling is to limit the access. For printers, make sure that the provided access only allows printing (and monitoring). For IP Phones, make sure that it only can call with the VLAN/role/dACLs applied. In that case, you can at least limit the risk for possible spoofed devices. If you need more, or more privileged access, just using MAC authentication and profiling may not provide enough confidence and you might need to apply other security controls like physical security, or stronger authentication methods.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II

Re: Mac spoofing

Hello Herman,

Thanks for your response.

About my initial query: until what duration does ClearPass keep the profiling data in the endpoint database, or does it keep it forever? If I spoof and connect after 1 month, will it detect it?

MVP Guru

Re: Mac spoofing

Unless you clean-up the endpoint database, the profiling data will be kept forever.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor I

Re: Mac spoofing

I tried out the conflict option.

But if I connect a notebook with a spoofed MAC address of a known printer, the whole endpoint entry in the repository gets the data of my notebook.

No conflict is triggered and there is only one endpoint with the MAC.

Is there anything special to configure in profile options?

MVP

Re: Mac spoofing

Between device reconnections there is some time before profiling is triggered again.

If you reconnect too fast after a successful profiling (within 1 minute or so), profiling didn't happen again. So there is no conflict detected.

It isn't waterproof ;) MAC spoofing should always be a concern when using MAC auth, even with profiling.

Think also about protection of your printer VLAN by your firewall, so that only the print server can contact your printers (as an example).
Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Frequent Contributor I

Re: Mac spoofing

There has to be a minimum of 10 minutes between the first client profiled and the spoofed device.

I have tried this myself before with ClearPass 6.7 but there is an issue that the conflict trigger is not processed. So TAC told me to wait for 6.8 where this is fixed.
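As an added illustration of the behaviour discussed in this thread (jpearcy00's conflict attribute, Herman's point that a same-category spoof is not distinguishable, and the re-profiling interval Marcel and the last poster describe), here is a small Python model written for this page, not ClearPass code. The endpoint store, the 10-minute re-profile interval and the role names are assumptions.

```python
# Hypothetical model of a MAC-auth endpoint repository with device profiling.
# Timestamps are plain seconds so the logic is easy to drive from a script.
REPROFILE_INTERVAL = 10 * 60   # assumption: minimum seconds between profiling runs


class Endpoint:
    def __init__(self, mac, category, profiled_at):
        self.mac = mac
        self.category = category        # e.g. "Printer", "Computer"
        self.profiled_at = profiled_at  # when the category was last written
        self.conflict = False           # set when a re-profile changes category


class EndpointRepository:
    """Keeps one entry per MAC; the data survives until someone cleans it up."""

    def __init__(self):
        self.endpoints = {}

    def profile(self, mac, category, now):
        mac = mac.lower()
        ep = self.endpoints.get(mac)
        if ep is None:                              # first sighting of this MAC
            ep = Endpoint(mac, category, now)
            self.endpoints[mac] = ep
            return ep
        if now - ep.profiled_at < REPROFILE_INTERVAL:
            return ep                               # too soon: no re-profile, no conflict
        if category != ep.category:
            ep.conflict = True                      # e.g. Printer -> Computer
        ep.category = category
        ep.profiled_at = now
        return ep


def enforcement_role(ep):
    """Enforcement policy: conflicted MACs are quarantined, printers get print-only access."""
    if ep.conflict:
        return "QUARANTINE"
    if ep.category == "Printer":
        return "PRINTER_ONLY"   # constrained role: printing and monitoring only
    return "DENY"
```

The interesting cases are the second and third: a laptop reconnecting inside the interval keeps the printer's role untouched, while the same laptop profiled later flips the category and is quarantined; a second device profiled as a printer is indistinguishable and gets printer access.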
