Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac spoofing

  • 1.  Mac spoofing

    Posted Mar 12, 2019 07:49 PM

    For devices having no certificate, like printers, which can be authenticated purely on the basis of MAC address:

    the MAC address can be easily spoofed. What protection against that can CPPM provide?

    Any article or config which can help? I know there is no control on the client over changing the MAC address.



  • 2.  RE: Mac spoofing

    EMPLOYEE
    Posted Mar 12, 2019 09:59 PM
    If a printer is connected to the network it will be profiled, if everything is configured correctly. Now, if someone tries to spoof the MAC of the printer when that device is profiled and it is classified with a different device category, the conflict attribute will be set in the endpoint repository. This can be used in enforcement to take actions on devices in this situation.

    Now remember, when relying completely on MAC auth, you should be writing policies that take that level of trust into account.


  • 3.  RE: Mac spoofing

    Posted Mar 13, 2019 04:45 AM

    Hi,

    take a look into "ClearPass Solution Guide: Wired Policy Enforcement" written by Tim Cappalli.

    At the beginning you'll find a diagram showing which method provides what security level and how much effort it is to configure.

    Also the profiling solution as mentioned by "jpearcy00" is described there, including configuration examples for different switch families.

    Regards, Jö



  • 4.  RE: Mac spoofing

    Posted Mar 13, 2019 06:02 AM

    Hello,

    I understand about the conflict attribute.

    I have two queries:

    1) When a device is profiled, it goes to the endpoint database. For how long does the profiled info remain in the ClearPass endpoint DB? The point is: if I connect as a computer and tomorrow I connect as a printer with MAC spoofing, does ClearPass still have the old profile info, and for how long can it keep it?

    2) If I connect with the same vendor and OS type from another machine and spoof the MAC address, will ClearPass detect it?



  • 5.  RE: Mac spoofing

    EMPLOYEE
    Posted Mar 13, 2019 06:25 AM

    The idea of profiling is that you detect the device type. So if you attach a similar device, like another HP printer if you are profiling HP printers to get into the printer VLAN, it will get the same access. What you should probably do for devices that get access only based on profiling is to limit the access. For printers, make sure that the provided access only allows printing (and monitoring). For IP Phones, make sure that it only can call with the VLAN/role/dACLs applied. In that case, you can at least limit the risk for possible spoofed devices. If you need more, or more privileged access, just using MAC authentication and profiling may not provide enough confidence and you might need to apply other security controls like physical security, or stronger authentication methods.



  • 6.  RE: Mac spoofing

    Posted Mar 13, 2019 06:31 AM

    Hello Herman,

    Thanks for your response.

    About my initial query: for what duration does ClearPass keep the profiling data in the endpoint database, or does it keep it forever? If I spoof and connect after 1 month, will it detect it?



  • 7.  RE: Mac spoofing

    EMPLOYEE
    Posted Mar 13, 2019 07:53 AM

    Unless you clean-up the endpoint database, the profiling data will be kept forever.



  • 8.  RE: Mac spoofing

    Posted Mar 13, 2019 08:22 AM

    I tried out the conflict option.

    But if I connect a notebook with a spoofed MAC address of a known printer, the whole endpoint entry in the repository gets the data of my notebook.

    No conflict is triggered and there is only one endpoint with the MAC.

    Is there anything special to configure in the profile options?



  • 9.  RE: Mac spoofing

    Posted Mar 14, 2019 10:33 AM

    There has to be a minimum of 10 minutes between the first client being profiled and the spoofed device.

    I have tried this myself before with ClearPass 6.7, but there is an issue that the conflict trigger is not processed. So TAC told me to wait for 6.8, where this is fixed.



  • 10.  RE: Mac spoofing

    EMPLOYEE
    Posted Mar 14, 2019 10:48 AM
    5 minutes, not 10 and there is no change in this behavior in 6.8.


  • 11.  RE: Mac spoofing

    MVP EXPERT
    Posted Mar 13, 2019 07:33 PM
    Between device reconnections there is some time before profiling is triggered again.

    If you reconnect too fast after a successful profiling (within 1 minute or so), profiling doesn't happen again, so there is no conflict detected.

    It isn't waterproof ;) MAC spoofing should always be a concern when using MAC auth, even with profiling.

    Think also about protecting your printer VLAN with your firewall, so that only the print server can contact your printers (as an example).
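The behaviour discussed across this thread (a profiled endpoint kept in the repository until cleaned up, a conflict flag set when a known MAC re-profiles as a different category, no re-profiling if the device reconnects inside a short window, and least-privilege enforcement plus a firewall rule as the fallback) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not ClearPass code and does not use the ClearPass API. The 5-minute window, the category and role names, the port list for a printer role, and the printer VLAN and print server addresses are all assumptions chosen to mirror the replies above, not documented product values.

```python
"""Toy model of MAC-auth + profiling + conflict detection as described in the
thread above. Illustrative code written for this page, NOT ClearPass code.
Every constant below is an assumption that mirrors the discussion."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed minimum gap between two profiling runs for the same MAC
# (the employee reply says 5 minutes; modelled here as a parameter).
REPROFILE_WINDOW = timedelta(minutes=5)


@dataclass
class Endpoint:
    mac: str
    category: str            # assumed category names: "Printer", "Computer", ...
    vendor: str
    last_profiled: datetime
    conflict: bool = False   # set when a known MAC re-profiles as a different category
    history: list = field(default_factory=list)   # (timestamp, category) per profiling run


class EndpointRepository:
    """Stand-in for the endpoint database: one record per MAC, kept until cleaned up."""

    def __init__(self):
        self.db = {}

    def profile(self, mac, category, vendor, now):
        mac = mac.lower()
        ep = self.db.get(mac)
        if ep is None:
            ep = Endpoint(mac, category, vendor, now, history=[(now, category)])
            self.db[mac] = ep
            return ep
        if now - ep.last_profiled < REPROFILE_WINDOW:
            # Reconnected too soon: profiling does not run again, so a changed
            # device class cannot be noticed (the caveat in the last replies).
            return ep
        if category != ep.category:
            ep.conflict = True
        ep.history.append((now, category))
        ep.category, ep.vendor, ep.last_profiled = category, vendor, now
        return ep


# Assumed least-privilege roles: a MAC-authenticated printer only gets print
# (9100, IPP 631) and SNMP monitoring; a conflicting or unknown device is quarantined.
ROLE_PERMITS = {
    "printer-role": {("tcp", 9100), ("tcp", 631), ("udp", 161)},
    "quarantine": set(),
}


def assign_role(ep):
    if ep.conflict:
        return "quarantine"
    if ep.category == "Printer":
        return "printer-role"
    return "quarantine"


def is_permitted(role, proto, port):
    return (proto, port) in ROLE_PERMITS[role]


PRINTER_VLAN = ipaddress.ip_network("10.20.0.0/24")   # assumed printer VLAN
PRINT_SERVER = ipaddress.ip_address("10.10.0.5")     # assumed print server


def firewall_allows(src, dst, proto, port):
    """Inter-VLAN rule from the last reply: only the print server may open
    print/monitoring ports towards the printer VLAN. Other destinations are
    outside this rule's scope and pass through unchanged."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in PRINTER_VLAN:
        return True
    return src == PRINT_SERVER and (proto, port) in ROLE_PERMITS["printer-role"]


def run_scenarios():
    """Replays the cases raised in the thread on constructed MACs and timestamps."""
    repo = EndpointRepository()
    t0 = datetime(2019, 3, 13, 8, 0, 0)        # constructed timestamp
    mac = "00:11:22:33:44:55"                  # constructed printer MAC
    out = {}
    out["printer"] = assign_role(repo.profile(mac, "Printer", "HP", t0))
    # Notebook spoofing the printer MAC reconnects 1 minute later: inside the
    # window, no re-profiling, old classification stands, access is unchanged.
    out["spoof_fast"] = assign_role(
        repo.profile(mac, "Computer", "Lenovo", t0 + timedelta(minutes=1)))
    # Same notebook 10 minutes later: re-profiled, category differs,
    # conflict flag set, enforcement quarantines it.
    out["spoof_slow"] = assign_role(
        repo.profile(mac, "Computer", "Lenovo", t0 + timedelta(minutes=10)))
    # Same vendor and same category on another known printer MAC:
    # profiling cannot tell the difference, so the printer role is granted.
    mac2 = "00:11:22:33:44:66"                 # constructed second printer MAC
    repo.profile(mac2, "Printer", "HP", t0)
    out["same_class_spoof"] = assign_role(
        repo.profile(mac2, "Printer", "HP", t0 + timedelta(minutes=10)))
    return out


if __name__ == "__main__":
    for case, role in run_scenarios().items():
        print(f"{case:18s} -> {role}")
```

The point of the model is the two gaps the replies describe: a quick reconnect never re-profiles, and a same-class spoof never conflicts, which is why the printer role and the firewall rule carry the real security weight rather than the conflict flag alone.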