Security

Hello all

I have an issue related to Mac spoofing I tried many things to prevent it but the same problem exists.

 we using CPPM ver 6.10.4, using Mac auth-service for APs (enabling authorized-profiling), configured a conflict trigger in policy too, and reduced endpoint DB time for the cache to 5 seconds, CPPM could profile good but when spoofing on AP's Mac and use it through my laptop I find the laptop authenticated with AP profile!!  and conflict trigger doesn't work as CPPM didn't catch it to deny. I just found an alert for conflict in endpoint DB.

how can I make CPPM prevent Spoofing?

Hi

Do you have the enforcement configured to deny access based on this condition:

(Authorization:[Endpoints Repository]:Conflict  EQUALS  true)

If this doesn't work try to change the Endpoint DB cache to 0.

I have the solution working with the setting above. Also remember to have the conflict detection rule first in the Enforcement policy

Hello all

I have an issue related to Mac spoofing I tried many things to prevent it but the same problem exists.

 we using CPPM ver 6.10.4, using Mac auth-service for APs (enabling authorized-profiling), configured a conflict trigger in policy too, and reduced endpoint DB time for the cache to 5 seconds, CPPM could profile good but when spoofing on AP's Mac and use it through my laptop I find the laptop authenticated with AP profile!!  and conflict trigger doesn't work as CPPM didn't catch it to deny. I just found an alert for conflict in endpoint DB.

how can I make CPPM prevent Spoofing?

hi Jonas,

I tried it with many changes too but not working.

Hi

Do you have the enforcement configured to deny access based on this condition:

(Authorization:[Endpoints Repository]:Conflict  EQUALS  true)

If this doesn't work try to change the Endpoint DB cache to 0.

I have the solution working with the setting above. Also remember to have the conflict detection rule first in the Enforcement policy

Hello all

I have an issue related to Mac spoofing I tried many things to prevent it but the same problem exists.

 we using CPPM ver 6.10.4, using Mac auth-service for APs (enabling authorized-profiling), configured a conflict trigger in policy too, and reduced endpoint DB time for the cache to 5 seconds, CPPM could profile good but when spoofing on AP's Mac and use it through my laptop I find the laptop authenticated with AP profile!!  and conflict trigger doesn't work as CPPM didn't catch it to deny. I just found an alert for conflict in endpoint DB.

how can I make CPPM prevent Spoofing?

Hello all

I have an issue related to Mac spoofing I tried many things to prevent it but the same problem exists.

 we using CPPM ver 6.10.4, using Mac auth-service for APs (enabling authorized-profiling), configured a conflict trigger in policy too, and reduced endpoint DB time for the cache to 5 seconds, CPPM could profile good but when spoofing on AP's Mac and use it through my laptop I find the laptop authenticated with AP profile!!  and conflict trigger doesn't work as CPPM didn't catch it to deny. I just found an alert for conflict in endpoint DB.

how can I make CPPM prevent Spoofing?

First of all, only use MAC authentication when some other authentication cannot be used.. Ideally you manage the clients and turn off MAC Address randomization.

I believe you should be able to deny MAC Address randomization with a role mapping rule.

We currently detect randomized MACs with this rule: (Connection:Client-Mac-Address-Colon  MATCHES_REGEX  ^.[26aeAE])

Hello all

I have an issue related to Mac spoofing I tried many things to prevent it but the same problem exists.

 we using CPPM ver 6.10.4, using Mac auth-service for APs (enabling authorized-profiling), configured a conflict trigger in policy too, and reduced endpoint DB time for the cache to 5 seconds, CPPM could profile good but when spoofing on AP's Mac and use it through my laptop I find the laptop authenticated with AP profile!!  and conflict trigger doesn't work as CPPM didn't catch it to deny. I just found an alert for conflict in endpoint DB.

how can I make CPPM prevent Spoofing?

Hello all

I have an issue related to Mac spoofing I tried many things to prevent it but the same problem exists.

 we using CPPM ver 6.10.4, using Mac auth-service for APs (enabling authorized-profiling), configured a conflict trigger in policy too, and reduced endpoint DB time for the cache to 5 seconds, CPPM could profile good but when spoofing on AP's Mac and use it through my laptop I find the laptop authenticated with AP profile!!  and conflict trigger doesn't work as CPPM didn't catch it to deny. I just found an alert for conflict in endpoint DB.

how can I make CPPM prevent Spoofing?