[EXTERNAL] How to mitigate MAC spoofing in MAB

Carlos Bordon cgermanb at live.com.ar
Fri Feb 8 18:58:05 CET 2019


> The second thing you can do is on the FreeRADIUS side, which is to use a Simultaneous Use
> database to prevent MAB requests from different ports at nearly the same time
> from being accepted.  However, this can be problematic.  If you are updating the
> Simultaneous Use database based on edge switch Accounting packets, then the
> edge switch may leave stale sessions open and continue to send updates after a host
> is unplugged and moved by the user to another port... especially if a minihub has
> been attached to the network and the link stays up.  Then when the user gets to the
> place they have moved, they cannot get on the network because Simultaneous Use
> thinks they are an imposter.

This is great!
How can I do this?

Thanks!

________________________________
From: Freeradius-Users <freeradius-users-bounces+cgermanb=live.com.ar at lists.freeradius.org> on behalf of Brian Julin <BJulin at clarku.edu>
Sent: Thursday, 7 February 2019 17:20
To: freeradius-users at lists.freeradius.org
Subject: Re: [EXTERNAL] How to mitigate MAC spoofing in MAB


Carlos Bordon <cgermanb at live.com.ar> wrote:

> I have one server with FreeRADIUS, another with DHCP, and they are connected to a Cisco 6800 switch. We authenticate the endpoints with MAB, because we can't use 802.1X. The problem that I want to resolve is to mitigate MAC spoofing on layer two.
> For us it is the same whether we mitigate the problem in the RADIUS or the switch config.

With MAB there is absolutely no way to tell if the host using a MAC address
is the actual host that has that burned-in address (BIA).

There are a few things you can do.

First, use IP DHCP snooping and ARP inspection features on the edge switch.
This will at least keep one host from spoofing many IP or MAC addresses without
doing a DHCP transaction for each address, which slows an attacker down.
You can also use edge switch port security features to limit the number of
MAC addresses allowed on a single port to something reasonable.
(While you are at it, see if you also have features to prevent DHCP starvation.)

The second thing you can do is on the FreeRADIUS side, which is to use a Simultaneous Use
database to prevent MAB requests from different ports at nearly the same time
from being accepted.  However, this can be problematic.  If you are updating the
Simultaneous Use database based on edge switch Accounting packets, then the
edge switch may leave stale sessions open and continue to send updates after a host
is unplugged and moved by the user to another port... especially if a minihub has
been attached to the network and the link stays up.  Then when the user gets to the
place they have moved, they cannot get on the network because Simultaneous Use
thinks they are an imposter.

You have to check the behavior of your edge switches and do a lot of testing to
make sure that this will work without problems.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
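The edge-switch side of the first suggestion (DHCP snooping, Dynamic ARP Inspection, port security), as an added Python model of what each feature checks. This is not Cisco code and not code from either poster; port names, MAC addresses, the DHCP server address and the lease are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class EdgeSwitch:
    """Toy model of DHCP snooping, Dynamic ARP Inspection and port security
    on one access switch. Constructed for this thread, not Cisco code; the
    frames are dicts of the fields each feature actually looks at."""
    trusted_ports: set                              # uplinks toward the real DHCP server
    max_macs_per_port: int = 2                      # switchport port-security maximum
    bindings: dict = field(default_factory=dict)    # (client MAC, IP) -> access port
    pending: dict = field(default_factory=dict)     # client MAC -> port its REQUEST came in on
    learned: dict = field(default_factory=dict)     # port -> source MACs seen

    def port_security(self, port, src_mac):
        """Port security: cap distinct source MACs per untrusted port."""
        if port in self.trusted_ports:
            return True
        macs = self.learned.setdefault(port, set())
        if src_mac not in macs and len(macs) >= self.max_macs_per_port:
            return False
        macs.add(src_mac)
        return True

    def dhcp(self, port, src_mac, op, chaddr, yiaddr=None):
        """DHCP snooping: client messages need frame source == chaddr (the
        'verify mac-address' check), server messages are only accepted on
        trusted ports, and an ACK creates a binding on the port the client's
        REQUEST came from."""
        if not self.port_security(port, src_mac):
            return "drop: port-security"
        if op in ("DISCOVER", "REQUEST"):
            if port not in self.trusted_ports:
                if src_mac != chaddr:
                    return "drop: snooping chaddr mismatch"
                self.pending[chaddr] = port
            return "forward"
        if op in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                return "drop: snooping server on untrusted port"
            if op == "ACK" and chaddr in self.pending:
                self.bindings[(chaddr, yiaddr)] = self.pending.pop(chaddr)
            return "forward"
        return "forward"

    def arp(self, port, src_mac, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP must match a snooping
        binding for this port, and the sender MAC must match the frame source."""
        if not self.port_security(port, src_mac):
            return "drop: port-security"
        if port in self.trusted_ports:
            return "forward"
        if sender_mac != src_mac:
            return "drop: DAI sender-mac != src-mac"
        if self.bindings.get((sender_mac, sender_ip)) != port:
            return "drop: DAI no binding"
        return "forward"


def scenario():
    """Constructed run: the victim leases 10.0.0.10 on Gi1/0/1, then an
    attacker on Gi1/0/2 tries the usual layer-2 tricks. Returns the verdicts."""
    sw = EdgeSwitch(trusted_ports={"Gi1/0/48"}, max_macs_per_port=2)
    victim, attacker, server = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:de:ad:be:ef:01"
    out = {}
    sw.dhcp("Gi1/0/1", victim, "REQUEST", chaddr=victim)
    sw.dhcp("Gi1/0/48", server, "ACK", chaddr=victim, yiaddr="10.0.0.10")
    out["victim arp"] = sw.arp("Gi1/0/1", victim, victim, "10.0.0.10")
    # ARP poisoning: attacker claims the victim's IP with its own MAC
    out["arp poison"] = sw.arp("Gi1/0/2", attacker, attacker, "10.0.0.10")
    # MAC spoofing: attacker forges the victim's MAC and IP, but on its own port
    out["mac spoof"] = sw.arp("Gi1/0/2", victim, victim, "10.0.0.10")
    # rogue DHCP server on an access port
    out["rogue dhcp"] = sw.dhcp("Gi1/0/2", attacker, "OFFER", chaddr=victim, yiaddr="10.0.0.99")
    # lease request whose chaddr does not match the frame's source MAC
    out["forged chaddr"] = sw.dhcp("Gi1/0/2", attacker, "REQUEST", chaddr="02:00:00:00:00:01")
    # a third MAC on the attacker's port exceeds the port-security maximum
    out["third mac"] = sw.dhcp("Gi1/0/2", "02:00:00:00:00:02", "DISCOVER", chaddr="02:00:00:00:00:02")
    return out
```

Note what the model does and does not catch: a forged victim MAC on another port fails DAI only because the snooping binding is tied to the victim's port, and only ARP is inspected here; plain IP frames from a spoofed MAC are what IP Source Guard (`ip verify source`, also built on the snooping bindings) filters, which this model leaves out.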

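The Simultaneous-Use idea from the second suggestion, together with the stale-session failure mode it warns about, as an added Python example. This is not FreeRADIUS code and not code from either poster: it keeps a session table from Accounting-Request packets and applies a limit of one open session per MAC. The MAC, port names, session IDs and timestamps are constructed, and the `stale_after` expiry is an assumption of this example, not a FreeRADIUS setting.

```python
from dataclasses import dataclass


@dataclass
class Session:
    nas_port_id: str
    last_seen: int        # Event-Timestamp of the last Start / Interim-Update


class SimulUseTracker:
    """Session database for a Simultaneous-Use check, fed by accounting
    packets. Added example, not FreeRADIUS code; FreeRADIUS keeps this in
    radacct (sql) or radutmp and counts sessions without a stop time."""

    def __init__(self, limit=1, stale_after=None):
        self.limit = limit
        self.stale_after = stale_after   # assumed: seconds without an update before a session is ignored
        self.sessions = {}               # User-Name -> {Acct-Session-Id: Session}

    def accounting(self, pkt):
        """Apply one Accounting-Request (constructed dict of RADIUS attributes)."""
        user = self.sessions.setdefault(pkt["User-Name"], {})
        sid = pkt["Acct-Session-Id"]
        if pkt["Acct-Status-Type"] in ("Start", "Interim-Update"):
            user[sid] = Session(pkt["NAS-Port-Id"], pkt["Event-Timestamp"])
        elif pkt["Acct-Status-Type"] == "Stop":
            user.pop(sid, None)

    def open_sessions(self, username, now):
        sess = self.sessions.get(username, {}).values()
        if self.stale_after is None:
            return list(sess)
        return [s for s in sess if now - s.last_seen <= self.stale_after]

    def authorize(self, access_request):
        """The Simultaneous-Use check applied to a MAB Access-Request."""
        now = access_request["Event-Timestamp"]
        if len(self.open_sessions(access_request["User-Name"], now)) >= self.limit:
            return "Access-Reject"
        return "Access-Accept"


MAC = "001122334455"   # constructed; Cisco MAB sends the MAC as User-Name without separators


def acct(status, sid, port, ts):
    return {"User-Name": MAC, "Acct-Status-Type": status, "Acct-Session-Id": sid,
            "NAS-Port-Id": port, "Event-Timestamp": ts}


def request(port, ts):
    return {"User-Name": MAC, "NAS-Port-Id": port, "Event-Timestamp": ts}


def scenario(switch_keeps_updating, stale_after=None):
    """Constructed run: the host authenticates on Gi1/0/1, is unplugged behind a
    mini hub (link stays up, so the switch never sends a Stop) and reappears
    on Gi1/0/7 at t=1800. Returns (verdict for a second port at t=700,
    verdict for the move at t=1800)."""
    tracker = SimulUseTracker(limit=1, stale_after=stale_after)
    tracker.accounting(acct("Start", "0001", "Gi1/0/1", 0))
    tracker.accounting(acct("Interim-Update", "0001", "Gi1/0/1", 600))
    # same MAC on a different port while the first session is live: what the check is for
    spoof = tracker.authorize(request("Gi1/0/23", 700))
    if switch_keeps_updating:
        # the stale session is refreshed by interim updates, exactly the caveat above
        tracker.accounting(acct("Interim-Update", "0001", "Gi1/0/1", 1200))
        tracker.accounting(acct("Interim-Update", "0001", "Gi1/0/1", 1800))
    move = tracker.authorize(request("Gi1/0/7", 1800))
    return spoof, move
```

With no expiry the moved user is rejected forever; an expiry of 900 s only helps when the switch goes quiet about the old session, and a switch that keeps sending Interim-Updates for a link held up by a hub defeats it, which is why the edge switches have to be tested. In FreeRADIUS 3 the equivalent setup is the check item `Simultaneous-Use := 1` (in the `users` file or the `radcheck` table) together with `sql` or `radutmp` listed in the `session` section of the virtual server, so the Access-Request is counted against sessions that have no stop record; FreeRADIUS also ships the `checkrad` helper for asking the NAS whether such a session is really still up, which is the closest thing to the staleness check modelled here.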

