[EXTERNAL] How mitigate mac spoofing in mab

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Feb 26 04:12:36 CET 2019



> On Feb 9, 2019, at 1:58 AM, Carlos Bordon <cgermanb at live.com.ar> wrote:
> 
> 
> The second thing you can do is on the FreeRADIUS side, which is to use a Simultaneous Use
> database to prevent MAB requests from different ports at nearly the same time
> from being accepted.  However, this can be problematic.  If you are updating the
> Simultaneous Use database based on edge switch Accounting packets, then the
> edge switch may leave stale sessions open and continue to send updates after a host
> is unplugged and moved by the user to another port... especially if a minihub has
> been attached to the network and the link stays up.  Then when the user gets to the
> place they have moved, they cannot get on the network because Simultaneous Use
> thinks they are an imposter.
> 
> This is great!
> How can I do this?

So you read all the caveats and ways it can break and you're still enthusiastic? I feel for your users.

-Arran
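
The Simultaneous-Use check and the stale-session failure described in the quoted text above, as an added Python model that is not part of the original thread and is not FreeRADIUS code or configuration. The class, the function names, the switch names and the MAC address are all constructed for illustration.

```python
# Toy model of a Simultaneous-Use table keyed by MAC address.
# Not FreeRADIUS code or configuration; all names here are hypothetical.

class SimUseTable:
    def __init__(self):
        self.sessions = {}  # mac -> (nas, port) of the session believed active

    def accounting(self, status, mac, nas, port):
        """Apply an accounting packet sent by an edge switch."""
        if status in ("Start", "Interim-Update"):
            # Create the session if none exists; an existing one is kept as-is.
            self.sessions.setdefault(mac, (nas, port))
        elif status == "Stop" and self.sessions.get(mac) == (nas, port):
            del self.sessions[mac]

    def authorize_mab(self, mac, nas, port):
        """Reject MAB if the MAC already has a session on a different port."""
        active = self.sessions.get(mac)
        if active is None or active == (nas, port):
            return "Access-Accept"
        return "Access-Reject"


def replay(events):
    """Run constructed events through the table; return each auth decision."""
    table = SimUseTable()
    decisions = []
    for ev in events:
        if ev[0] == "acct":
            table.accounting(*ev[1:])
        else:
            decisions.append(table.authorize_mab(*ev[1:]))
    return decisions


MAC = "00-11-22-33-44-55"  # constructed sample value
EVENTS = [
    ("auth", MAC, "sw1", 3),                    # host plugs in on sw1 port 3
    ("acct", "Start", MAC, "sw1", 3),
    ("auth", MAC, "sw1", 7),                    # same MAC on another port, session live
    ("acct", "Interim-Update", MAC, "sw1", 3),  # host has moved; minihub keeps link up
    ("auth", MAC, "sw2", 1),                    # the real user at the new location
    ("acct", "Stop", MAC, "sw1", 3),            # stale session finally closed
    ("auth", MAC, "sw2", 1),
]

if __name__ == "__main__":
    for decision in replay(EVENTS):
        print(decision)
```

The table cannot tell the second and third requests apart: both are the same MAC arriving on a new port while a session is still open, so the moved user is rejected until the old switch sends a Stop.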