hi , This is a very basic thing that can be handled with some efforts :- When you are not in position to use 802.1x ( which is also not a vulernable proof to spoofing attacks ) . Use MAB as a auth mechanism but dont make it a requirement to authentication but not the only condition to authenticate . After MAB success you have to use upper layer to mitigate the Mac spoofing, use MOD_AUTH_RADIUS https://freeradius.org/sub_projects/ . ( link to the mod ) Now you can use apache ( webserver as radius client ) now bind certain vulernable easy to spoof parametres to cookies and sent it as cookies to the browser this way your mab can be authenticated in itself . i.e.. consider only the clients with this cookies as the authentic holder of that mac . This will helo you By using simultaneous use and all you will find yourself in trouble while implementing roaming ( i faced it ) On Fri, Feb 8, 2019 at 1:42 AM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 7, 2019, at 3:10 PM, Carlos Bordon <cgermanb@live.com.ar> wrote:
Hi! i have a problem with this vulnerability, i need mitigate it.
I have ine server with freeradius, other with dhcp and they are connect
to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x. the problem that i want to resolve is to mitigate mac spoofing on layer two.
For us is the same mitigate the problem on the radius or the swicht config.
Do you guys know any idea?
Use 802.1X.
The MAC address can always be spoofed on the client machine.
If you can't use 802.1X, then you need to track known MAC addresses. And if a MAC is online, disallow the same MAC from getting on the network again.
There's really very little you can do with unsecured and unsafe network protocols.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html