Hi! i have a problem with this vulnerability, i need mitigate it. I have ine server with freeradius, other with dhcp and they are connect to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x. the problem that i want to resolve is to mitigate mac spoofing on layer two. For us is the same mitigate the problem on the radius or the swicht config. Do you guys know any idea? Best regards, Say hi for your sisters!
On Feb 7, 2019, at 3:10 PM, Carlos Bordon <cgermanb@live.com.ar> wrote:
Hi! i have a problem with this vulnerability, i need mitigate it.
I have ine server with freeradius, other with dhcp and they are connect to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x. the problem that i want to resolve is to mitigate mac spoofing on layer two. For us is the same mitigate the problem on the radius or the swicht config.
Do you guys know any idea?
Use 802.1X. The MAC address can always be spoofed on the client machine. If you can't use 802.1X, then you need to track known MAC addresses. And if a MAC is online, disallow the same MAC from getting on the network again. There's really very little you can do with unsecured and unsafe network protocols. Alan DeKok.
hi , This is a very basic thing that can be handled with some efforts :- When you are not in position to use 802.1x ( which is also not a vulernable proof to spoofing attacks ) . Use MAB as a auth mechanism but dont make it a requirement to authentication but not the only condition to authenticate . After MAB success you have to use upper layer to mitigate the Mac spoofing, use MOD_AUTH_RADIUS https://freeradius.org/sub_projects/ . ( link to the mod ) Now you can use apache ( webserver as radius client ) now bind certain vulernable easy to spoof parametres to cookies and sent it as cookies to the browser this way your mab can be authenticated in itself . i.e.. consider only the clients with this cookies as the authentic holder of that mac . This will helo you By using simultaneous use and all you will find yourself in trouble while implementing roaming ( i faced it ) On Fri, Feb 8, 2019 at 1:42 AM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 7, 2019, at 3:10 PM, Carlos Bordon <cgermanb@live.com.ar> wrote:
Hi! i have a problem with this vulnerability, i need mitigate it.
I have ine server with freeradius, other with dhcp and they are connect
to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x. the problem that i want to resolve is to mitigate mac spoofing on layer two.
For us is the same mitigate the problem on the radius or the swicht config.
Do you guys know any idea?
Use 802.1X.
The MAC address can always be spoofed on the client machine.
If you can't use 802.1X, then you need to track known MAC addresses. And if a MAC is online, disallow the same MAC from getting on the network again.
There's really very little you can do with unsecured and unsafe network protocols.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Carlos Bordon <cgermanb@live.com.ar> wrote:
I have ine server with freeradius, other with dhcp and they are connect to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x. the problem that i want to resolve is to mitigate mac spoofing on layer two. For us is the same mitigate the problem on the radius or the swicht config.
With MAB there is absolutely no way to tell if the host using a MAC address is the actual host that has that burned-in-address (BIA). There are a few things you can do. First, use IP DHCP snooping and ARP inspection features on the edge switch. This will at least keep one host from spoofing many IP or MAC addresses without doing a DHCP transaction for each address, which slows an attacker down. You can also use edge switch port security features to limit the number of MAC addresses allowed on a single port to something reasonable. (While you are at it, see if you also have features to prevent DHCP starvation.) The second thing you can do is on the FreeRADIUS side, which is to use a Simultaneous Use database to prevent MAB requests from different ports at near the same time from being accepted. However, this can be problematic. If you are updating the Simultaneous Use database based on edge switch Accounting packets, then the edge switch may leave stale sessions open and continue to send updates after a host is unplugged and moved by the user to another port... especially if a minihub has been attached to the network and the link stays up. Then when the user gets to the place they have moved, they cannot get on the network because Simultaneous Use thinks they are an imposter. You have to check the behavior of your edge switches and do a lot of testing to make sure that this will work without problems. - List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7Cbjulin%40clarku.edu%7Cde5fbe120aad4dc42cb908d68d385551%7Cb5b2263d68aa453eb972aa1421410f80%7C1%7C1%7C636851670434206702&sdata=3LeffAboqhJgk5s%2Brs7hJav0ZZ47RNF6C3juRjRj%2BS8%3D&reserved=0
Hi, On Thu, Feb 07, 2019 at 08:10:30PM +0000, Carlos Bordon wrote:
I have ine server with freeradius, other with dhcp and they are connect to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x.[...]
I'm just curious; for what reason can you not use 802.1x? -HC
participants (5)
-
Alan DeKok -
arjun sharma -
Brian Julin -
Carlos Bordon -
Hans-Christian Esperer