How mitigate mac spoofing in mab

Alan DeKok aland at
Thu Feb 7 21:12:46 CET 2019

On Feb 7, 2019, at 3:10 PM, Carlos Bordon <cgermanb at> wrote:
> Hi! i have a problem with this vulnerability, i need mitigate it.
> I have ine server with freeradius, other with dhcp and they are connect to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x. the problem that i want to resolve is to mitigate mac spoofing on layer two.
> For us is the same mitigate the problem on the radius or the swicht config.
> Do you guys know any idea?

  Use 802.1X.

  The MAC address can always be spoofed on the client machine.

  If you can't use 802.1X, then you need to track known MAC addresses.  And if a MAC is online, disallow the same MAC from getting on the network again.

  There's really very little you can do with unsecured and unsafe network protocols.

  Alan DeKok.

More information about the Freeradius-Users mailing list