How mitigate mac spoofing in mab
arjuniet.28 at gmail.com
Sat Feb 23 18:03:17 CET 2019
This is a very basic thing that can be handled with some effort:
When you are not in a position to use 802.1x (which is also not proof
against spoofing attacks), use MAB as an auth mechanism but don't make it
a requirement to authentication but not the only condition to authenticate.
After MAB success you have to use an upper layer to mitigate the MAC
spoofing; use MOD_AUTH_RADIUS https://freeradius.org/sub_projects/
(link to the mod).
Now you can use Apache (web server as RADIUS client). Now bind certain
vulnerable, easy-to-spoof parameters to cookies and send them as cookies to
the browser; this way your MAB can be authenticated in itself, i.e.
consider only the clients with these cookies as the authentic holder of
that MAC. This will help you.
By using simultaneous use and all, you will find yourself in trouble while
implementing roaming (I faced it).
On Fri, Feb 8, 2019 at 1:42 AM Alan DeKok <aland at deployingradius.com> wrote:
> On Feb 7, 2019, at 3:10 PM, Carlos Bordon <cgermanb at live.com.ar> wrote:
> > Hi! I have a problem with this vulnerability, I need to mitigate it.
> > I have one server with freeradius, another with dhcp, and they are connected
> > to a cisco 6800 switch. We authenticate the endpoint with mab, because we
> > can't use 802.1x. The problem that I want to resolve is to mitigate mac
> > spoofing on layer two.
> > For us it is the same to mitigate the problem on the radius or the switch.
> > Do you guys know any idea?
> Use 802.1X.
> The MAC address can always be spoofed on the client machine.
> If you can't use 802.1X, then you need to track known MAC addresses.
> And if a MAC is online, disallow the same MAC from getting on the network
> There's really very little you can do with unsecured and unsafe network
> Alan DeKok.
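The tracking suggested in the quoted reply (keep a table of MACs that are online and notice when the same MAC shows up somewhere else), as an added example that is not code from either post or from FreeRADIUS. The event shape, field names and sample values are assumptions; the check reports rather than rejects, since the first message notes that strict simultaneous-use enforcement gets in the way of roaming.

```python
import re

def norm_mac(value):
    """Canonicalise a Calling-Station-Id; NAS vendors format MACs differently."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return digits.lower()

def find_duplicate_macs(events):
    """Replay events in order; report MAB requests for a MAC already online elsewhere."""
    online = {}  # mac -> (nas, port) of the session accounting says is active
    alerts = []
    for ev in events:
        mac = norm_mac(ev["mac"])
        where = (ev["nas"], ev["port"])
        if ev["type"] == "acct-start":
            online[mac] = where
        elif ev["type"] == "acct-stop":
            # Clear only the session this Stop belongs to, so a late Stop from
            # an old port cannot erase a newer session on another port.
            if online.get(mac) == where:
                del online[mac]
        elif ev["type"] == "mab-auth":
            current = online.get(mac)
            if current is not None and current != where:
                alerts.append({"ts": ev["ts"], "mac": mac,
                               "online_at": current, "requested_at": where})
    return alerts

# Constructed sample events (hypothetical switch 192.0.2.10, made-up MACs).
NAS = "192.0.2.10"
SAMPLE_EVENTS = [
    {"ts": 100, "type": "mab-auth",   "mac": "00-11-22-33-44-55", "nas": NAS, "port": "Gi1/0/1"},
    {"ts": 101, "type": "acct-start", "mac": "00-11-22-33-44-55", "nas": NAS, "port": "Gi1/0/1"},
    {"ts": 150, "type": "mab-auth",   "mac": "00-11-22-33-44-55", "nas": NAS, "port": "Gi1/0/1"},  # re-auth, same port
    {"ts": 200, "type": "mab-auth",   "mac": "0011.2233.4455",    "nas": NAS, "port": "Gi1/0/7"},  # same MAC, second port
    {"ts": 300, "type": "acct-stop",  "mac": "00:11:22:33:44:55", "nas": NAS, "port": "Gi1/0/1"},
    {"ts": 310, "type": "mab-auth",   "mac": "00:11:22:33:44:55", "nas": NAS, "port": "Gi1/0/9"},  # moved after Stop
]

if __name__ == "__main__":
    for alert in find_duplicate_macs(SAMPLE_EVENTS):
        print(alert)
```

Only the request at ts 200 is reported: the re-authentication on the same port and the move that follows an Accounting-Stop are treated as normal.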