How mitigate mac spoofing in mab

arjun sharma arjuniet.28 at
Sat Feb 23 18:03:17 CET 2019

Hi,
This is a very basic thing that can be handled with some effort:

When you are not in a position to use 802.1x (which is also not a vulnerable
proof to spoofing attacks), use MAB as an auth mechanism but don't make it
a requirement to authentication but not the only condition to authenticate.
After MAB success you have to use an upper layer to mitigate the MAC
spoofing; use MOD_AUTH_RADIUS. (
link to the mod )

Now you can use Apache (web server as RADIUS client). Now bind certain
vulnerable, easy-to-spoof parameters to cookies and send them as cookies to
the browser; this way your MAB can be authenticated in itself, i.e.
consider only the clients with these cookies as the authentic holder of
that MAC. This will help you.

By using simultaneous use and all, you will find yourself in trouble while
implementing roaming (I faced it).

On Fri, Feb 8, 2019 at 1:42 AM Alan DeKok <aland at> wrote:

> On Feb 7, 2019, at 3:10 PM, Carlos Bordon <cgermanb at> wrote:
> >
> > Hi! I have a problem with this vulnerability, I need to mitigate it.
> >
> > I have one server with freeradius, another with dhcp, and they are
> > connected to a cisco 6800 switch. We authenticate the endpoint with mab,
> > because we can't use 802.1x. The problem that I want to resolve is to
> > mitigate mac spoofing on layer two.
> > For us it is the same to mitigate the problem on the radius or the switch
> > config.
> >
> > Do you guys know any idea?
>   Use 802.1X.
>   The MAC address can always be spoofed on the client machine.
>   If you can't use 802.1X, then you need to track known MAC addresses.
> And if a MAC is online, disallow the same MAC from getting on the network
> again.
>   There's really very little you can do with unsecured and unsafe network
> protocols.
>   Alan DeKok.

More information about the Freeradius-Users mailing list
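
The tracking that Alan DeKok's quoted reply describes (know which MACs are online, and treat a second appearance of an online MAC as suspect), sketched as an added example that is not code from the thread or from FreeRADIUS. It assumes accounting records have already been parsed into dicts keyed by RADIUS attribute name; the function names and sample records are hypothetical.

```python
import re

def normalize_mac(value):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return digits

def find_mac_conflicts(records):
    """Return a finding for each Start whose MAC is still online elsewhere.

    records: accounting records in arrival order, already parsed into dicts
    keyed by RADIUS attribute name (assumed input shape).
    """
    active = {}     # mac -> (session id, NAS address, port) of the open session
    conflicts = []
    for rec in records:
        mac = normalize_mac(rec["Calling-Station-Id"])
        where = (rec["NAS-IP-Address"], rec["NAS-Port-Id"])
        held = active.get(mac)
        if rec["Acct-Status-Type"] == "Start":
            if held and held[1:] != where:
                # Same MAC at a second location while the first session is
                # still open. A client that moved without sending a Stop
                # looks identical: the roaming problem noted in the post.
                conflicts.append({"mac": mac, "online_at": held[1:], "seen_at": where})
            else:
                active[mac] = (rec["Acct-Session-Id"],) + where
        elif rec["Acct-Status-Type"] == "Stop":
            if held and held[0] == rec["Acct-Session-Id"]:
                del active[mac]
    return conflicts

def _rec(status, session, mac, nas, port):
    return {"Acct-Status-Type": status, "Acct-Session-Id": session,
            "Calling-Station-Id": mac, "NAS-IP-Address": nas, "NAS-Port-Id": port}

# Constructed sample records (documentation addresses, made-up session ids).
SAMPLE = [
    _rec("Start", "a1", "00-11-22-AA-BB-CC", "192.0.2.10", "Gi1/0/1"),
    _rec("Start", "b1", "0011.22aa.bbdd", "192.0.2.10", "Gi1/0/2"),
    _rec("Start", "a2", "0011.22aa.bbcc", "192.0.2.10", "Gi1/0/7"),  # flagged
    _rec("Stop", "b1", "0011.22aa.bbdd", "192.0.2.10", "Gi1/0/2"),
    _rec("Start", "b2", "00:11:22:AA:BB:DD", "192.0.2.11", "Gi2/0/3"),  # clean move
]

if __name__ == "__main__":
    for finding in find_mac_conflicts(SAMPLE):
        print(finding)
```

The MAC is normalized first because the same address can arrive in dashed, dotted or colon notation and would otherwise be tracked as different clients.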