[EXTERNAL] How mitigate mac spoofing in mab
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Feb 26 04:12:36 CET 2019
> On Feb 9, 2019, at 1:58 AM, Carlos Bordon <cgermanb at live.com.ar> wrote:
>
>
> The second thing you can do is on the FreeRADIUS side, which is to use a Simultaneous Use
> database to prevent MAB requests from different ports at near the same time
> from being accepted. However, this can be problematic. If you are updating the
> Simultaneous Use database based on edge switch Accounting packets, then the
> edge switch may leave stale sessions open and continue to send updates after a host
> is unplugged and moved by the user to another port... especially if a minihub has
> been attached to the network and the link stays up. Then when the user gets to the
> place they have moved, they cannot get on the network because Simultaneous Use
> thinks they are an imposter.
>
> this is great!
> how can I do this?
So you read all the caveats and ways it can break and you're still enthusiastic? I feel for your users.
-Arran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20190226/a66585dd/attachment.sig>
More information about the Freeradius-Users
mailing list