How mitigate mac spoofing in mab


How mitigate mac spoofing in mab

Carlos Bordon

Hi! I have a problem with this vulnerability, and I need to mitigate it.

I have one server with FreeRADIUS and another with DHCP, and they are connected to a Cisco 6800 switch. We authenticate the endpoints with MAB because we can't use 802.1X. The problem I want to resolve is to mitigate MAC spoofing on layer two.
For us it is the same whether we mitigate the problem in the RADIUS or the switch config.

Do you have any ideas?

Best regards,
Say hi for your sisters!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How mitigate mac spoofing in mab

Alan DeKok-2
On Feb 7, 2019, at 3:10 PM, Carlos Bordon <[hidden email]> wrote:
>
> Hi! i have a problem with this vulnerability, i need mitigate it.
>
> I have ine server with freeradius, other with dhcp and they are connect to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x. the problem that i want to resolve is to mitigate mac spoofing on layer two.
> For us is the same mitigate the problem on the radius or the swicht config.
>
> Do you guys know any idea?

  Use 802.1X.

  The MAC address can always be spoofed on the client machine.

  If you can't use 802.1X, then you need to track known MAC addresses.  And if a MAC is online, disallow the same MAC from getting on the network again.

  There's really very little you can do with unsecured and unsafe network protocols.

  Alan DeKok.



Re: [EXTERNAL] How mitigate mac spoofing in mab

Brian Julin

Carlos Bordon <[hidden email]> wrote:

> I have ine server with freeradius, other with dhcp and they are connect to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x. the problem that i want to resolve is to mitigate mac spoofing on layer two.
> For us is the same mitigate the problem on the radius or the swicht config.

With MAB there is absolutely no way to tell if the host using a MAC address
is the actual host that has that burned-in-address (BIA).

There are a few things you can do.

First, use IP DHCP snooping and ARP inspection features on the edge switch.
This will at least keep one host from spoofing many IP or MAC addresses without
doing a DHCP transaction for each address, which slows an attacker down.
You can also use edge switch port security features to limit the number of
MAC addresses allowed on a single port to something reasonable.
(While you are at it, see if you also have features to prevent DHCP starvation.)

The second thing you can do is on the FreeRADIUS side, which is to use a Simultaneous Use
database to prevent MAB requests from different ports at near the same time
from being accepted.  However, this can be problematic.  If you are updating the
Simultaneous Use database based on edge switch Accounting packets, then the
edge switch may leave stale sessions open and continue to send updates after a host
is unplugged and moved by the user to another port... especially if a minihub has
been attached to the network and the link stays up.  Then when the user gets to the
place they have moved, they cannot get on the network because Simultaneous Use
thinks they are an imposter.

You have to check the behavior of your edge switches and do a lot of testing to
make sure that this will work without problems.


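Both Alan's suggestion (track known MACs and refuse a MAC that is already online) and Brian's Simultaneous-Use approach come down to the same bookkeeping: remember which MAC is active on which switch port, reject a MAB request for a MAC that is already active elsewhere, and age out sessions the switch never closed so a user who simply moved ports is not locked out forever. The following Python is an added example written for this thread, not FreeRADIUS code and not a recommendation from either poster. It models that bookkeeping with the standard RADIUS accounting attribute names (Acct-Status-Type, Calling-Station-Id, NAS-IP-Address, NAS-Port-Id, Acct-Session-Id); the MabSessionTracker class, the stale_after timeout, the switch addresses and all records are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


def normalize_mac(raw: str) -> str:
    """Cisco may send Calling-Station-Id as 00-11-22-33-44-55 or 0011.2233.4455;
    collapse every form to lower-case colon notation so lookups match."""
    hexdigits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Session:
    mac: str
    nas: str        # NAS-IP-Address of the edge switch
    port: str       # NAS-Port-Id of the access port
    session_id: str
    last_seen: float


class MabSessionTracker:
    """Hypothetical Simultaneous-Use style tracker fed by accounting records."""

    def __init__(self, stale_after: float = 600.0):
        # Seconds without Start/Interim-Update after which a session is dropped
        # (the switch may never send Stop when a host is unplugged).
        self.stale_after = stale_after
        self.sessions: dict[str, Session] = {}   # mac -> open session
        self.alerts: list[str] = []              # duplicate-MAC events for the SOC

    def _expire(self, now: float) -> None:
        for mac, s in list(self.sessions.items()):
            if now - s.last_seen > self.stale_after:
                del self.sessions[mac]

    def authorize(self, mac: str, nas: str, port: str, now: float) -> tuple[bool, str]:
        """Decision for an Access-Request: reject if the MAC is active on another port."""
        self._expire(now)
        mac = normalize_mac(mac)
        cur = self.sessions.get(mac)
        if cur is None or (cur.nas, cur.port) == (nas, port):
            return True, "no conflicting session"
        self.alerts.append(f"{mac} active on {cur.nas}/{cur.port}, requested from {nas}/{port}")
        return False, f"{mac} already active on {cur.nas}/{cur.port}"

    def accounting(self, rec: dict, now: float) -> str:
        """Update session state from one accounting record; returns 'ok' or 'ignored'."""
        self._expire(now)
        mac = normalize_mac(rec["Calling-Station-Id"])
        key = (rec["NAS-IP-Address"], rec["NAS-Port-Id"])
        cur = self.sessions.get(mac)
        if rec["Acct-Status-Type"] == "Stop":
            if cur and (cur.nas, cur.port) == key:
                del self.sessions[mac]
                return "ok"
            return "ignored"
        if rec["Acct-Status-Type"] not in ("Start", "Interim-Update"):
            return "ignored"
        if cur and (cur.nas, cur.port) == key:
            cur.last_seen = now          # keep-alive from the port that owns the session
            return "ok"
        if cur is None:
            self.sessions[mac] = Session(mac, key[0], key[1], rec["Acct-Session-Id"], now)
            return "ok"
        return "ignored"                 # accounting from a port that was refused


def run_demo() -> list[tuple[str, bool]]:
    """Constructed traffic: a duplicate MAC on a second port, then a stale session."""
    t = MabSessionTracker(stale_after=600)
    out: list[tuple[str, bool]] = []

    def req(label: str, mac: str, nas: str, port: str, now: float) -> None:
        out.append((label, t.authorize(mac, nas, port, now)[0]))

    def acct(status: str, mac: str, nas: str, port: str, sid: str, now: float) -> None:
        t.accounting({"Acct-Status-Type": status, "Calling-Station-Id": mac,
                      "NAS-IP-Address": nas, "NAS-Port-Id": port, "Acct-Session-Id": sid}, now)

    a, b, sw1, sw2 = "00-11-22-33-44-55", "aa-bb-cc-dd-ee-01", "10.0.0.1", "10.0.0.2"
    req("A first login", a, sw1, "GigabitEthernet1/0/1", 0)
    acct("Start", a, sw1, "GigabitEthernet1/0/1", "0001", 1)
    req("A duplicate on other port", "0011.2233.4455", sw1, "GigabitEthernet1/0/7", 60)
    acct("Stop", a, sw1, "GigabitEthernet1/0/1", "0001", 120)   # switch reports A leaving
    req("A after Stop", a, sw1, "GigabitEthernet1/0/7", 130)
    req("B login", b, sw2, "GigabitEthernet1/0/3", 200)
    acct("Start", b, sw2, "GigabitEthernet1/0/3", "0002", 201)  # no Stop ever follows
    req("B moved, session still open", b, sw2, "GigabitEthernet1/0/9", 500)
    req("B moved, session aged out", b, sw2, "GigabitEthernet1/0/9", 900)
    return out


if __name__ == "__main__":
    for label, accepted in run_demo():
        print(f"{label}: {'Accept' if accepted else 'Reject'}")
```

The stale timeout only helps when the switch stops sending accounting for the old port. In the minihub case Brian describes, where the link stays up and Interim-Updates keep arriving, the old session is refreshed indefinitely and the legitimate user stays locked out until someone clears the session by hand, which is why the switch-side behaviour has to be tested before relying on this.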

Re: How mitigate mac spoofing in mab

Hans-Christian Esperer
Hi,

On Thu, Feb 07, 2019 at 08:10:30PM +0000, Carlos Bordon wrote:
> I have ine server with freeradius, other with dhcp and they are connect to cisco 6800 swicht. We aunthenticate the endpoint with mab, because we cant use 802.1x.[...]

I'm just curious; for what reason can you not use 802.1x?

-HC

RE: [EXTERNAL] How mitigate mac spoofing in mab

Carlos Bordon

> The second thing you can do is on the FreeRADIUS side, which is to use a Simultaneous Use
> database to prevent MAB requests from different ports at near the same time
> from being accepted.  However, this can be problematic.  If you are updating the
> Simultaneous Use database based on edge switch Accounting packets, then the
> edge switch may leave stale sessions open and continue to send updates after a host
> is unplugged and moved by the user to another port... especially if a minihub has
> been attached to the network and the link stays up.  Then when the user gets to the
> place they have moved, they cannot get on the network because Simultaneous Use
> thinks they are an imposter.

This is great!
How can I do this?

Thanks!

________________________________
From: Freeradius-Users <freeradius-users-bounces+cgermanb=[hidden email]> on behalf of Brian Julin <[hidden email]>
Sent: Thursday, 7 February 2019 17:20
To: [hidden email]
Subject: Re: [EXTERNAL] How mitigate mac spoofing in mab
