Thank you so much, Jake, for your analysis.
You're right. My question concerns the case in which a mechanism was
implemented to return the registration VLAN on the switch port, and in my
configuration it does not work. That said, I will try 802.1X and will give
feedback!

Thank you everybody, have a nice day.

Best Regards,
Rosario Ippolito


2015-03-03 16:35 GMT+01:00 Sallee, Jake <[email protected]>:

> Dang it, made a typo.
>
> > With MAB you do need to assign a fake mac to a port and it can not then
> be read by someone like you described.
>
> Should be
>
> With MAB you do NOT need to assign a fake mac to a port and it can not
> then be read by someone like you described.
>
> Carry on.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: Sallee, Jake [[email protected]]
> Sent: Tuesday, March 03, 2015 9:31 AM
> To: [email protected]
> Subject: Re: [PacketFence-users] Port-Security and Violations Bug
>
> > We all know that MAC address security is not foolproof...
>
> THIS! So much of this!
>
> It is very important that anyone using any kind of MAC-based auth
> mechanism understands that MAC auth is NOT secure.  It is a useful tool,
> but it is not secure.
>
> MAC auth is useful and can, and should, be deployed in certain
> circumstances. However, if your requirements include security, MAC auth is
> off the table.  It is just too easy to spoof a MAC address.
>
> There are ways to mitigate MAC spoofing, though, but they are not
> foolproof and can cause trouble if not deployed carefully.
>
> Also, to the original poster's comments, why are you using SNMP-based auth
> when the switch supports MAB and 802.1X?
>
> See here:
> http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration_guide/3560_scg/sw8021x.html
>
> With MAB you do need to assign a fake mac to a port and it can not then be
> read by someone like you described.
>
> MAB is much better than SNMP auth, but it is still not acceptable for high
> security or sensitive environments.
>
> In short, the issue you are seeing is not a flaw in PF or any other
> product.  It is the result of using an authentication mechanism that was
> never designed with security in mind.
>
> Try using MAB and doing the same trick with your Slackware box; it should
> not work.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: Rosario Ippolito [[email protected]]
> Sent: Tuesday, March 03, 2015 8:32 AM
> To: [email protected]
> Subject: Re: [PacketFence-users] Port-Security and Violations Bug
>
> Hello Arthur,
> thanks for your help.
> I have sent the proof that PF puts the bogus MAC address back onto the
> port once a client disconnects, so I wonder if I have configured my
> port-security in the wrong way.
>
> I have configured port-security on the switches following the Network
> Devices Configuration guide, and this is my switch.conf file:
>
> [192.168.1.9]
> RoleMap=N
> mode=production
> cliUser=PF
> AccessListMap=N
> description=Catalyst_3560G
> type=Cisco::Catalyst_3560G
> cliPwd=xxxxxxx
> VoIPEnabled=N
> cliEnablePwd=xxxxxxxxx
> defaultVlan=1
> deauthMethod=SNMP
> StudentVlan=80
> radiusSecret=testing123
> StaffVlan=10
>
> [192.168.1.10]
> RoleMap=N
> mode=production
> StudentVlan=80
> AccessListMap=N
> description=Catalyst_3750
> type=Cisco::Catalyst_3750
> VoIPEnabled=N
> deauthMethod=SNMP
> defaultVlan=1
> radiusSecret=testing123
> StaffVlan=10
>
>
> Thanks a lot for your time..
>
> Regards,
> Rosario Ippolito
>
>
> 2015-03-03 15:07 GMT+01:00 Arthur Emerson <[email protected]>:
> On my PF 3.6 setup with wired Cisco switch ports, I do not believe
> that PF puts the bogus MAC address back onto the port once a client
> disconnects.  If the same client that was connected powers on again,
> the port is already set.  If a new client is connected, the MAC
> address doesn't match and it sends a trap to PF.  At least this is
> the way it appears to be working for me?
>
> We all know that MAC address security is not foolproof, so my $0.02
> (rounded down to zero in Canada?) is that you shouldn't be using MAB
> on your network if you are worried about someone booting up Slackware
> and probing a port to find a MAC address to spoof...
>
> -Arthur
>
> -------------------------------------------------------------------------
> Arthur Emerson III                 Email:      [email protected]
> Network Administrator              InterNIC:   AE81
> Mount Saint Mary College           MaBell:     (845) 561-0800 Ext. 3109
> 330 Powell Ave.                    Fax:        (845) 562-6762
> Newburgh, NY  12550                SneakerNet: Aquinas Hall Room 11
>
>
> From: Rosario Ippolito <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Tuesday, March 3, 2015 at 3:56 AM
> To: "[email protected]" <[email protected]>
> Subject: [PacketFence-users] Port-Security and Violations Bug
>
> Hello all,
> I'm sorry to write again about this problem, but I think it is relevant.
>
> I have configured PacketFence (ver 4.6) with Port-Security on a Cisco
> Catalyst 3560G switch, and when I plug in a device it works fine, that is,
> sending SNMP traps and setting the correct VLAN after authentication. When
> I disconnect the device, the switch port is set with the bogus MAC
> address, but the VLAN on the switch port is not modified. It would be more
> accurate if the switch port were set to the registration VLAN or MAC
> address detection VLAN, wouldn't it?
>
> Because with a Slackware OS, which is silent, if I connect the device to
> the port and sniff traffic, I see the CDP packets and I discover the
> switch port where I am connected. So, I know that PacketFence uses the
> bogus MAC; then I look at the guide, I read the bogus MAC and I set it on my
> Slackware device. The MAC address is secure by configuration, so I'm in
> the VLAN that was set before, receiving an IP address by DHCP, or simply
> sniffing traffic in that VLAN.
>
> When I do this, I note that in the "Location" section of the node in Nodes
> (from the web interface) there is nothing! That is, PacketFence can't see
> that there is a node connected that is doing traffic; so, even if I try to
> configure a violation by MAC address in violations.conf, and the violation
> is detected, nothing is done!
>
> Here is some output from the log files:
>
> ###########################
>
> packetfence.log
>
> (The moment at which I disconnected the device and the registration or
> MAC address detection VLAN was not set)
>
> Feb 26 18:24:34 pfsetvlan(5) INFO: Will try to check on this node's previous switch if secured entry needs to be removed. Old Switch IP: 192.168.1.9 (main::do_port_security)
> Feb 26 18:24:34 pfsetvlan(5) INFO: de-authorizing xx:xx:xx:xx:xx:xx (new entry 02:00:00:01:01:08) at old location 192.168.1.9 ifIndex 10108 (main::do_port_security)
> Feb 26 18:24:34 pfsetvlan(8) INFO: secureMacAddrViolation trap already in the queue for 192.168.1.9 ifIndex 10113. Won't add another one (main::signalHandlerTrapListQueued)
>
>
> ##############################
>
> violation.log
>
> 2015-03-02 18:57:32: MAC bogus OUI (1100022) detected on node 02:00:00:01:01:07 (0)
> 2015-03-02 18:57:32: MAC bogus gi0/7 (1100023) detected on node 02:00:00:01:01:07 (0)
>
> ##############################
>
> And this is my violations.conf
>
> [1100022]
> desc=MAC bogus OUI
> template=banned_devices
> trigger=VENDORMAC::131072
> actions=trap,log,role
> enabled=Y
> auto_enable=N
> target_category=Student
> max_enable=0
>
> [1100023]
> desc=MAC bogus gi0/7
> template=banned_devices
> trigger=MAC::2199023321351
> actions=trap,log,role
> enabled=Y
> auto_enable=N
> target_category=Student
>
> I also attach a picture of the configuration of the switch port after
> the device disconnects (gi0/11).
>
>
> Sorry again for my poor English.
>
> Can anyone help me with this issue?
> Thanks in advance for any help.
>
> Kind Regards,
> Rosario Ippolito
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now.
> https://urldefense.proofpoint.com/v2/url?u=http-3A__goparallel.sourceforge.net_&d=BQIFAw&c=Gpt0euE7zITENl5YkAGW3w&r=cNllUNvOSb_iAEjsFraP7MV__bF1L0JimhLwIyO3619rk_98amrNED1zl-1TxpQ6&m=zBhSU77wox70tmQmFCspVm8plSoU1JuuUAJIxJfzyoE&s=06HO3hxOnj91s8utVRIEco3xEqixp_csRSdbjeuC7Ss&e=
> _______________________________________________
> PacketFence-users mailing list
> [email protected]<mailto:
> [email protected]>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_packetfence-2Dusers&d=BQIFAw&c=Gpt0euE7zITENl5YkAGW3w&r=cNllUNvOSb_iAEjsFraP7MV__bF1L0JimhLwIyO3619rk_98amrNED1zl-1TxpQ6&m=zBhSU77wox70tmQmFCspVm8plSoU1JuuUAJIxJfzyoE&s=87dNtnuH92XEAPJDadYRgYBTXyzFgb7mF5dDACa1ofw&e=
>
>
>
>
>
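The violation triggers quoted in the thread (VENDORMAC::131072 and MAC::2199023321351) are the bogus OUI and the per-port bogus MAC written as decimal integers. The following is an added example, not code from the thread or from PacketFence, that decodes those triggers back into colon-hex form and cross-checks the violation.log lines against them, so an admin can confirm each violation rule actually targets the MAC the log reports; it assumes the trigger integer is the 48-bit MAC or 24-bit OUI in decimal, which is consistent with the values above (2199023321351 == 0x020000010107).

```python
import re
from configparser import ConfigParser

# Constructed input: the two trigger definitions from the violations.conf above.
VIOLATIONS_CONF = """
[1100022]
desc=MAC bogus OUI
trigger=VENDORMAC::131072
[1100023]
desc=MAC bogus gi0/7
trigger=MAC::2199023321351
"""

# Constructed sample in the violation.log format quoted above; the third line is
# made up to show a mismatch (a node MAC that does not match that violation's trigger).
VIOLATION_LOG = """
2015-03-02 18:57:32: MAC bogus OUI (1100022) detected on node 02:00:00:01:01:07 (0)
2015-03-02 18:57:32: MAC bogus gi0/7 (1100023) detected on node 02:00:00:01:01:07 (0)
2015-03-02 19:02:10: MAC bogus gi0/7 (1100023) detected on node 02:00:00:01:01:08 (0)
"""

def decode_trigger(trigger):
    """'MAC::<n>' -> 48-bit MAC, 'VENDORMAC::<n>' -> 24-bit OUI, as colon-hex.
    Assumption: <n> is the address in decimal (2199023321351 == 0x020000010107)."""
    kind, value = trigger.split("::", 1)
    width = 12 if kind == "MAC" else 6
    hexstr = f"{int(value):0{width}x}"
    return kind, ":".join(hexstr[i:i + 2] for i in range(0, width, 2))

def load_triggers(conf_text):
    """Map each violation id to its decoded (kind, address) trigger."""
    cp = ConfigParser()
    cp.read_string(conf_text)
    return {vid: decode_trigger(cp[vid]["trigger"]) for vid in cp.sections()}

# Pulls the violation id and the node MAC out of a violation.log line.
LOG_RE = re.compile(r"\((\d+)\) detected on node ([0-9A-Fa-f:]{17})")

def audit_log(log_text, triggers):
    """Check that the node MAC in each log line matches the trigger that fired.
    Returns one (violation id, node MAC, consistent) tuple per matched line."""
    results = []
    for m in LOG_RE.finditer(log_text):
        vid, mac = m.group(1), m.group(2).lower()
        kind, addr = triggers[vid]
        # A MAC trigger must match exactly; a VENDORMAC trigger only the OUI prefix.
        ok = mac == addr if kind == "MAC" else mac.startswith(addr)
        results.append((vid, mac, ok))
    return results
```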