> We all know that MAC address security is not foolproof... THIS! So much of this!
It is very important that anyone using any kind of MAC based auth mechanism to understand that MAC auth is NOT secure. It is a useful tool, but it is not secure. MAC auth is useful and can, and should, be deployed in certain circumstances. However if your requirements contain security MAC auth is off the table. It is just too easy to spoof a MAC address. There are ways to mitigate MAC spoofing though, but they are not fool proof and can cause trouble if not deployed carefully. Also, to the original posters comments, why are you using SNMP based auth when the switch supports MAB and 802.1x? See here: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.cisco.com_c_en_us_td_docs_switches_lan_catalyst3560_software_release_12-2D2-5F55-5Fse_configuration_guide_3560-5Fscg_sw8021x.html&d=BQIFAw&c=Gpt0euE7zITENl5YkAGW3w&r=cNllUNvOSb_iAEjsFraP7MV__bF1L0JimhLwIyO3619rk_98amrNED1zl-1TxpQ6&m=zBhSU77wox70tmQmFCspVm8plSoU1JuuUAJIxJfzyoE&s=Nk9hcrKfW1jQbNQL0rZtjw-LUOC3Sfekrc-DJ0bFn0M&e= With MAB you do need to assign a fake mac to a port and it can not then be read by someone like you described. MAB is much better than SNMP auth, but it is still not acceptable for high security or sensitive environments. In short, the issue you are seeing is not a flaw in PF or any other product. It is a the result of using an authentication mechanism that was never designed with security in mind. Try using MAB and doing the same trick with your slackware box, it should not work. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor WWW.UMHB.EDU 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________ From: Rosario Ippolito [[email protected]] Sent: Tuesday, March 03, 2015 8:32 AM To: [email protected] Subject: Re: [PacketFence-users] Port-Security and Violations Bug Hello Arthur, thanks for your help. I have sent the proof that PF puts the bogus MAC address back onto the port once a client disconnects.. so, I wonder if I have configured in wrong way my port-security... I have configured port-security on the switches following the Network Devices Configurations, and this is my switch.conf file: [192.168.1.9] RoleMap=N mode=production cliUser=PF AccessListMap=N description=Catalyst_3560G type=Cisco::Catalyst_3560G cliPwd=xxxxxxx VoIPEnabled=N cliEnablePwd=xxxxxxxxx defaultVlan=1 deauthMethod=SNMP StudentVlan=80 radiusSecret=testing123 StaffVlan=10 [192.168.1.10] RoleMap=N mode=production StudentVlan=80 AccessListMap=N description=Catalyst_3750 type=Cisco::Catalyst_3750 VoIPEnabled=N deauthMethod=SNMP defaultVlan=1 radiusSecret=testing123 StaffVlan=10 Thanks a lot for your time.. Regards, Rosario Ippolito 2015-03-03 15:07 GMT+01:00 Arthur Emerson <[email protected]<mailto:[email protected]>>: On my PF 3.6 setup with wired Cisco switch ports, I do not believe that PF puts the bogus MAC address back onto the port once a client disconnects. If the same client that was connected powers on again, the port is already set. If a new client is connected, the MAC address doesn't match and it sends a trap to PF. At least this is the way it appears to be working for me? We all know that MAC address security is not foolproof, so my $0.02 (rounded down to zero in Canada?) is that you shouldn't be using MAB on your network if you are worried about someone booting up Slackware and probing a port to find a MAC address to spoof... -Arthur ------------------------------------------------------------------------- Arthur Emerson III Email: [email protected]<mailto:[email protected]> Network Administrator InterNIC: AE81 Mount Saint Mary College MaBell: (845) 561-0800 Ext. 3109<tel:%28845%29%20561-0800%20Ext.%203109> 330 Powell Ave. Fax: (845) 562-6762<tel:%28845%29%20562-6762> Newburgh, NY 12550 SneakerNet: Aquinas Hall Room 11 From: Rosario Ippolito <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Tuesday, March 3, 2015 at 3:56 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: [PacketFence-users] Port-Security and Violations Bug Hello all, I'm sorry to write again about this problem, but I thinks it is relevant. I have configured PacketFence (ver 4.6) with Port-Security in a cisco switch catalyst 3560g, and when I plug a device it works fine, that is, sending snmp traps and setting the correct vlan after authentication. When I disconnect the device, the switch port is setted with the bogus MAC address, but the vlan on the switch port is not modified. It would be more accurate if the switch port were set with the registrations vlan or MAC address detections vlan, is not it? Because with a Slackware OS, that is silent, if I connect the device to the port and sniff traffic, I see the cdp packets, and I discover the switch port where I am connected. So, I know that PacketFence uses the bogus mac, then I look the Guide, I read the bogus MAC and I set it in my Slackware device. The Mac address is secure by configuration ..so .. I'm in the vlan that was setted before, receiving a IP address by DHCP, or simply sniffing traffic in that vlan. When do this.. I note that in the "Location" section of the node in Nodes (from web interface) there is nothing! That is, PacketFence can't see that there is a node connected that doing traffic.. so, even if I try to configure a violation by MAC address in violations.conf, and the violation is detected, nothing is done! There is some output from log file: ########################### packetfence.log (The moment in which I have disconnected the device and is not setted the registrations or MAC address detections vlan) Feb 26 18:24:34 pfsetvlan(5) INFO: Will try to check on this node's previous switch if secured entry needs to be removed. Old Switch IP: 192.168.1.9 (main::do_port_security) Feb 26 18:24:34 pfsetvlan(5) INFO: de-authorizing xx:xx:xx:xx:xx:xx (new entry 02:00:00:01:01:08) at old location 192.168.1.9 ifIndex 10108 (main::do_port_security) Feb 26 18:24:34 pfsetvlan(8) INFO: secureMacAddrViolation trap already in the queue for 192.168.1.9 ifIndex 10113. Won't add another one (main::signalHandlerTrapListQueued) ############################## violation.log 2015-03-02 18:57:32: MAC bogus OUI (1100022) detected on node 02:00:00:01:01:07 (0) 2015-03-02 18:57:32: MAC bogus gi0/7 (1100023) detected on node 02:00:00:01:01:07 (0) ############################## And this is my violations.conf [1100022] desc=MAC bogus OUI template=banned_devices trigger=VENDORMAC::131072 actions=trap,log,role enabled=Y auto_enable=N target_category=Student max_enable=0 [1100023] desc=MAC bogus gi0/7 template=banned_devices trigger=MAC::2199023321351 actions=trap,log,role enabled=Y auto_enable=N target_category=Student I also attach the picture of the configuration of the switch port after the device disconnect.. (gi0/11) Sorry again for my poor english.. Can anyone help me about this issue? Thanks in advanced for any help.. Kind Regards, Rosario Ippolito ------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. https://urldefense.proofpoint.com/v2/url?u=http-3A__goparallel.sourceforge.net_&d=BQIFAw&c=Gpt0euE7zITENl5YkAGW3w&r=cNllUNvOSb_iAEjsFraP7MV__bF1L0JimhLwIyO3619rk_98amrNED1zl-1TxpQ6&m=zBhSU77wox70tmQmFCspVm8plSoU1JuuUAJIxJfzyoE&s=06HO3hxOnj91s8utVRIEco3xEqixp_csRSdbjeuC7Ss&e= _______________________________________________ PacketFence-users mailing list [email protected]<mailto:[email protected]> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_packetfence-2Dusers&d=BQIFAw&c=Gpt0euE7zITENl5YkAGW3w&r=cNllUNvOSb_iAEjsFraP7MV__bF1L0JimhLwIyO3619rk_98amrNED1zl-1TxpQ6&m=zBhSU77wox70tmQmFCspVm8plSoU1JuuUAJIxJfzyoE&s=87dNtnuH92XEAPJDadYRgYBTXyzFgb7mF5dDACa1ofw&e= ------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
