> On Jul 6, 2017, at 05:18, 沧海云帆 via PacketFence-users
> <[email protected]> wrote:
>
> Hello,
> I'm testing PacketFence version 7.1.0, and I have an issue: how to
> prevent a stolen MAC from accessing the network.
> For example:
> environment: user auth with Microsoft Active Directory
> switches: Cisco 2960G and SG300
>
> domain computer name: [email protected]
> registered mac: 40:16:7e:76:c9:10
> I take another laptop and change the MAC address to 40:16:7e:76:c9:10, and
> this laptop can access the network.
>
> I want to know how you can avoid this phenomenon. Can PacketFence
> authenticate domain computers so that only domain computers can be
> validated?
> Thank you!

Any form of network access control that relies on the MAC as an identifier is
vulnerable to spoofing.

The only way to prevent it is to enforce a method that requires authentication
based on something known (e.g. a password) or something owned (e.g. a
certificate).

Practically speaking this means 802.1x with a password (which can be changed if
the device is stolen) or with a certificate (i.e. EAP-TLS) which you can revoke.

Regards,
--
Louis Munro
[email protected] <mailto:[email protected]> :: www.inverse.ca
<http://www.inverse.ca/>
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu/>) and
PacketFence (www.packetfence.org <http://www.packetfence.org/>)
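
Added example, not part of the original message and not PacketFence code: a simplified Python model of the point made in the reply, contrasting an access decision keyed only on the MAC with one that requires proof of a per-device secret that can be revoked. The `Nac` class, its methods and the HMAC challenge-response are assumptions standing in for 802.1X credentials; this is not an EAP implementation.

```python
import hashlib
import hmac
import os
import re

def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class Nac:
    """Toy access controller (hypothetical, for illustration only)."""

    def __init__(self):
        self.registered = set()  # MACs allowed by the MAC-only policy
        self.secrets = {}        # MAC -> secret (stands in for password or private key)
        self.revoked = set()     # MACs whose credential has been revoked

    def enroll(self, mac: str) -> bytes:
        mac = normalize_mac(mac)
        self.registered.add(mac)
        self.secrets[mac] = os.urandom(32)
        return self.secrets[mac]  # installed on the legitimate device only

    def mac_only_auth(self, mac: str) -> bool:
        # The decision depends solely on a value the client chooses to send.
        return normalize_mac(mac) in self.registered

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh nonce per attempt

    def credential_auth(self, mac: str, nonce: bytes, response: bytes) -> bool:
        mac = normalize_mac(mac)
        secret = self.secrets.get(mac)
        if secret is None or mac in self.revoked:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the secret for this nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()
```

The MAC-only check accepts any client presenting the registered address in any notation, while the credential check fails without the secret and fails for everyone once the entry is in `revoked`.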