Solved: Re: ISE CWA MAC spoof

ozgguler · ‎07-26-2018

Hi All

Is there any way to prevent Mac spoofing with ISE CWA guest access by cookies etc? Concern: If someone learns an authenticated guest's MAC address, he can spoof this MAC and connect to the SSID without authentication before session timeout.

Do we have a solution for this with ISE CWA?

gbekmezi-DD · ‎07-26-2018

This is a known limitation with anything MAC address based. If you are very concerned, you can require authentication every time a session is started instead of letting an endpoint on the network because it is in a particular endpoint identity group.

View solution in original post

Jason Kunst · ‎07-26-2018

Right, this is open guest network ☺ not really secure as it is.

If that’s a concern then don’t remember the MAC address and require login everytime. Or implement wpa-psk at a minimum

View solution in original post

gbekmezi-DD · ‎07-26-2018

This is a known limitation with anything MAC address based. If you are very concerned, you can require authentication every time a session is started instead of letting an endpoint on the network because it is in a particular endpoint identity group.

Jason Kunst · ‎07-26-2018

Right, this is open guest network ☺ not really secure as it is.

If that’s a concern then don’t remember the MAC address and require login everytime. Or implement wpa-psk at a minimum