Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1373
Views
0
Helpful
5
Replies

L2 attacks and 802.1X

kamarale1
Level 1
Level 1

‎05-07-2019 11:54 AM

Hello,

I was watching several L2 attacks like:

MAC flooding attacks/CAM table overflow
ARP Spoofing/PoisoningOther Security Subjects,
DHCP Server Spoofing
MAC address spoofing

Some of them can be mitigated with por example Port security others by DHCP snooping, etc

The question is with 802.1x wich of those attacks are mitigated? and which of them you need other security feature to prevent it.

Thank you
Regards.

Labels:
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎05-07-2019 12:07 PM - edited ‎05-07-2019 12:08 PM

There was a good presentation on L2 Attacks have a look :

 

https://www.cisco.com/c/dam/global/en_ae/assets/exposaudi2009/assets/docs/layer2-attacks-and-mitigation-t.pdf

 

802.1x supplicant help you, is this big network and do you ISE kind of tool to identify and put the port in disabled if any attacks will occur. ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

kamarale1
Level 1
Level 1
In response to balaji.bandi

‎05-09-2019 07:44 AM

Hello,

 

that does not answer my doubt.

I want to know if I enable 802.1x which of those attacks I am mitigating (besides all the benefits of 802.1x).

 

Regards

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to kamarale1

‎05-09-2019 11:32 AM

Sure it will be in short answer.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

kamarale
Level 1
Level 1
In response to balaji.bandi

‎05-10-2019 07:06 AM

Could you or anyone elaborate that answer?

 

For example I am not sure if enabling dot1x I am mitigatin ARP attacks, I think I should configure DAI besides dot1x.

 

Regards

 

 

0 Helpful

Mike.Cifelli
VIP Alumni
VIP Alumni

‎05-10-2019 07:33 AM

To expand on @balaji.bandi answer of yes it will mitigate the attacks: There are a ton of factors that play into the 8021x solution as a whole. Deploying/using different components would result in utilizing 8021x with different approaches. A few components and design considerations would include:
What type of protocol will you use in regard to eap?
Do you wish to authenticate both the user and computer or just one of them?
Will you allow mab as a fall back solution if 8021x process terminates for whatever reason?
What types of devices are in your environment?
What supplicant will you use on your end nodes?
How often do you wish end nodes/users to reauthenticate?

Using eap-tls is some fashion in your 8021x solution is one of the more secure methods. However, this requires you to have the ability to manage your own internal pki or utilize someone else. If you implement mab you can utilize your AAA server to manage L2 endpoint groups. One thing you may consider is configuring anomalous endpoint detection and enforcement if you use ISE. This would aide in identifying mac spoofing attempts. Basically if ISE determines that attributes obtained via probes have changed and a device gets re-profiled (even though it sees same MAC) you can configure CoA to shut port down, reauthenticate host, etc.

I hope this additional information helps you!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents