NAC and spoofed MAC addresses

Sam K
Level 1

Hello,

I was wondering what people's thoughts are; I have a question about NAC. If we have a dot1x-enabled port on a switch with a client that is successfully authenticated and authorised to connect to the network, the client's MAC address is entered into the IPDT table and of course also in the MAC address table.

If the successfully authenticated and authorised machine became compromised and started to flood the network with packets that have spoofed MAC addresses:

1) would all the spoofed MAC addresses enter the MAC address table filling it up and compromising the performance of the switch?

2) would all the MAC addresses enter the IPDT table, filling it up and compromising the performance of the switch?

3) would the dot1x port try and authenticate/authorise the spoofed MAC addresses against NAC?

Thanks for reading

Kind regards


nspasov
Cisco Employee

Hello Sam-

My answers below:

1) This can be avoided by properly securing the switch. For instance, with closed mode in 802.1x every single MAC address must be authenticated before it is allowed on the network. In addition, you can configure the switch to perform multi-domain authentication, where only 1 MAC address from the data network and 1 MAC address from the voice network are allowed on the switch port. Thus, any additional MAC addresses will be dropped. If 802.1x is not an option then you can use port-security and configure the switch to only allow a certain number of MAC addresses on the port. Once the limit is reached the port will go into error-disabled state.

2) Same as above

3) Same as above. Again, it really depends on how the port is configured. If you use multi-auth then an unlimited number of MAC addresses are allowed on the port. However, each MAC address will still need to authenticate before communication is allowed.

I hope this helps!

Thank you for rating helpful posts!
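The two port configurations the reply contrasts, written out as an added example (not part of the original posts, and not Cisco's reference configuration): a permissive port that lets a compromised host inject arbitrary source MACs, beside a port with closed-mode 802.1X in multi-domain host mode, and a port-security fallback for switches where 802.1X is not an option. Interface names, VLAN numbers and the IPDT limit are assumed values.

```text
! --- Permissive port (what the question describes) ---
! Open mode plus multi-auth: traffic flows before authentication, and
! every new source MAC the compromised host forges becomes a new
! session attempt, a new MAC table entry and a new IPDT entry.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 mab

! --- Hardened 802.1X port (closed mode, multi-domain) ---
! Closed mode is the default (no "authentication open"): nothing is
! forwarded until a session is authorised. Multi-domain admits exactly
! one data MAC and one voice MAC; "violation restrict" drops frames from
! any further MAC and logs a syslog/SNMP event instead of err-disabling
! the port, which keeps the legitimate session up and the spoofing visible.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 mab
 ! Assumed value: cap IPDT entries learned on this port (legacy IPDT
 ! syntax; newer IOS-XE uses a device-tracking policy with a limit).
 ip device tracking maximum 4

! --- Port-security fallback (no 802.1X) ---
! The MAC table itself is capped; the 3rd MAC err-disables the port.
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 5

! Let a shut-down port recover on its own instead of needing a manual reset.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! Checks that show whether forged MACs are being learned or rejected:
! show authentication sessions interface GigabitEthernet1/0/10
! show mac address-table interface GigabitEthernet1/0/10
! show ip device tracking interface GigabitEthernet1/0/10
! show port-security interface GigabitEthernet1/0/11
```

On the hardened port, a flood of forged source MACs shows up as violation counters and syslog events rather than as a growing MAC or IPDT table, which is the signal to pull the host from the network.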
