Introduction
Last week I went down an interesting rabbit hole of MAC address spoofing. I found that while the problem was well defined and easily researched, there were no simple prescriptive recipes for a solution. I thought it might be helpful to share this solution in the hopes it could be useful to others.
I would like to acknowledge the contributions of Marvin Rhoads for technical vetting and proofreading, and Brad Johnson (web page) for climbing down into the rabbit hole with me and lending his considerable expertise.
Summary
Media Access Control (MAC) addresses are commonly used to identify endpoints for access control and authorization on access layer networks that have yet to implement 802.1X (dot1x) device authentication. The problem with this approach is that MAC address spoofing is trivial to implement. However, with a defense-in-depth approach using basic tools and techniques, the risk and impact can be largely mitigated.
Diagnosis
Using a computer that does not send any attributes when connecting to the network, an attacker can gain authorization by spoofing the MAC address of a previously profiled device. This is specific to using MAC Address Bypass and profiling of IoT devices, such as IP phones and digital signage, for network authorization.
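The condition described above can be checked for by comparing what a session presents with what was stored when its MAC was profiled. The following is an added example, not code from the attached case study; the profile store, attribute names, MAC addresses and port names are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed profile store: the attributes each MAC presented when it was
# profiled. Names and values are assumptions made for this example.
PROFILED = {
    "02:00:00:00:00:01": {"dhcp-class-id": "example-ip-phone",
                          "lldp-system-desc": "Example IP Phone"},
    "02:00:00:00:00:02": {"dhcp-class-id": "example-signage"},
}

@dataclass
class Session:
    mac: str
    port: str
    attrs: dict = field(default_factory=dict)  # attributes seen this session

def normalize(mac: str) -> str:
    """Canonicalize a MAC written with ':', '-', '.' or no separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def assess(session: Session, profiled: dict = PROFILED) -> tuple:
    """Compare a session's attributes with the stored profile for its MAC."""
    expected = profiled.get(normalize(session.mac))
    if expected is None:
        return ("unprofiled", "MAC has no stored profile")
    seen = {k: v for k, v in session.attrs.items() if v}
    if not seen:
        # The case from the Diagnosis: a profiled MAC that sends nothing.
        return ("suspect", "profiled MAC connected but sent no attributes")
    changed = sorted(k for k in expected if k in seen and seen[k] != expected[k])
    if changed:
        return ("suspect", "attributes differ from profile: " + ", ".join(changed))
    missing = sorted(k for k in expected if k not in seen)
    if missing:
        return ("review", "attributes missing: " + ", ".join(missing))
    return ("consistent", "session matches stored profile")

if __name__ == "__main__":
    sessions = [  # constructed sessions
        Session("02:00:00:00:00:01", "Gi1/0/1", dict(PROFILED["02:00:00:00:00:01"])),
        Session("0200.0000.0001", "Gi1/0/7"),  # same MAC, no attributes
        Session("02-00-00-00-00-02", "Gi1/0/9", {"dhcp-class-id": "other-client"}),
    ]
    for s in sessions:
        print(s.port, *assess(s))
```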
Solution
Please see the attached case study, which includes supporting facts and analysis.