Detecting MAC spoofing using WLSE IDS feature

nizami.j
Level 1

Hi,

We are trying to detect and control MAC address spoofing by using the IDS feature in WLSE.

The WLSE user guide says the following:

The WDS, however, is in a position to detect when a valid client has had its MAC address spoofed. The WDS maintains a mapping of UserId to MAC address based on WLCCP registrations. Whenever the WDS detects an authentication taking place for a known MAC address, it verifies that the same UserId is being used. If the UserId does not properly match, the authentication is rejected.

We made a small test setup to verify whether WLSE is able to detect MAC spoofing.

One of the clients connects to the AP using a CISCO 350 series WLAN adapter. He is able to log on to the network. In the association table of the AP it shows 350 series radio under Device type and also shows the EAP user id under the name category.

The second client, having an inbuilt Intel 2200BG WLAN NIC, runs MAC address spoofing software and changes its own MAC address to that of the 350 Series WLAN card.

Almost immediately the first client loses its connectivity and the second client is connected to the network.

AP association table now shows the details of the second client. It shows the 4800 radio under device type and AP hostname under the Name category.

Please suggest if it is possible to control this type of MAC spoofing from WLSE?

The original set up is having 80 CISCO 1200 series APs (IOS ver 12.3(4)JA) with approx. 500 WLAN clients (various types of laptops). CISCO 1112 ACS, ver 3.3 acts as authentication server. Clients are authenticated using PEAP.

CISCO 1130 WLSE appliance ver 2.11 is for the WLAN management.

WLSE and APs are configured for radio and SNMP management. One of the APs is also configured as WDS.

Will appreciate any help on this.


wififofum
Level 4

Does the WLSE indicate a MAC Spoofing event? I have seen these and they appear to be triggered when the MAC association occurs on another AP in the WDS and the original registration has not cleared. Don't know what the SpoofUserId is yet.

Fault Details

IP Name Family Product Type SpoofClient SpoofIndex SpoofStaMacAddress SpoofUserId

10.16.27.10 mblk7s1ap1 Aironet AP 1210 MAC_spoof 21 00027846b92d 21
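
A small model of the UserId-to-MAC check quoted from the WLSE user guide in this thread, added here as an illustration; it is not Cisco code and not part of either post. The class and function names and the sample events are assumptions, and the replay also shows how the outcome depends on whether an earlier registration has been cleared.

```python
import re

def normalize_mac(mac):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class RegistrationTable:
    """Hypothetical model of a UserId-to-MAC mapping; not WDS or WLSE code."""
    def __init__(self):
        self._by_mac = {}  # normalized MAC -> (user_id, ap)

    def authenticate(self, mac, user_id, ap):
        mac = normalize_mac(mac)
        known = self._by_mac.get(mac)
        if known is not None and known[0] != user_id:
            return "rejected"  # known MAC, different UserId; entry kept
        self._by_mac[mac] = (user_id, ap)
        if known is None:
            return "registered"
        return "roamed" if known[1] != ap else "reauthenticated"

    def deregister(self, mac):
        self._by_mac.pop(normalize_mac(mac), None)

def replay(events):
    """Run (action, mac, user_id, ap) tuples through a fresh table."""
    table, results = RegistrationTable(), []
    for action, mac, user_id, ap in events:
        if action == "auth":
            results.append(table.authenticate(mac, user_id, ap))
        else:
            table.deregister(mac)
            results.append("cleared")
    return results

# Constructed events: the MAC, user names and AP names are made up.
SAMPLE = [
    ("auth", "02:00:00:00:00:01", "alice", "ap1"),
    ("auth", "0200.0000.0001", "alice", "ap2"),        # same user, another AP
    ("auth", "02-00-00-00-00-01", "mallory", "ap2"),   # same MAC, other UserId
    ("clear", "020000000001", None, None),
    ("auth", "02:00:00:00:00:01", "mallory", "ap2"),   # no entry left to compare
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", result)
```

In this model the mismatch is only visible while the original entry still exists; once it is cleared, the same MAC registers under a new UserId without any comparison taking place.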
