Web authentication and Mac spoofing

Gabriele01_2 · ‎10-01-2012

I have a 5508 WLC and some 3502i CAP.

I have configured a guest SSID with no encryption and Web Authentication.

If an attacker client use a spoofed mac address of a client correctly authenticated he can access without any authentication.

Is there anything i can do to prevent this?

Use MFP would be complicated since many client are not CCX v5 compliant.

George Stefanick · ‎10-01-2012

Welcome to the forums ..

What are you using for Web Auth, email, simple accept, logon ?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Gabriele01_2 · ‎10-02-2012

Thanks for the welcome

For Web Auth i use local user in the WLC created by lobby ambassador.

Scott Fella · ‎10-02-2012

Well for one, this is guest access, so they should not be able to access your internal network anyway correct. There also can only be one MAC address at one time. There also is a session timeout value which forces a login again and an idle timeout value. Like in any WebAuth out there, the guy that wants to hop on to a guest network would have to wait until the original user leaves.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***