10-01-2012 08:16 AM - edited 07-03-2021 10:44 PM
I have a 5508 WLC and some 3502i CAP.
I have configured a guest SSID with no encryption and Web Authentication.
If an attacker client uses a spoofed MAC address of a correctly authenticated client, he can access without any authentication.
Is there anything I can do to prevent this?
Using MFP would be complicated since many clients are not CCX v5 compliant.
10-01-2012 08:51 AM
Welcome to the forums.
What are you using for Web Auth: email, simple accept, logon?
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
10-02-2012 05:11 AM
Thanks for the welcome.
For Web Auth I use local user in the WLC created by lobby ambassador.
10-02-2012 06:24 AM
Well, for one, this is guest access, so they should not be able to access your internal network anyway, correct? There also can only be one MAC address at one time. There is also a session timeout value, which forces a login again, and an idle timeout value. Like in any WebAuth out there, the guy that wants to hop on to a guest network would have to wait until the original user leaves.
Sent from Cisco Technical Support iPhone App