We are trying to detect and control MAC address spoofing by using the IDS feature in WLSE.
WLSE user guide says following:
The WDS, however, is in a position to detect when a valid client has had its MAC address spoofed. The WDS maintains a mapping of UserId to MAC address based on WLCCP registrations. Whenever the WDS detects an authentication taking place for a known MAC address, it verifies that the same UserId is being used. If the UserId does not properly match, the authentication is rejected.
We made a small test setup to verify whether WLSE is able to detect MAC spoofing.
One of the clients connects to the AP using a CISCO 350 series WLAN adapter. He is able to log on to the network. In the association table of the AP it shows "350 series radio" under Device type and also shows the EAP user id under the Name category.
A second client, having an inbuilt Intel 2200BG WLAN NIC, runs MAC address spoofing software and changes its own MAC address to that of the 350 series WLAN card.
Almost immediately the first client loses its connectivity and the second client is connected to the network.
The AP association table now shows the details of the second client. It shows the "4800 radio" under Device type and the AP hostname under the Name category.
Please suggest if it is possible to control this type of MAC spoofing from WLSE?
The original setup has 80 CISCO 1200 series APs (IOS ver 12.3(4)JA) with approx. 500 WLAN clients (various types of laptops). A CISCO 1112 ACS, ver 3.3, acts as the authentication server. Clients are authenticated using PEAP.
A CISCO 1130 WLSE appliance, ver 2.11, is used for the WLAN management.
WLSE and APs are configured for radio and SNMP management. One of the APs is also configured as WDS.
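The WDS rule quoted from the user guide above, as an added simulation that is not Cisco code and not part of the original post: registrations build a MAC-to-UserId mapping, an authentication for a known MAC must present the same UserId, and the check only holds while the original registration has not cleared. All MACs, UserIds and AP names below are constructed.

```python
# Added example: a small simulation of the WDS UserId-to-MAC rule quoted from the
# WLSE user guide above. Not Cisco code; MACs, UserIds and AP names are constructed.
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Normalise 00:02:78:46:b9:2d / 0002.7846.b92d style MACs to 12 lowercase hex digits."""
    return mac.lower().replace(":", "").replace(".", "").replace("-", "")


@dataclass
class WdsSpoofGuard:
    """Keeps the guide's UserId<->MAC mapping and checks authentications against it."""
    mac_to_user: dict = field(default_factory=dict)   # MAC -> UserId from registrations
    alerts: list = field(default_factory=list)        # rejected authentications

    def authenticate(self, mac: str, user_id: str, ap: str) -> bool:
        """An authentication for a known MAC must carry the same UserId."""
        mac = norm_mac(mac)
        known = self.mac_to_user.get(mac)
        if known is not None and known != user_id:
            # Known MAC, different UserId: the guide's MAC-spoof condition.
            self.alerts.append({"ap": ap, "mac": mac, "registered": known, "presented": user_id})
            return False
        self.mac_to_user[mac] = user_id          # WLCCP registration recorded
        return True

    def clear(self, mac: str) -> None:
        """Registration aged out or client left; the mapping is forgotten."""
        self.mac_to_user.pop(norm_mac(mac), None)


def replay(events):
    """Run a constructed event list; returns the accept/reject verdict per auth event."""
    guard = WdsSpoofGuard()
    verdicts = []
    for ev in events:
        if ev[0] == "auth":
            verdicts.append(guard.authenticate(ev[1], ev[2], ev[3]))
        elif ev[0] == "clear":
            guard.clear(ev[1])
    return verdicts, guard.alerts


# Constructed scenario mirroring the test in the post: client 1 (350 card) logs on
# as PEAP user "user1"; client 2 spoofs the same MAC but authenticates as "user2".
SCENARIO = [
    ("auth", "00:40:96:aa:bb:cc", "user1", "ap1"),   # legitimate registration
    ("auth", "00:40:96:aa:bb:cc", "user1", "ap2"),   # same user roams to another AP: fine
    ("auth", "00:40:96:aa:bb:cc", "user2", "ap2"),   # spoofed MAC, other UserId: rejected
    ("clear", "00:40:96:aa:bb:cc"),                   # original registration clears...
    ("auth", "00:40:96:aa:bb:cc", "user2", "ap2"),   # ...and the rule no longer applies
]
```

Note that the rule fires only on an authentication carrying a UserId; once the legitimate registration has cleared, the spoofed MAC is accepted, which is the window the reply below describes.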
Does the WLSE indicate a MAC Spoofing event? I have seen these and they appear to be triggered when the MAC association occurs on another AP in the WDS and the original registration has not cleared. Don't know what the SpoofUserId is yet.
IP:                 10.16.27.10
Name:               mblk7s1ap1
Family:             Aironet
Product Type:       AP 1210
SpoofClient:        MAC_spoof
SpoofIndex:         21
SpoofStaMacAddress: 00027846b92d
SpoofUserId:        21