Hi Doc,

> One last question, can the MAC authentication be circumvented by
> spoofing the MAC? For example, I have 20 network printers which obviously I
> want to allow access on the network. Now if a user has their own
> personal laptop (which is not an authorized device), finds a printer MAC
> and spoofs the address, will PF detect this and deny access?
Yes. Because of the lack of authentication (only a MAC address is used), spoofing the MAC will effectively make PacketFence authorize you. Now, there are several things you can do to circumvent that problem.

First, having a printer VLAN with very strict ACLs allowing only access to the print servers and no Internet is a strong measure that would work right now.

Having said that, in the longer term we are working[1] on using the node category information and our own NetFlow/sFlow/IPFIX[2] analyzer to trap a device that spoofs a MAC but does not behave as a device of that category. For example: you spoof an IP phone's MAC and are put in the Voice VLAN; there the NetFlow analyzer watches you and expects that you will communicate solely with the phone server and other phones in the a.b.c.d/e subnet on specific ports. If you do anything else, you'll be isolated and presented the captive portal with remediation information, and the admins will be notified. Until printers support 802.1X or have browsers, this is the next best thing we've come up with.

> Does this have
> to do with configuring the maclock, first age mac arrival, and max mac
> entries on the port?

No, these parameters are there so that as soon as a MAC shows up, a security violation is sent to PacketFence. This is the way we use to get notified of a new user and react accordingly.

I hope I was able to address your concerns.

Have a good one!

[1] http://mtn.inverse.ca/branch/changes/org.packetfence.feature.netflow
[2] http://en.wikipedia.org/wiki/Netflow

--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
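The behavioural check described in the reply above (register a MAC into a node category, then watch its flows and trap any device that does not behave like that category), as an added example that is not part of the original message and not PacketFence's own NetFlow analyzer. The flow records, the MAC-to-category registry, the category policies, the addresses and the port ranges are all constructed for this illustration; a real deployment would feed it decoded NetFlow/sFlow/IPFIX records and the node table from PacketFence.

```python
"""Behavioural check for MAC-only authorised devices (added example, not PacketFence code).

MAC-only registration accepts any host that presents a printer or phone MAC.
The mitigation sketched in the reply: put the device in its category VLAN and
watch its flows. A "printer" that talks to anything but the print servers, or
a "phone" that talks to anything but the call server and other phones, is
flagged for isolation. Everything below (flows, registry, policies) is
constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class CategoryPolicy:
    """Where a device of this category is allowed to talk to.

    allowed_nets:  destination networks (hypothetical addressing)
    allowed_ports: (proto, low_port, high_port) ranges, inclusive
    """
    allowed_nets: tuple
    allowed_ports: tuple


# Hypothetical policies: an IP phone may only reach the call server and other
# phones in the voice subnet on SIP/RTP; a printer only the print servers on
# raw-9100/IPP.
POLICIES = {
    "voip": CategoryPolicy(
        allowed_nets=(ip_network("10.20.0.0/24"),),
        allowed_ports=(("udp", 5060, 5060), ("udp", 16384, 32767)),
    ),
    "printer": CategoryPolicy(
        allowed_nets=(ip_network("10.30.0.5/32"), ip_network("10.30.0.6/32")),
        allowed_ports=(("tcp", 9100, 9100), ("tcp", 631, 631)),
    ),
}

# Constructed stand-in for the PacketFence node table: MAC -> node category.
NODE_CATEGORY = {
    "00:11:22:33:44:55": "voip",
    "00:11:22:33:44:56": "voip",
    "00:aa:bb:cc:dd:01": "printer",
}


def flow_violation(flow, policy):
    """Return a reason string if the flow breaks the policy, else None."""
    dst = ip_address(flow.dst_ip)
    if not any(dst in net for net in policy.allowed_nets):
        return f"destination {flow.dst_ip} outside allowed networks"
    if not any(p == flow.proto and lo <= flow.dst_port <= hi
               for p, lo, hi in policy.allowed_ports):
        return f"{flow.proto}/{flow.dst_port} not an allowed service"
    return None


def analyze(flows, node_category=NODE_CATEGORY, policies=POLICIES):
    """Return {mac: [reasons]} for every MAC whose flows broke its category policy.

    A MAC missing from the registry has no category, so it is reported as
    such rather than silently allowed.
    """
    findings = {}
    for f in flows:
        category = node_category.get(f.src_mac)
        if category is None:
            reason = "unregistered MAC seen on the wire"
        else:
            reason = flow_violation(f, policies[category])
        if reason:
            findings.setdefault(f.src_mac, []).append(reason)
    return findings


def macs_to_isolate(flows):
    """MACs that should be moved to the isolation VLAN / captive portal."""
    return sorted(analyze(flows))


# Constructed flow records: two legitimate phone flows, then a laptop that
# spoofed that phone's MAC and browses the Internet over HTTPS, a legitimate
# print job, a spoofed printer MAC probing SMB on a file server, and a second
# phone behaving normally.
SAMPLE_FLOWS = [
    Flow("00:11:22:33:44:55", "10.20.0.40", "10.20.0.10", "udp", 5060),
    Flow("00:11:22:33:44:55", "10.20.0.40", "10.20.0.57", "udp", 20000),
    Flow("00:11:22:33:44:55", "10.20.0.40", "93.184.216.34", "tcp", 443),
    Flow("00:aa:bb:cc:dd:01", "10.30.0.40", "10.30.0.5", "tcp", 9100),
    Flow("00:aa:bb:cc:dd:01", "10.30.0.40", "10.0.5.20", "tcp", 445),
    Flow("00:11:22:33:44:56", "10.20.0.41", "10.20.0.10", "udp", 5060),
]

if __name__ == "__main__":
    for mac, reasons in analyze(SAMPLE_FLOWS).items():
        print(mac, "->", "; ".join(reasons))
```

The policy is deliberately a whitelist of destinations and services per category: the point of the reply is that a spoofed MAC still gets the category's VLAN, so the only signal left is whether the traffic looks like that category. The same structure serves the printer VLAN ACL recommendation, since a `CategoryPolicy` that lists only the print servers is exactly what the switch ACL would enforce; the difference is that the ACL blocks the flow, while the analyzer also tells you which MAC to isolate.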
