I just tested it.  Cross switch with RADIUS MAC auth, when one comes up,
the FDB entry is deleted on the other.  This only works if it is the same
vlan.  The switches are seeing the FDB entry on another port, and deleting
theirs.  If vlan mappings differ, they both stay authed.  In PF, the most
recent connection is in the location log and the others are closed out.

It seems like all the information is there to fashion simultaneous use
checking and use normal de-auth methods.  Right?


On Thu, Jul 11, 2013 at 11:08 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> We are using Mac radius.  Reason being Mac based vlans. We have
> several situations where a vmware vdi terminal is chained to an ip
> phone that is chained to a laptop or printer. All 3 of which we want on
> different vlans.  And with 10000 network ports, radius was the
> cleanest method.  Can you think of a way that sim use checking could
> be implemented?  If both nodes don't work, that is fine, we'd know
> someone is being bad at that point.
>
> Sent from my iPhone
>
> On Jul 11, 2013, at 11:03 AM, Francois Gaudreault
> <fgaudrea...@cloudops.com> wrote:
>
> > If two nodes have the same mac (Bob and Mallory) but you are using
> > port-sec, the switches will enter into an authorize/de-authorize fight
> > loop.  Technically, both parties should stop working as both will be
> > auth/deauth/auth/deauth/etc.
> >
> > In 802.1X, if Mallory spoofs the mac of Bob, Mallory still needs valid
> > domain credentials to login.
> >
> > In MAB, I don't think there are protections against that.  Both Mallory
> > and Bob would be authorized if they are not on the same switch.  And
> > this is why MAB should be only used for guests or for devices not on
> > critical vlans (aka printer vlan).
> >
> > Maybe some have other thoughts.  I guess the best way to validate all
> > that is for you to test the scenarios.
> >
> > On 2013-07-11 10:40 AM, Tim DeNike wrote:
> >> I was thinking about Mac spoofing.
> >>
> >> Sent from my iPhone
> >>
> >> On Jul 11, 2013, at 10:29 AM, Francois Gaudreault
> >> <fgaudrea...@cloudops.com> wrote:
> >>
> >>> Depends if you use port-sec or 802.1x/MAB.
> >>>
> >>> If you use port-sec, PF will put back the generic mac address on the
> >>> device's old port.  If you use 802.1x/mab, well as soon as you unplug
> >>> the cable, session is gone anyway so..
> >>>
> >>>
> >>> On 2013-07-11 9:51 AM, Tim DeNike wrote:
> >>>> Haven't tested it yet, but if the same mac shows up on another switch,
> >>>> will PF de-auth the other session?  What happens?
> >>>>
> >>>>
> >>>>
> ------------------------------------------------------------------------------
> >>>> See everything from the browser to the database with AppDynamics
> >>>> Get end-to-end visibility with application monitoring from AppDynamics
> >>>> Isolate bottlenecks and diagnose root cause in seconds.
> >>>> Start your free trial of AppDynamics Pro today!
> >>>>
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> PacketFence-users mailing list
> >>>> PacketFence-users@lists.sourceforge.net
> >>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >>>
> >>> --
> >>> Francois Gaudreault
> >>> Architecte de Solution Cloud | Cloud Solutions Architect
> >>> fgaudrea...@cloudops.com
> >>> 514-629-6775
> >>> - - -
> >>> CloudOps
> >>> 420 rue Guy
> >>> Montréal QC  H3J 1S6
> >>> www.cloudops.com
> >>> @CloudOps_
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> > --
> > Francois Gaudreault
> > Architecte de Solution Cloud | Cloud Solutions Architect
> > fgaudrea...@cloudops.com
> > 514-629-6775
> > - - -
> > CloudOps
> > 420 rue Guy
> > Montréal QC  H3J 1S6
> > www.cloudops.com
> > @CloudOps_
> >
> >
> >
>
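
The simultaneous-use check proposed at the top of this thread, sketched as an added example that is not part of the original messages or of PacketFence's own code. It assumes MAC-auth session events are available as (time, event, mac, switch, port, vlan) tuples; that layout, the function name and the sample events are hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events, not taken from a real location log.
# Assumed layout: (epoch_seconds, event, mac, switch, port, vlan).
EVENTS = [
    (1000, "start", "00:11:22:33:44:55", "sw1", 12, 10),
    (1600, "stop",  "00:11:22:33:44:55", "sw1", 12, 10),  # cable unplugged
    (1700, "start", "00:11:22:33:44:55", "sw2", 3, 10),   # clean move
    (2000, "start", "aa:bb:cc:dd:ee:ff", "sw1", 7, 20),
    (2030, "start", "aa:bb:cc:dd:ee:ff", "sw3", 9, 20),   # no stop seen on sw1
    (2045, "start", "aa:bb:cc:dd:ee:ff", "sw1", 7, 20),   # first device re-auths
    (2060, "start", "aa:bb:cc:dd:ee:ff", "sw3", 9, 20),
]

def find_simultaneous_use(events, window=120, min_flips=2):
    """Return {mac: [(time, old_location, new_location), ...]} for MACs that
    authenticate on a different switch/port while their previous session is
    still open, at least `min_flips` times within `window` seconds."""
    open_at = {}                    # mac -> (switch, port, vlan) of open session
    overlaps = defaultdict(deque)   # mac -> recent overlapping location changes
    flagged = {}
    for ts, event, mac, switch, port, vlan in sorted(events):
        mac = mac.lower()
        loc = (switch, port, vlan)
        if event == "stop":
            # Only close the session if the stop matches the open location.
            if open_at.get(mac) == loc:
                del open_at[mac]
            continue
        prev = open_at.get(mac)
        open_at[mac] = loc          # most recent connection becomes the open one
        if prev is None or prev[:2] == loc[:2]:
            continue                # first sighting, clean move, or re-auth in place
        recent = overlaps[mac]
        recent.append((ts, prev, loc))
        while recent and ts - recent[0][0] > window:
            recent.popleft()        # forget overlaps older than the window
        if len(recent) >= min_flips:
            flagged[mac] = list(recent)
    return flagged
```

With `min_flips=1` a single overlapping authentication is reported, which covers the differing-VLAN case described above where both ports stay authorized and no flapping occurs.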
