How can I set static ARP on DHCP to prevent MAC spoofing?
-
How can I set static ARP on DHCP to prevent MAC spoofing? I keep seeing duplicated logins to the captive portal with the same MAC address and I know this should not be. So I really want to prevent this by doing the aforementioned.
-
How does static ARP prevent spoofing? It prevents someone from using a different IP with the same MAC.
But for you to set that up, you have to know the MAC beforehand. Not sure how that would be the case with a captive portal and guest-type users.
So your concern is you have users that pay for time on your captive portal, and then what, give out their MAC address for someone else to use?
-
I have MAC authentication set up in the captive portal along with FreeRADIUS MAC auth, so users pass through the captive portal because their MAC addresses are configured in the FreeRADIUS2 MAC authentication tab. So they won't be presented with a portal page to log in; they just get logged in automatically.
-
And what would happen if you tried another way?
- FreeRADIUS >> internal or "private" WiFi
- Captive Portal >> external or guest WiFi
- OpenLDAP >> internal wired machines
So the Captive Portal must be used by the guest WiFi or Captive Portal users.
Would this be a way to go for you?
-
I just wanted to prevent persons from cloning their MAC address to someone that is added in FreeRADIUS2 in order to get internet access.
I have set simultaneous connections with this MAC to 1, but that's not an effective way to stop them.
What that does is kick off the legitimate users and give the hacker internet access.
Someone told me about static ARP, so that's why I wanted to try it out, but I am open to other advice.
-
So is it best to have an access point that has AP/client isolation as a feature?
I read that this could minimize the risk of hackers being able to scan the network for MACs.
As this feature would separate clients or put them in their own little network apart from one another.
-
So is it best to have an access point that has AP/client isolation as a feature?
In pfSense this could be activated too!!!!
I read that this could minimize the risk of hackers being able to scan the network for MACs.
No one is able to get a view inside of all other devices in that VLAN, such as the guest VLAN or another one.
As this feature would separate clients or put them in their own little network apart from one another.
If we both are guests at a hotspot system, and we both will be inserted into the same guest WiFi VLAN, and this feature or option is activated, I cannot have a look into your phone and vice versa! That's all.
-
In pfSense it cannot be activated as it doesn't support it. It only works if you have a wireless network card plugged in, then it can be enabled. Thus my only option is using an AP that supports that feature.
-
Not sure where you got the idea that isolation prevents finding MACs. While it keeps users from talking to each other, it sure doesn't stop the sniffing of MACs, which are in the clear, etc. You don't even have to be associated to find MACs.
-
"MAC spoofing" is a feature of Ethernet. Any device can claim to have any MAC address it wants, assuming it follows the standard. Since you can't trust the MAC address, I would not recommend using a MAC address to authenticate a user.
-
So my best option is to use username authentication instead of MAC, or buy an expensive Cisco switch and do port isolation, putting user MACs in their own little VLAN.
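-
Added example, not part of the original thread and not pfSense or FreeRADIUS code: since the thread concludes that a MAC cannot be trusted, one way to at least spot the duplicated logins is to look for sessions that share a MAC while differing in IP or DHCP hostname. The record layout, sample data and the function names `norm_mac` and `find_mac_conflicts` are assumptions made for this sketch.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample sessions: (mac, ip, dhcp_hostname, start, stop).
SESSIONS = [
    # Same MAC and same DHCP lease, but a second hostname while the first is online.
    ("aa:bb:cc:00:00:01", "10.0.0.21", "alice-phone", "2024-01-10 09:00", "2024-01-10 11:00"),
    ("AA-BB-CC-00-00-01", "10.0.0.21", "unknown-host", "2024-01-10 10:15", "2024-01-10 10:45"),
    # Normal reconnect: same device, sessions do not overlap.
    ("aa:bb:cc:00:00:02", "10.0.0.30", "bob-laptop", "2024-01-10 09:30", "2024-01-10 10:00"),
    ("aa:bb:cc:00:00:02", "10.0.0.30", "bob-laptop", "2024-01-10 10:05", "2024-01-10 12:00"),
    # Back-to-back sessions with an IP change: only flagged when slack is set.
    ("aa:bb:cc:00:00:03", "10.0.0.40", "carol-pc", "2024-01-10 08:00", "2024-01-10 09:00"),
    ("aa:bb:cc:00:00:03", "10.0.0.41", "carol-pc", "2024-01-10 09:00", "2024-01-10 10:00"),
]

def norm_mac(mac):
    """Lower-case and drop separators so AA-BB-.. and aa:bb:.. compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def find_mac_conflicts(sessions, slack=timedelta(0)):
    """Return (mac, a, b) for sessions that share a MAC, run concurrently
    (or within `slack` of each other) and differ in IP or hostname."""
    by_mac = {}
    for mac, ip, host, start, stop in sessions:
        by_mac.setdefault(norm_mac(mac), []).append((ip, host.lower(), ts(start), ts(stop)))
    conflicts = []
    for mac, rows in sorted(by_mac.items()):
        for a, b in combinations(sorted(rows, key=lambda r: r[2]), 2):
            concurrent = a[2] < b[3] + slack and b[2] < a[3] + slack
            if concurrent and a[:2] != b[:2]:  # compare (ip, hostname)
                conflicts.append((mac, a, b))
    return conflicts

if __name__ == "__main__":
    for mac, a, b in find_mac_conflicts(SESSIONS):
        print(f"{mac}: {a[1]}@{a[0]} overlaps {b[1]}@{b[0]} from {b[2]}")
```

With the simultaneous-connection limit of 1 described above, a takeover shows up as back-to-back sessions instead of overlapping ones, so pass a small `slack` to catch those as well.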