How can i set static arp on dhcp to prevent mac spoofing?

tripplex · Dec 22, 2016, 12:15 PM

How can i set static ARP on DHCP to prevent mac spoofing? I keep seeing duplicated login to captive portal with the same Mac address and i know this should not be. So i really want to prevent this by doing the aforementioned.

johnpoz · Dec 22, 2016, 12:22 PM

How does static arp prevent spoofing? It prevents someone from using different IP with the same mac..

But for you to set that up, you have to know the mac before hand. Not sure how that would be the case with captive portal and guest type users.

So your concern is you have users that pay for time on your captive portal, and then what give out their mac address for someone else to use?

tripplex · Dec 22, 2016, 2:14 PM

i have mac authentication setup in captive portal along with freeRadius mac auth so users pass through the captive portal because their mac address are configured in the freeRadius2 mac authentication tab. So wont be presented with a portal page to login they just get logged in automatically.

Guest · Dec 23, 2016, 5:02 PM

And what will happened if you trying out another way?

FeeRadius >> internal or "private" WiFI
Captive Portal >> external or guest WIFi
OpenLDAP >> internal wired machines

So the Captive Portal must be used by the guest WiFi or Captive Portal users.
Would this be a way to go for you?

tripplex · Dec 24, 2016, 12:01 AM

i just wanted to prevent persons from cloning their mac address to someone that is added in freeradius2 in order to get internet access.

I have set simultaneous connection with this mac to 1 but that's not a effective way to stop them.

what that does is kick off the legitimate users and give the hacker internet access.

Someone told me about static arp so that's why i wanted to try it out but i am open to other advice.

tripplex · Dec 26, 2016, 8:43 PM

So it is best to have a access point that has ap/client isolation as a feature?

I read that this could minimize the risk of hackers been able to scan the network for macs.

As this feature would separate or put clients in their own little network apart from one another.

Guest · Dec 26, 2016, 10:48 PM

So it is best to have a access point that has ap/client isolation as a feature?

In pfSense this could be activated too!!!!

I read that this could minimize the risk of hackers been able to scan the network for macs.

No one is able to get a view inside of all other devices in that vlan, such as the guest vlan or another one.

As this feature would separate or put clients in their own little network apart from one another.

If we both are guests art a hotspot system, and we both will be inserted intog the same guest WiFi VLAN, and this
Feature or Option is activated I can not have a look into oyur phone and vice versa! Thats all.

tripplex · Dec 27, 2016, 1:07 AM

in pfsense i cannot be activated as it doesn't support it. It only works if you have a wireless network card plugged in, then it can be enabled. Thus my only option is using AP that supports that feature.

johnpoz · Dec 27, 2016, 12:16 PM

Not sure where you got the idea that isolation prevents finding macs.. While it keeps users from talking to each other. It sure doesn't stop the sniff of macs which are in the clear, etc. You don't even have to be associated to find macs..

Harvy66 · Dec 27, 2016, 3:02 PM

"Mac spoofing" is a feature of Ethernet. Any device can claim to have any mac address they want, assuming it follows the standard. Sine you can't trust the mac address, I would not recommend using a mac address to authenticate a user.

tripplex · Dec 28, 2016, 7:30 AM

So my best option is to use user name authentication instead of Mac or buy expensive cisco switch and do port isolation putting user mac in their own little vlan.