GOAL:
1. prevent user to spoof boss mac address
because sometime user bypass mac acl by cloning boss mac address
in Cisco I can do this
QUESTIONS:
1. how to achieve that in Cambium
- ciscomac.png (23.9 KB)
Hi
Greetings!!
From the screenshot you have shared I can see that you have WPA2+ MAC filtering on cisco.
In same way you can configure on Cambium with WLAN> Basic >> Security as WPA2 Preshared Key and Under Access >> MAC Authentication permit the MAC address you wanted to allow.
Best Regards,
Gupta Bobby
1 Like
I set boss MAC address to be permitted
hacker can simply cloned that MAC address using kali kismet
Can you discuss with your backline engineer
tq
I assume the "boss MAC" is present on the wired side of the network. You can add a MAC ACL entry under WLAN->Access Control->Access Control Lists and deny packets with the source match matching the boss MAC in the "in" direction and permit everything else.
1 Like
Boss MAC address through Wifi not Wired
I can't deny Boss MAC address.
Boss always permit.
Maybe I am not so clear
Spoofing means someone clone Boss Wifi MAC address.
So that they always have permit access
From my understanding in your Cisco network your boss need to use his MAC Address and Wi-Fi password (WPA2-PSK).
A would be hacker capturing the MAC address alone wouldn’t grant them access to the network as they would need the Wi-Fi password as well.
As Gupta Bobby said this can also be achieved with Cambium by enabling both MAC address filtering and WPA2 password authentication.
As you rightly pointed out a MAC address is easily cloned and therefore should not be considered a strong security feature.
If your security conscious I would recommended using a strong Wi-Fi password (20+ characters). This makes it very difficult to bruteforce WPA2 using an offline dictionary attack even after capturing the 4 way handshake.
I can attack strong password using fluxion
https://www.youtube.com/watch?v=k_X375omYtM
It will clone real ssid and force user to connect to fake ssid.
Force user to key in their wpa2 password then allow them to connect internet
Then how to counter this kind of attack
tq
@nbctcp wrote:
I can attack strong password using fluxion
https://www.youtube.com/watch?v=k_X375omYtM
It will clone real ssid and force user to connect to fake ssid.
Force user to key in their wpa2 password then allow them to connect internet
Then how to counter this kind of attack
tq
If your users are being social-engineered out of their password then moving to some non-password based option would be best (certificates with WPA2-Enterprise for instance).
1 Like
Firefly is right, WPA2 enterprise is the better solution, the problem with WPA2 PSK is that there is no mutual authentication. Which is why the attack you described will work.
With WPA2 enterprise EAP-TLS is considered very secure as it offers mutual authentication and cerficiates are required for both the client and server.