Have a pen tester in, and he was able to get on the network in 20 seconds by spoofing the MAC address of a Cisco IP phone, which authenticates via MAB. I have conflict triggers on and enabled at the top of the MAB Service to deny spoof attempts; however, this one did not catch. After working with TAC I received the following info on Conflicts:

1. Conflicts trigger if the fingerprint from the same source changes over time, resulting in two different device profiles. Example: device is originally profiled as a computer when it first shows up on the network, but after spoofing the MAC of a printer, the endpoint DB will be updated as printer and the Conflict True flag is raised.
2. The fingerprinting from different sources results in two different device categories. Example: Profiled as a computer from DHCP fingerprinting, but profiled as a SmartDevice from HTTP fingerprinting.

With all of that being said, if a hacker comes on to your network and has never been seen before, and spoofs the address of a peripheral device (phone, printer, etc.) from the get-go, it seems there is no way to stop them, based on how conflict triggers work. ClearPass has never fingerprinted the device previously, so when it presents itself to ClearPass with the MAC of the phone it MAC Auths like the phone does.

Am I missing something, or is this a gaping hole in a NAC in general? Taking suggestions for other ways to prevent this.
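The two conflict rules quoted in the post, as a simplified model added here for illustration; this is not ClearPass code and not from the original poster. The `Endpoint`, `observe` and `mab_decision` names, the category strings, the MAC address and the assumption that the MAB decision reads only the conflict flag already stored for that MAC are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    by_source: dict = field(default_factory=dict)  # fingerprint source -> last category
    conflict: bool = False

def observe(ep: Endpoint, source: str, category: str) -> str:
    """Store one fingerprint; return which quoted rule raised the flag, if any."""
    rule = ""
    previous = ep.by_source.get(source)
    if previous is not None and previous != category:
        rule = "rule 1"   # same source, category changed over time
    elif any(c != category for s, c in ep.by_source.items() if s != source):
        rule = "rule 2"   # different sources disagree on the category
    ep.by_source[source] = category
    ep.conflict = ep.conflict or bool(rule)
    return rule

def mab_decision(db: dict, mac: str) -> str:
    """Assumed service logic: deny on the stored conflict flag, else allow a known MAC."""
    ep = db.get(mac)
    if ep is None:
        return "deny"
    return "deny" if ep.conflict else "allow"

def demo() -> dict:
    results = {}
    pc = Endpoint()
    observe(pc, "dhcp", "Computer")
    results["rule1"] = observe(pc, "dhcp", "Printer")          # TAC example 1
    mixed = Endpoint()
    observe(mixed, "dhcp", "Computer")
    results["rule2"] = observe(mixed, "http", "SmartDevice")   # TAC example 2
    # Constructed endpoint DB: the phone's MAC, profiled once by the real phone.
    phone_mac = "00:00:5e:00:53:01"
    db = {phone_mac: Endpoint()}
    observe(db[phone_mac], "dhcp", "VoIP Phone")
    # A never-seen device presents phone_mac. Nothing about that device has
    # been recorded, so the stored record is clean and neither rule has fired.
    results["first_auth"] = mab_decision(db, phone_mac)
    # In this model the flag flips only once a differing fingerprint is
    # recorded under that MAC, which is after the first authentication.
    results["later_rule"] = observe(db[phone_mac], "dhcp", "Computer")
    results["next_auth"] = mab_decision(db, phone_mac)
    return results

if __name__ == "__main__":
    print(demo())
```

In the model, both rules compare a new fingerprint against history stored for the same MAC, so a MAC whose record is clean at authentication time passes the conflict check.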