Is there a way to prevent MAC Address Spoofing on ZoneDirector 3000

We are using ZoneDirector 3000 in our environment and lately we noticed that one particular user whom we blocked from the network (because the user was hogging all the Internet bandwidth) keeps on re-joining the network but with different MAC addresses.

The user joins the network with a generic username login that we gave our contractors to access the wifi system (AD authentication), so we really cannot identify the person in our system because there are multiple users using the same generic account login.

We know that it's the same user who is repeatedly logging on to the network because he left a unique host name on his device so we can identify it, although we can see that the MAC address is changing several minutes after the device was blocked.

Our solution for now is to create individual accounts for the contractors so that we can easily identify the culprit rather than having them use a single generic account. However, it would be good to know if there is a way we can mitigate such instances on the ZoneDirector. If not on the ZoneDirector level, are there any suggestions where to apply a block that can prevent this? Has anybody here experienced the same problem before?

And does anyone know how many MAC ACL entries a ZoneDirector 3000 series can cater for?

Thanks guys

Tanski

Posted 7 months ago

itdept_head me

Yes, I deal with this on a daily basis in China. (Don't even talk to me about WIFI.com.)

It is almost impossible unless you employ AAA RADIUS, which has a record of all valid MACs.

We get round the 'contractor' problem by splitting out a contractor WIFI to a separate VLAN & SSID.
Each contractor gets a separate pw.

They don't play nice, we can rate limit all contractors in a couple of min, or ban a specific one.
Rate limiting a separate SSID prevents it impacting our own users.

Storing the ACL in the ZD is not always an option due to the stupidity that is "randomised MACs" on mobile devices, massive headache for management if in the ZD.

Also, fingerprinting is not reliable; Win 7, 8, 9, 10 & mobile all come as 1 print.
Some Android devices from China identify as Apple or Android.

Tanski

Thanks for the inputs

Monnat Systems, AlphaDog

ACL limit is actually on the AP, not on the ZD. Limit is 128 per SSID.

Tanski

Thanks for the information

Monnat Systems, AlphaDog

Your problem is not unique; however, there are a couple of ways of handling it to minimize the reoccurrences and limit IT/admin overhead.

1) Administrative solution: this involves coming up with procedures/guidelines/policy/do's & don'ts which clearly describe how user employees and contractor employees are supposed to operate (behave). Clearly written and correctly enforced, this results in limited or minimum re-occurrence.

2) Technical solution: some of the solutions are already shared in the post; however, you can make use of Ruckus DPSK/Zero IT as it will clearly 1) overcome the MAC ACL limitation, 2) MAC spoofing would be a thing of the past, 3) security gets hardened and un-breachable, 4) no need to maintain an external DB or servers for additional auth, this is all inbuilt in the ZD, 5) no more headache of maintaining/updating ACLs.

Hope this helps.

Tanski

Thanks Monnat for the suggestions.

We have not set up Ruckus DPSK/Zero IT yet; do you have any guide on how we could set this up? We only use Active Directory for authentication; does it require any other special hardware, like an AAA server perhaps?

Monnat Systems, AlphaDog

We only use Active Directory for Authentication, does it require any other special hardware like AAA server perhaps? -

No; however, for your needs you can use the local database on the controller, assuming that it's for contractors and no or limited access to corporate resources.

read here -- http://theruckusroom.typepad.com/files/dynamic-psk-fs.pdf

http://mytechblog.jarusnait.com/2014/05/wireless-dpsk-setup-with-ruckus-zone.html

itdept_head me

Sorry, but that is a dumb solution full of crazy assumptions.
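An added example, not part of any post in this thread and not Ruckus code: the check the original poster did by eye (one hostname reappearing under different MAC addresses), run over client association records, with each MAC also tested for the locally administered bit that randomised addresses set. The CSV layout, hostnames, MAC addresses and the one-hour window are constructed assumptions, not a ZoneDirector export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, client MAC, DHCP hostname, login account.
# This layout is an assumption, not a ZoneDirector export format.
SAMPLE_LOG = """\
2024-01-10T09:00:00,3c:22:fb:10:20:30,alice-laptop,contractor
2024-01-10T09:02:00,00:1b:63:aa:bb:01,DESKTOP-X1,contractor
2024-01-10T09:20:00,06:1b:63:aa:bb:02,DESKTOP-X1,contractor
2024-01-10T09:41:00,0a:5d:90:11:22:33,DESKTOP-X1,contractor
2024-01-10T10:05:00,3c:22:fb:10:20:30,alice-laptop,contractor
"""


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, as it is on
    randomised or manually assigned addresses."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def find_mac_rotation(log_text, window=timedelta(hours=1), min_macs=2):
    """Return {hostname: [(mac, locally_administered), ...]} for hostnames
    seen with at least min_macs distinct MACs inside one time window."""
    seen = defaultdict(list)  # hostname -> [(time, mac)]
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, mac, host, _user = row
        seen[host.lower()].append((datetime.fromisoformat(ts), mac.lower()))

    flagged = {}
    for host, events in seen.items():
        events.sort()
        for start, _ in events:
            macs = []  # distinct MACs in [start, start + window], in order
            for when, mac in events:
                if start <= when <= start + window and mac not in macs:
                    macs.append(mac)
            if len(macs) >= min_macs:
                flagged[host] = [(m, is_locally_administered(m)) for m in macs]
                break
    return flagged


if __name__ == "__main__":
    for host, macs in find_mac_rotation(SAMPLE_LOG).items():
        print(host, macs)
```

A hostname is a client-supplied value, so a hit here is a lead for investigation rather than proof of identity; per-user credentials, as suggested in the thread, are what tie a session to a person.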