Hi @Hugh22,

 

That's a good question.  Though I expect this type of exploit is generally pretty rare.  Most people don't care enough to go through all of this effort.

 

Based on my knowledge of network administration and management for more than 20+ years, my expectation is that there is not an easy way to block this.  The TP-Link EAP/Omada solution certainly doesn't offer any capability to prevent this.

 

There are a variety of things you can try -- but none of these are an ideal solution:

 

1) Aggressively throttle per device BW.  If you limit each client to 5 Mbit/sec or 10 Mbit/sec -- who cares how many such devices a user "clones" -- supported by Omada

 

2) Aggreesively limit Voucher duration, data DL capacity, etc.per user session / require more user identifying information (e.g. credit card, purchase, etc. to get a voucher

 

3) Use a 3rd party packet inspection and filtering solution to block access to the services (e.g. gaming, peer to peer file sharing, etc. that attract users who abuse the system in this way).

 

4) Identify / build a custom voucher solution (not sure if one is commercially available) which uses deep packet inspection (MAC, IP, TLS, AP, RSSI, etc. -- I haven't inspected packets in many years, I'm not sure what is all in there these days) which aggresively invalidates vouchers if packet anomalies are identified -- e.g. a MAC address which is being used by more than one IP address, for example.  Though this might impact tethering, too, which might be a legitimate use.

 

5) I would suspect that Enterprise class Wifi solutions for commercial business (for Cisco for example) might already have a method on blocking this -- step one would be to "external benchmark" and see how they do it -- if they can.

 

6) Monitor for abuse and ban -- certainly not ideal

 

But I'm just grasping at straws here.  I did a quick google search -- and found several ways to spoof my MAC address (-: -- but no immediate solutions to prevent this from occuring.

 

-Jonathan

Hi @Hugh22,

 

Are you concerned about MAC address spoofing of STA's (e.g. end user mobile clients)?  Or MAC address spoofing of AP's (e.g Honeypots?) -- for the purposes of scanning other users packets (in an attempt to steal their private information)

 

-Jonathan

Hi @Hugh22,

 

It looks like Cisco has a solution for this:

"Detect Anomalous Behavior of Endpoints" using Cisco ISE

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/Workflow/b_asset_visibility_2_4.html#concept_EAB7AB3B9BAE4A9E93A53A8282E20D88

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html#:~:text=The%20Anomalous%20Endpoint%20Detection%20feature,mark%20the%20endpoint%20as%20Anomalous.

 

https://www.cisco.com/c/m/en_us/products/security/advanced-malware-protection/competitive-comparison.html?CCID=cc000157&OID=otrsc000909&DTID=pseggl000015&POSITION=SEM&COUNTRY_SITE=us&CAMPAIGN=SC-08&CREATIVE=US_SEM_SEC_AMP_BMM_B_COA-GGL_0_Mid&LargeConverters_Targeting_ENG-Cisco-Endpoint&REFERRING_SITE=Google&KEYWORD=%2Bcisco%20%2Bendpoint&KWID=p38024539342&ds_rl=1253543&gclid=Cj0KCQjw_ez2BRCyARIsAJfg-kvqEyVWnfMZUuHE0j4cK-jdVzZ7GaCGs9CKCTKWROoEvAhaWKDlZXwaAg9tEALw_wcB&gclsrc=aw.ds

 

But, it's really a non-trivial problem.  You essentially need a high level network intelligence tool, which access to your entire network (from STA's to AP's to switches to L3 and above) with packet inspection to essentially "fingerprint" each end point (STA).  Look for anomalies same MAC with different IP's, same MAC on two different AP's or switch ports simultaneously, different end point "signature" identifiers, etc.  The software then is configured with one or more user access policies to address what to do with these anomalous STA's -- force re-authentication / voucher renewal, isolate them into a dead end VLAN, etc.

 

I don't know if TP-Link's new SDN software will support any of this capability.  But my guess would be no at the current price point. While I'm personally not a fan of Cisco gear, they've been the industry leader in networking and network security for 20+ years now.  No other vendor has sotware management and capabilitie as sophisticated, as over complicated, and as over priced as Cisco (-:

 

-Jonathan

 

Selling internet connection via wifi is the best way of business in my country. But how can you tell this is the best business if the others is connecting without paying? Too bad that my client sharing its internet connection for free to it’s family or friends by his authorization. The way that no one will avail my voucher😭😭😭. Sorry for my poor english☺️

Not much have knowledge on networking but do you think there is an option to isolate my ap ip address to prevent mac spoofing on my network? But even though there is, i think my client still willingly share his mac address or share his internet☺️ But anyway thanks jonathan i hope my client will not discover this internet sharing process. I’ve just discovered this process while experimenting in my small business network.

Hi @Hugh22,

 

Unfortunately, parts of the 802.11 standard just aren't secure / encrypted.  When a new STA associates with an AP frames are not encrypted -- even if WEP/WPA1/2/3 -- is enabled.  Initial handshakes are are open.  So anyone with a wireless NIC in packet sniffing mode can readily see the MAC addresses of STA's as they attemp to authenticate to the AP.  So a good paying customer does not need to knowing share their MAC address.  I can easily "sniff" it from the network, and then set my PC to use the same one.

 

There is nothing you can do on the AP, Omada, or switch level to stop this.  There might be 3rd part voucher solutions that are potentially more robust than what TP-Link offers.  But that's not my area of expertise.

 

-Jonathan

Hi @Hugh22,

 

I'm not sure how much time you spend manageing this.  But perhaps you have time if this is your business.  Is your network "Open" today, from a Wifi secuity perspective or are you using AES/WPA?

 

Many "public" wifi networks are "Open" because it is too much hassle to give users the password in addition to the voucher and even if there is a password often it never changes so once you know it you are good.

 

this link had an interesting idea:

add https community.ui.com/questions/Voucher-hotspot-based-guest-portal-open-or-WPA-wifi-security/819502a4-3342-402a-965d-9aa69c006edc

 

If you secure your networks with WPA2-PSK/personal.  And you change the password for the customer SSID every day (very simple, only takes a minute or so in Omada) -- you could change it evey few hours if you really wanted to.

 

Then when you print out the vouchers for each paying customer, print that day's WPA password on the voucher.

 

This way each paying customer needs two pieces of info to authenticate (password first, then voucher), and MOST of their network traffice will be encrypted.  This is more secure for your customers data, and significantly reduces the "foot print" of unencrypted network traffic making it moderately more difficult for a sniffer to pickup a good MAC address to spoof.

 

It doesn't prevent spoofing.  But cheats will need to get the password first in order to assoicate with the AP in order to use their spoofed MAC (which is associated with a good, non-expired voucher).

 

The more you can limit the duration of vouchers and liftime of the WPA password, the harder it will be for cheats to access the system.  And if they do, they will be cut off in an hour or two when their time runs out.

 

You could have, for example, multiple SSIDs -- up to 8 -- and randomly assign new vouchers to on of the SSID's with a hard to guess password that changes every day.  Print the voucher with the SSID, Password, and Voucher Code.  Of course this starts to become a lot of work.

 

Still, if you have a paying customer that knowingly shares his information, this "solution" won't help.  In this case DL/UL BW limitations and a voucher data cap is the best soln.  For example.  You bought 100GB.  i don't care how you use it, share it, but when it's used up you need another voucher.

 

I see many TP-Link customers from Asia and Europe using their products in a similar way to you.  It will be interesting to see if other users have come up with creative solutions.

 

-Jonathan

 

Hi @JSchnee21 thank you for this solution of my problem,thanks for the big help. ~Hugh22

@Hugh22 

 

I am from a very small town in the Philippines and I am using voucher system authentication so people near to my house could connect to my network. I discovered it myself that any authenticated device can share their connection through teathering or hotspot and I am very worried about this because I have data capping for my ISP. I just want to share that this kind of problem is just a tick box away using a simple SOHO router that costs much less than omada controller. I dont know if anyone here have tried MIKROTIK. It's very small but pwerfull and tons of configurations that you can do like dual ISP, voucher auth, vlans, pppoe, load balancing, qnd lot more. I hope this simple wifi teathering sharing problem of OMADA can be fixed. It's a lot of headache for people like me who is living with a limited data, and very low speeds (max of 30 Mbps and could drip to as low as 2 Mbps) tplink please help.