
I'm helping my school network administrator to try to find a way to mitigate a current ARP spoofing attack on our Wi-Fi network. We detected an unknown host (the MAC address seems to change; he is probably using mac-changer or something similar) sending forged ARP into the network.

After some discussion, we agreed to use a FreeRADIUS authentication server to make it easy to discover who is at the origin of the attack.

But as I'm not a security specialist (only an enthusiast) and don't know a lot about the RADIUS protocol, I wondered if the FreeRADIUS server could mitigate another ARP spoofing attack (if someday another student decides to try this kind of attack again), and how to configure it to do so.

schroeder
Dremor
  • Just to clarify, are we talking about a wired network, wireless network, or a mix? If it's wireless, what kind of security is it currently using? – tlng05 Mar 01 '15 at 13:42
  • We only have a Wi-Fi network on this VLAN. At the moment, we only use a WPA2 passphrase (pretty low security, I know, but we didn't really have security in mind then) – Dremor Mar 01 '15 at 14:55

1 Answer


No.

Let me give you a real-life example scenario. Let's say you are going to use JumpCloud to manage your RADIUS. You have to create users, and then those users are going to log in with their JumpCloud username/password. If among your users there is a disgruntled employee/student, once he/she is logged in he/she can still perform an ARP spoofing attack, and you need to investigate anyway.

While you investigate, you can see that the ARP spoofing is coming from IP address 10.58.0.240 using the MAC address 98:01:a7:b3:7e:ef, but you cannot tell if that machine was put on the network by Alice, Bob, Mike, etc.

So you cannot tell who is the disgruntled employee/student.

EDIT: The countermeasure you can take is this: set up an IDS (Intrusion Detection System), which can be hardware (Barracuda) or software (Snort, Suricata), that will push the machine that is performing the ARP spoofing out of the network.
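
One way to detect the forged ARP traffic discussed above, as an added example that is not part of the original answer or of any IDS product: parse raw ARP payloads and flag any sender whose IP-to-MAC claim contradicts a known binding. The gateway address and its MAC are constructed sample values, the second host's IP and MAC are the ones quoted in the answer, and all function names are hypothetical.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip) from a raw ARP payload, or None."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None  # truncated
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return oper, sha.hex(":"), socket.inet_ntoa(spa)

def find_conflicts(payloads, trusted=None):
    """Return (index, ip, known_mac, claimed_mac) for every contradicting claim.

    trusted: optional {ip: mac} of static bindings (e.g. the gateway) that
    are never overwritten by what is seen on the wire.
    """
    bindings = dict(trusted or {})
    pinned = set(bindings)
    alerts = []
    for n, payload in enumerate(payloads):
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        _oper, mac, ip = parsed
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac              # first sighting: learn the binding
        elif known != mac:
            alerts.append((n, ip, known, mac))
            if ip not in pinned:
                bindings[ip] = mac          # track the change so flip-flops alert again
    return alerts

def make_arp(oper, mac, ip):
    """Pack a constructed ARP payload used only as detector input."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(mac.replace(":", "")), socket.inet_aton(ip),
                       b"\x00" * 6, socket.inet_aton("0.0.0.0"))

GATEWAY_IP, GATEWAY_MAC = "10.58.0.1", "02:00:00:00:00:01"  # constructed values
SAMPLE = [  # constructed capture: two honest replies, then a forged gateway claim
    make_arp(2, GATEWAY_MAC, GATEWAY_IP),
    make_arp(2, "98:01:a7:b3:7e:ef", "10.58.0.240"),
    make_arp(2, "98:01:a7:b3:7e:ef", GATEWAY_IP),
]
```

Pinning the gateway through `trusted` keeps a forged reply from replacing the stored binding, so later honest replies from the gateway raise no alert.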