topic Re: ISE profiling and MAC address spoofing mitigation in Network Access Control

ISE profiling and MAC address spoofing mitigation

wiong — Wed, 20 Feb 2019 02:26:04 GMT

I am googling around trying to confirm on ISE profiling and mitigation against MAC address spoofing but I have not find a confirmed answer.

When a device connects, get profiled and identified what it is, the ISE screen will show up the endpoint information including what is this endpoint (Cisco IP phone, Ricoh printer, etc). Even if the device is subsequently disconnected, I can still see it on the ISE screen although it shows that it is disconnected. If I now plug a device into the network and spoofed that endpoint MAC address, will ISE re-profile again or just let the device in since it has been profiled previously and still in the ISE DB with the MAC address intact?

I read somewhere in ISE document that when a device has been profiled (which may takes several seconds initially), ISE will cache the information so that subsequently, when the endpoint reconnects again, the network connectivity establishment is faster since it does not need to re-profile again? If this is the case, anyone can easily get into the network by just spoofing the MAC address.

Re: ISE profiling and MAC address spoofing mitigation

Mohammed al Baqari — Wed, 20 Feb 2019 03:51:57 GMT

Hi,

If the device parameters change and the new ones sent to ISE (for example
in radius message while the switch is configured for device sensor), ISE
will reprofile the endpoint. The profile isn't one time activity, it keeps
checking whenever the device sends radius attributes to the it and in case
of changes, new profile is assigned.

Re: ISE profiling and MAC address spoofing mitigation

wiong — Wed, 20 Feb 2019 04:01:58 GMT

Hi Mohammed,
So if I configured the switch as a device sensor using RADIUS and let's say the ISE profiling identified the endpoint as a Cisco IP phone using the TLV parameters. Now a rouge device spoofed it's MAC address but does not advertise the TLV value connects to the switch, the switch will send a RADIUS request again to ISE, ISE will re-profile the endpoint, checked the TLV value is changed and block the switch port to this rouge endpoint?

Re: ISE profiling and MAC address spoofing mitigation

Mohammed al Baqari — Wed, 20 Feb 2019 07:32:57 GMT

Yes this is correct.

Re: ISE profiling and MAC address spoofing mitigation

BrianPersaud — Thu, 08 Aug 2019 16:50:38 GMT

I had the same question. I tested the scenario with a Cisco IP phone and a laptop. After the IP phone was profiled, I disconnected it from the network and then set the mac address on the laptop to the same as the IP phone. I was able to authenticate successfully using the laptop with the exact authorization profile as the ip phone. It classified the laptop as an IP phone based on the information it had cached previously. The laptop was assigned to the voice vlan and had all the permissions on the network.

Re: ISE profiling and MAC address spoofing mitigation

wiong — Mon, 12 Aug 2019 02:28:14 GMT

Seems like ISE cannot re-profile it again when the MAC address has been stored in the MAB. This is a potential security vulnerability?!

Re: ISE profiling and MAC address spoofing mitigation

BrianPersaud — Tue, 13 Aug 2019 15:00:30 GMT

I retested after enabling Enable Anomalous Behaviour Detection and Enable Anomalous Behaviour Enforcement along with the appropriate authorization policy. I set the laptop to use the mac address as the IP phone. It worked as expected to deny the laptop from accessing the network.

Re: ISE profiling and MAC address spoofing mitigation

wiong — Thu, 19 Sep 2019 01:32:36 GMT

Hi Brian,

How did you got it to work? Did the spoofing device advertise a different TLV value or etc? I am testing it but ISE did not re-profile even when I enable anomalous detection and enforcement. I spoke to TAC, TAC says that because the spoofing device did not send TLV value, ISE did not trigger re-profiling.. To me, isn't that consider a change in the profile coz there is no TLV for the same device that was earlier profiled successfully using OUI + TLV? A simple notebook can easily spoof the MAC address without even installing any 3rd party tools.

Re: ISE profiling and MAC address spoofing mitigation

BrianPersaud — Thu, 19 Sep 2019 12:40:10 GMT

Hi Here are the configs I used on the switch for 802.1x. It is possible that it is using device sensor for your question about TLV. I tested on a 3650 and 3850 switches with IOS 16.6.6 with ISE 2.4 Patch 9. Note I am also doing SNMP probe, a local port ACL and CoA.

aaa authentication login default group radius local
aaa authentication enable default enable group radius
aaa authentication dot1x default group radius
aaa authorization exec default local group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 10.x.x.x server-key 7 xxxxxxxxxxxxxx
server-key 7 xxxxxxxxxxxxx
aaa session-id common
dot1x system-auth-control
dot1x critical eapol
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius server ISE01
address ipv4 10.x.x.x auth-port 1812 acct-port 1813
key 7 xxxxxxxxxxxxx

snmp-server group SNMP_GROUP v3 priv
snmp-server user SNMP_USER SNMP_GROUP v3 auth sha xxxxxxxxxx priv aes 256 xxxxxxxxxx
snmp-server host 10.x.x.x version 3 priv SNMP_USER
snmp-server enable traps snmp linkdown linkup
device-sensor accounting
device-sensor notify all-changes
authentication mac-move permit
access-session template monitor

ip access-list extended PORT-ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit tcp any host 10.x.x.x eq 8443
deny ip any any

interface gi 1/0/1

description XXXXX
switchport access vlan XXXXX
switchport mode access
switchport voice vlan xx
ip access-group PORT-ACL-DEFAULT in
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

Re: ISE profiling and MAC address spoofing mitigation

Colby LeMaire — Thu, 19 Sep 2019 18:40:34 GMT

ISE will re-profile only if new parameters are received. So if you spoof a MAC and you don't send anything else, ISE has no new information to re-profile with. Absence of information is not enough to trigger ISE to profile it again.

Be careful with Anomalous Detection and Enforcement. It has issues and there are some bugs filed on it. For example, a Windows PC running Skype will send a DHCP message with a class identifier of the OS and will also send DHCP messages with a class identifier of MS-UC-Client. Since the class identifier changes, ISE marks it as an anomalous endpoint. One of my customers had every Windows client marked as anomalous. With enforcement turned on, that would deny them all.

It is normal for a client to send multiple DHCP class identifiers. That's how browsers do automatic proxy detection, software phones detect their SIP servers, etc. ISE needs to account for that. The DHCP RFC clearly explains the use of different application-specific class identifiers.

Re: ISE profiling and MAC address spoofing mitigation

BrianPersaud — Fri, 20 Sep 2019 11:35:09 GMT

Thanks @Colby LeMaire good to know about the issues with Anomalous Detection and Enforcement. I did have the DHCP identifier issue on profiling Polycom phones. The packet capture showed they were sending the Polycom identifier then the MS-UC-Client for skype for business. Ended up doing a custom condition for this. I will monitor the windows PC's to see if this issue occurs for skype for business client.

Re: ISE profiling and MAC address spoofing mitigation

MS-JK — Thu, 14 Nov 2019 22:44:21 GMT

Having the same issues on dot1x workstations that have machine cert validation AND AD membership validation. I'm able to take MAC of a dot1x workstation previously validated and authenticate without CERT. The spoof machine even has different HOSTNAME. Yet I'm fully able to spoof get on the network. Bit scary. I'm on ISE 2.3p6 and anomaly detection is enabled. (not even seeing the spoofed machine/mac detected by the detection enabled.

Anyone found good documentation on this? Serious flaw within ISE unless there is something I'm not doing?

Thanks

Re: ISE profiling and MAC address spoofing mitigation

Colby LeMaire — Thu, 14 Nov 2019 23:59:38 GMT

Are you connected behind an unmanaged switch or hub so that the Cisco switch isn't detecting the link state change? I assume that is what you are doing since any link state change would force a new authentication. If you are doing this behind some device to keep the link state up, then one option to combat that is to use reauthentication. If someone really wants to get in, they will. They can spoof the MAC and intentionally not send any new profiling data or anything that could trigger profiling. In that case, your only option to mitigate it is with reauthentication every so often. The Department of Defense (Network STIG) requires a reauthentication timeout of every hour (60 minutes) for that reason. Defense needs to be layered. Always assume someone can break in if they want. Your goal for security is to make it harder and harder by having multiple layers that need to be broken before anything of value can be obtained. Increase the window of time that would be required for an attacker to get anything so you increase the odds of someone catching them.

Re: ISE profiling and MAC address spoofing mitigation

MS-JK — Fri, 15 Nov 2019 00:52:54 GMT

You bring up a good point. So the good guy was connecting to SWITCH1 (managed) and the bad guy was connecting to SWITCH2 (managed) different port - direct connection. Which is even more alarming. ISE detected the new machine (simple linux machine with spoofed MAC and different hostname) and gave it same access as the connected good guy's machine.

With that said 2 tests were done. ONE printer (MAB) and one WIN10 (Dot1x). The printer - port did bounce as its directly connecting but spoofing machine (even with the different hostname) assumed same ISE auth/author profile of the previously connected printer - and again without any Anomalous Behavior detected.

Re: ISE profiling and MAC address spoofing mitigation

BrianPersaud — Fri, 15 Nov 2019 15:24:18 GMT

Hi do you have the authorization policy enabled to block the devices when the behavior is detected?

Re: ISE profiling and MAC address spoofing mitigation

MS-JK — Wed, 20 Nov 2019 21:53:33 GMT

There is nothing to block - it didn't even DETECT it. Right now - this is a serious flaw with ISE. Anyone can become a dot1x authenticated user with machine cert and AD validations with a simple 10 second MAC spoof? ISE didn't even see it on host change, no NMAP is re-initiated, no re-profile is initiated. Scary - why would we recommend ISE to anyone if this holds true? I'm hoping I'm wrong.

Re: ISE profiling and MAC address spoofing mitigation

AMoore1776 — Fri, 28 Feb 2020 19:59:01 GMT

So what command needs to be running on the switch interface?

Re: ISE profiling and MAC address spoofing mitigation

Parag Mahajan — Sun, 01 Mar 2020 00:05:01 GMT

In your first scenario, "You bring up a good point. So the good guy was connecting to SWITCH1 (managed) and the bad guy was connecting to SWITCH2 (managed) different port - direct connection. Which is even more alarming. ISE detected the new machine (simple linux machine with spoofed MAC and different hostname) and gave it same access as the connected good guy's machine."

How is first guy connecting through dot1x or MAB . If it connecting using dot1x and then bad guy connecting to switch 2 may spoof MAC address but he will not get access as he does not have dot1x crendetials (Cert or user/password).

In second scenario "ONE printer (MAB) and one WIN10 (Dot1x). The printer - port did bounce as its directly connecting but spoofing machine (even with the different hostname) assumed same ISE auth/author profile of the previously connected printer - and again without any Anomalous Behavior detected."

It does work as long as both type of endpoints getting correctly profiled. Win10 at should have got profiled as at least as 'workstation' and printer should have profiled as 'printer' then only ISE can detect and enforce ABD.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html

Re: ISE profiling and MAC address spoofing mitigation

nayan29net — Thu, 20 Aug 2020 23:02:03 GMT

On our production network we have Anomalous Behavior Detection enabled, but Enforcement is disabled.

What would be the impact if I enable the Enforcement as well and Change CoA type to Re Auth instead of No CoA.

Also,

What is the best practice for profiling an endpoint?

We generally try to avoid just using OUI or MAC address alone?

Is it wise to use DHCP Parameter Request List or NMAP Port Scan Result?

Re: ISE profiling and MAC address spoofing mitigation

nayan29net — Thu, 20 Aug 2020 23:09:12 GMT

@Mohammed al Baqari

On our production network we have Anomalous Behavior Detection enabled, but Enforcement is disabled.

What would be the impact if I enable the Enforcement and Change CoA type to Re Auth instead of No CoA.

Also,

What is the best practice for profiling an endpoint?

We generally try to avoid just using OUI or MAC address alone?

Is it wise to use DHCP Parameter Request List or NMAP Port Scan Result?

Also why two printer with same OUI/Different Model Provide different attributes?

I have some ricoh printer which provide precise details like

hrDeviceDescr

RICOH Aficio SP 4210N

sysDescr

RICOH Aficio SP 4210N 1.02 / RICOH Network Printer C model

Where some does not provide any concrete information

They provide dhcp-parameter-request-list which is not necessary indication if its printer devices