https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555294#M511658 <HTML><HEAD></HEAD><BODY><P>Hi there</P><P></P><P>Unless I completely misunderstood your question please note the following</P><P></P><P>Kali Linux supports 1x auth</P><P>http://www.keyboardbanger.com/configuring-authentication-kali-linux/</P><P></P><P>Cisco switches Support multi auth</P><P>https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-802x-multi-auth.html</P><P></P><P>This feature supports multiple hosts on the same network port</P><P></P><P></P><P>Thanks</P><P>Ahmed</P><P>Sent from my iPhone</P></BODY></HTML> Mon, 12 Mar 2018 16:45:00 GMT afahmy 2018-03-12T16:45:00Z https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555293#M511657 <HTML><HEAD></HEAD><BODY><P>This is my first time posting to the community at-large.. please be gentle.</P><P></P><P>I've been working with ISE 2.3 for about two weeks so my apologies in advance if this is a dumb question. We're performing a bake-off with multiple NAC solutions and one of the evaluation criteria is the ability to detect and enforce network access restrictions on guest virtual machines hosted on otherwise approved endpoints. For example, assume a known Windows endpoint connects to the network and is subsequently authenticated and permitted access to the network. That same endpoint them starts a Kali Linux virtual machine and starts pen-testing the internal network. I realize there's an entire ecosystem of solutions meant to detect this "east-west' activity but my question is can a standalone implementation of Cisco ISE (no Stealthwatch, no PxGrid, etc) detect the presence of a hosted virtual machine based on information reported by the access device (netflow, cdp, lldp, etc)? Our access devices for the tests are a 4500x (03.08.01 universal k9) and a 3750x (15.0.2-SE11 universal k9).</P><P></P><P>I've been reading day and night and I can't seem to find a straightforward answer on this subject. Granted, I'm just getting started with 802.1x and NAC concepts in general.</P><P></P><P>Thanks,</P><P>SP</P></BODY></HTML> Mon, 12 Mar 2018 14:48:50 GMT https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555293#M511657 SeanP 2018-03-12T14:48:50Z https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555294#M511658 <HTML><HEAD></HEAD><BODY><P>Hi there</P><P></P><P>Unless I completely misunderstood your question please note the following</P><P></P><P>Kali Linux supports 1x auth</P><P>http://www.keyboardbanger.com/configuring-authentication-kali-linux/</P><P></P><P>Cisco switches Support multi auth</P><P>https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-802x-multi-auth.html</P><P></P><P>This feature supports multiple hosts on the same network port</P><P></P><P></P><P>Thanks</P><P>Ahmed</P><P>Sent from my iPhone</P></BODY></HTML> Mon, 12 Mar 2018 16:45:00 GMT https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555294#M511658 afahmy 2018-03-12T16:45:00Z https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555295#M511659 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: #575757;">Thanks Ahmed,</SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: #575757;"><SPAN style="font-family: Arial, sans-serif;">The muti-auth option seems to work well for daisy-chained scenarios <SPAN style="font-family: Arial, sans-serif;">(switch-&gt;ip phone-&gt;pc) </SPAN>and bridged VMs. </SPAN>I think the concern here is the use of unauthorized virtual machines NAT'd behind an authenticated endpoint; using VMware workstation or VirtualBox for example. In that situation, I'm not sure how the NAC could distinguish the physical host from the guest VM, barring some form of packet analysis.</SPAN></P><P></P><P>Thanks,</P><P>SP</P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: #575757;"><BR /></SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: #575757;"><BR /></SPAN></P></BODY></HTML> Mon, 12 Mar 2018 17:11:11 GMT https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555295#M511659 SeanP 2018-03-12T17:11:11Z https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555296#M511660 <HTML><HEAD></HEAD><BODY><P>You would need to install anyconnect posture module (system scan) on the endpoints to block them from doing this, this would be out of compliance</P></BODY></HTML> Mon, 12 Mar 2018 23:22:35 GMT https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555296#M511660 Jason Kunst 2018-03-12T23:22:35Z https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555297#M511661 <HTML><HEAD></HEAD><BODY><P>Thanks Jason, that appears to be the general consensus in most of my other research. With out some endpoint assessment / enforcement agent, there doesn't appear to be a method for detecting NAT'd virtual systems.</P></BODY></HTML> Tue, 13 Mar 2018 17:22:10 GMT https://community.cisco.com/t5/network-access-control/detecting-endpoint-hosted-virtual-machines/m-p/3555297#M511661 SeanP 2018-03-13T17:22:10Z