topic Re: Is there any way to prevent new MAC to be added to internal endpoi in Network Access Control

Is there any way to prevent new MAC to be added to internal endpoints

EHNET — Fri, 03 Mar 2023 18:43:46 GMT

We are trying to using MAB and existing internal endpoints as a whitelist ( I know it is not secure enough) to prevent new mac to access network. So I want anything that is not in internal endpoint to be rejected at authentication phase.

Is there anyway to achieve this ? I tried to remove a mac from internal endpoint, but ISE will automatically add it back after it reconnected.

I also know that I can achieve same goal by using authorization and putting trusted MAC into an ID group then use this group as condition. But the problem is how to auto add new MAC into this ID group ? Is there anyway to set conditions, for example any new MAC learnt from a specific named NAD to be added into this group? This is a dynamic environment, manually adding MAC into group is not feasible.

What I want is using a trusted switch as an onboarding platform to learn new MAC and add these MAC to a trusted ID group, keep them in that group. Later, these MAC would connect to other switches, as they already included in that ID group, they can be authorized and access the network.

My interface config is as follows:

device-tracking attach-policy ISE_Track
ip access-group ACL-DEFAULT in
authentication control-direction in
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab

Re: Is there any way to prevent new MAC to be added to internal endpoi

ahollifield — Thu, 02 Mar 2023 19:18:40 GMT

Why not reject at authorization phase? Accomplishes the same thing. What exactly are you trying to do? Just MAB only? Are your "trusted" MAC addresses in an Endpoint ID Group?

Endpoint Purge rules could satisfy what you are trying to accomplish.

Re: Is there any way to prevent new MAC to be added to internal endpoi

balaji.bandi — Thu, 02 Mar 2023 19:21:20 GMT

you can add MAC entries in to ISE and create a profile, so only MAC address will be allowed, rest will be rejected.

Re: Is there any way to prevent new MAC to be added to internal endpoi

EHNET — Thu, 02 Mar 2023 19:25:52 GMT

Thanks for the reply. We just want to use whitelisted MAC as NAC, that's it. And designate a trust device to add new mac to internal endpoint.

I know I can do this at authorization with trusted id group. But how do I auto populate this group ? Besides manually importing ?

Re: Is there any way to prevent new MAC to be added to internal endpoi

EHNET — Thu, 02 Mar 2023 19:32:42 GMT

sorry, can you please elaborate more ? Do you mean assign trusted mac into an id group ?

Re: Is there any way to prevent new MAC to be added to internal endpoi

ahollifield — Thu, 02 Mar 2023 19:36:10 GMT

Create Endpoint ID group. Add MAC addresses to Endpoint ID Group. Specify Endpoint ID group as a condition in the Authorization policy, passing the necessary attributes. Set Default Authz policy to deny.

Use profiling if you don't want to manually add each MAC address to the group. Also prevents some MAC spoofing attempts too. Required Advantage Licensing.

Re: Is there any way to prevent new MAC to be added to internal endpoi

EHNET — Thu, 02 Mar 2023 19:44:24 GMT

Thanks a lot. I already know the first portion that you mentioned.

So I can using profiling to let a trusted NAD as a source to populate that ID group ?

Re: Is there any way to prevent new MAC to be added to internal endpoi

ahollifield — Thu, 02 Mar 2023 19:48:22 GMT

No. Profiling is endpoint condition specific. So ISE will authenticate/authorize anything that looks like a printer, AP, thin client, or whatever. No static MAC address lists needed.

https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456

Re: Is there any way to prevent new MAC to be added to internal endpoi

EHNET — Thu, 02 Mar 2023 20:18:20 GMT

So looks like you cant use properties from network device such as location or name in the profiling process

Re: Is there any way to prevent new MAC to be added to internal endpoi

ahollifield — Thu, 02 Mar 2023 20:23:02 GMT

I mean you can use the NAD properties in the Authorization policies to give differentiated access. What exactly are you trying to solve? If a device is trusted (profiled, 802.1X, Static endpoint ID group, etc.) why does it matter what NAD the endpoint is connected to?

Re: Is there any way to prevent new MAC to be added to internal endpoi

EHNET — Thu, 02 Mar 2023 20:52:16 GMT

I updated my description in my post. I want to just use MAC as the only source to control access. Because there are tons device types in our network, using profiling adds too much overhead to operation. So I want to use mac whitelist here, but that list need to be auto populated

Re: Is there any way to prevent new MAC to be added to internal endpoi

ahollifield — Thu, 02 Mar 2023 20:59:27 GMT

Auto populate? What would be your source of truth? What would determine whether or not a device should be trusted? What is your concern with profiling "overhead"? Profiling removes the need for you to manually manage Static Endpoint ID Groups.

Re: Is there any way to prevent new MAC to be added to internal endpoi

EHNET — Thu, 02 Mar 2023 21:01:00 GMT

That's what I am asking if this is doable in ISE. Something like putting a device in a device group, any new mac learned from the NAD in this group will be added into a trusted ID group.

Re: Is there any way to prevent new MAC to be added to internal endpoi

Arne Bier — Thu, 02 Mar 2023 21:04:59 GMT

It's clear by now that ISE will "collect" every MAC address of every endpoint from Switches/WLC/VPN that send their RADIUS requests to ISE. That's how ISE populates its Context Visibility Database. ISE has no idea which of these endpoints are important to you. That decision can be done "automatically" by profiling (assigning endpoints to certain profiles of interest, e.g. printers, Windows-10 PCs, etc.) or manually - the manual method involves either clicking around in ISE Context Visibility and setting the Endpoint Profiles or even the Endpoint Identity Group - but it's a very laborious process. You can also export the Endpoint database, and do this manipulation in a spreadhseet. Or, if you're clever enough, do it via REST API. Either way, there has to be some logic/reasoning applied that a machine can understand if you want this association to happen. Profiling is your best bet.

Re: Is there any way to prevent new MAC to be added to internal endpoi

ahollifield — Thu, 02 Mar 2023 21:09:25 GMT

But why? What makes this particular NAD trustworthy? What stops someone from plugging anything into this particular NAD? What about other NADs in your environment?

Re: Is there any way to prevent new MAC to be added to internal endpoi

EHNET — Thu, 02 Mar 2023 21:17:41 GMT

Because we could have control who can plug anything into this trust NAD.

Existing MAC will be imported into an ID group.

Any new MAC that is not in the ID group will be rejected.

Only new MAC that learnt from this NAD will be auto added into this ID group( This's what I am asking if this doable)

Re: Is there any way to prevent new MAC to be added to internal endpoi

ahollifield — Thu, 02 Mar 2023 21:37:41 GMT

Then why deploy NAC at all if you can 100% guarantee that your NADs have trusted devices? Or is it just this one NAD? Also plugging into one specific NAD is enough of a criteria to quantify device trust?

Re: Is there any way to prevent new MAC to be added to internal endpoi

Charlie Moreton — Thu, 02 Mar 2023 21:58:48 GMT

How about creating a new Profiling Condition? Use the NAS IP Address for the condition

And then add a new Profiling Policy

Have fun with Randomized MAC Addresses 🙂

Re: Is there any way to prevent new MAC to be added to internal endpoi

EHNET — Fri, 03 Mar 2023 00:47:05 GMT

Thanks for your suggestion. I guess the method here can assign MAC to an ID group when it is connected to that specific switch. But when the same MAC connects to another switch. That MAC wont be in that ID group any more.

Re: Is there any way to prevent new MAC to be added to internal endpoi

EHNET — Fri, 03 Mar 2023 00:49:07 GMT