topic Re: MAB in ISE in Network Access Control

MAB in ISE

IbrahimElbagouri57340 — Wed, 20 Sep 2023 22:10:51 GMT

Hello All,

I have a question regarding ISE. We want to profile various devices in the IoT sector. These devices cannot use dot1x, so we are using MAB. My question is, what is the most efficient way to create these MAC groups? Is it sufficient to leave "Authentication open" on the switch under the respective interfaces so that the MAC address of the devices connected to these interfaces can be learned in ISE? Or does ISE also need to do something to register these unknown MAC addresses in the ISE database or profile them?

Re: MAB in ISE

Milos_Jovanovic — Thu, 21 Sep 2023 06:33:09 GMT

Hi @IbrahimElbagouri57340,

You are basically talking about 2 different things. One option for you is to do profiling, where you don't really care about MAC addresses and MAB (you could, in order to increase security, but it would be administrative burden), so devices can connect based on profile, something like "If device is HP printer or Lexmark printer then do something". Here you don't specify any MAC address or static endpoint group apart from endpoint profile (which is essentially endpoint group), which is learned dynamically by ISE. By doing profiling, ISE will assign certain MAC address into specific profile group, which is done dynamically. This gives you an option not to care when someone replaces printer, as new printer would probably be same vendor and it will have same profile signature.

Another option, which is more static, is to keep your own groups and input MAC addresses for each device. After that, you can invoke these groups under authorization, and work with them, as per your needs. Problem with this approach is that ig gets hard to maintain it with large environment - imagine you are retail shop, where you have so many different device types (POS terminals, IP cameras, different printers, etc.) and each one is maintained by different or even multiple subcontractors. Each time they need to replace a device, they would need to let you know about new MAC, but also about old one (to do cleanup), and this is slowing them down. Alternatively, if you have such system, ISE can be integrated with CMDB where this type of information can be stored in centralized way, so you wont need to maintain in multiple places.

Either way, you need to configure MAB authentication on ISE. Leaving it with authentication open option would essentially do nothing, as switch will not enforce any authentication.

Kind regards,

Milos

Re: MAB in ISE

thomas — Thu, 21 Sep 2023 14:45:24 GMT

Our recent webinar explains how MAB works. MAB simply establishes a RADIUS session without active authentication of an endpoint or user.

▷ MAC Authentication Bypass (MAB) with ISE 2023/07/20

00:30 Media Access Control (MAC) Addresses by the Byte
02:40 OUI & MAC Formatting
04:39 Network Authentication Options
05:45 Multi-Factor Authentication and IOT
06:14 RADIUS with 802.1X Flow
07:43 RADIUS with MAB Flow
09:15 RADIUS Packet Captures: Wired & Wireless MAB
12:00 ISE Segmentation Options with RADIUS
12:54 ISE MAB Authorization Solutions: Filtering, Profiling, Endpoint Groups, Custom Attributes, CMDBs
15:36 Frequently Used RADIUS Attributes Reference
16:26 ISE Secure Wired Access Deployment Guide for Cisco Catalyst Configuration
18:23 How To Integrate Meraki Networks with ISE
20:07 ISE Policy Set Authentication Default Behavior and Recommended Changes
23:00 ISE Policy Set Examples for MAB
23:34 Demo: ISE MAB Default Authentication Policy Behavior
Note: the MAB Authentication worked because ISE knew the MAC from previous failed auths!
27:03 - the MAB auth worked because the endpoint was known from the previous MAB failures
27:34 - MAB with If-user-not-found: Continue
28:24 ISE Local & Global Exceptions
29:11 MAC Filtering Authorization Rules using MAC_* Operators
30:04 Demo: Local and Global Exceptions
31:53 - ISE Endpoint Identity Groups
32:55 - Add/Remove Endpoints to Identity Groups
33:44 - Override Global Exception with Policy Set Local Exception
35:00 - Random MAC Address Filtering
35:53 - Matching with EQUALS vs MAC_EQUALS using :'s and -'s
37:59 - MAC OUI matching using MAC_STARTS operator
39:01 - MAC_* Operators in Authorization Rules
40:13 Demo: Static Endpoint Groups
41:06 - Endpoint Purging will remove endpoints from Endpoint Identity Groups!
42:39 - Profiling Raspberry Pis
44:58 ISE Endpoint Profiling & Demo
47:36 ISE Endpoint Custom Attributes & Demo
51:56 Configuration Management Database (CMDB) and Demo with iPSKs
56:50 Question: What is the best method to define a policy set? Spoiler: It depends!

Resources:
ISE Secure Wired Access Prescriptive Deployment Guide (https://cs.co/ise-wired)
How To Integrate Meraki Networks with ISE
RADIUS EAPTest Client (macOS only)
▷ 802.1X Simplification & Automation with IBNS 2.0

Profiling is separate and covered in another recent webinar:

▷ Getting Started with ISE Profiling 2023/09/05

00:35 Unknowns ... to Knowns ... to Classified
01:30 Audience Poll Questions
07:15 Organizational vs Behavioral Endpoint Source
08:35 Static Endpoint Groups, Endpoint Custom Attributes, and ISE pxGrid Direct with CMDBs
10:23 ISE Visibility Setup Wizard
10:54 ISE Context Visibility
11:38 Profiling : Sources ▹ Attributes ▹ Profiles ▹ Authorization Profiles ▹ Segmentation
15:14 ISE Profiling Probes Configuration
17:42 ISE Profiling Design Guide | https://cs.co/ise-profiling
18:40 Profiling Probe Selection Best Practice
20:30 Profiler Global Settings: RADIUS Change of Authorization (CoA)
24:12 Network Device Capabilities for Profiling: https://cs.co/nad-capabilities
25:48 Demo: Profiling Policies
27:12 Demo: Profiling Feed Service Online & Offline Updates
29:30 Demo: Review Updated Profiling Policies
31:08 Re-Profiling After Feed Updates
31:51 Customizing Profiling Policies : Global CoA vs Per-Profile CoA
35:15 Creating Profiling Policies
36:38 WiFi Edge Analytics for Catalyst Wireless Controllers (WLCs) with Apple, Intel, Samsung
39:52 AI-Proposed Profiling Policies
42:27 Demo: ISE AI Analytics for Profiling Proposals
46:12 AI Analytics - Advantage License Required (No Evaluation Support!)
47:48 ISE Profiling Integrations with Cisco Endpoint Analytics, Cisco CyberVision, Armis, Medigate, Ordr using pxGrid
50:00 Which Profiling Method is Best
52:55 ISE Endpoint Analysis Tool (EAT) | https://iseeat.cisco.com | End of Support
54:39 Profiling APIs and Automation | https://cs.co/ise-api | profilerprofile, endpoint, endpoints, customattributes
56:35 ISE Community & Resources

ISE Profiling Design Guide :
ISE Profiling Design Guide : https://cs.co/ise-profiling
TECSEC-3416 Walking on Solid ISE : https://cs.co/ise-training#CiscoLive
ISE Security Ecosystem Integrations : https://cs.co/ise-guides