topic Profiling based on MAC Address... in Network Access Control

Profiling based on MAC Address...

rezaalikhani — Wed, 03 Jan 2024 07:57:57 GMT

Hi all;

Consider a scenario where I want to profile an unknown device with MAC Address parameter of the endpoint. In this regard, we have two options, as show below:

As my testing experience, if I choose OUI, I must provide the exact name (not something like OUI STARTWITH AA:AA:AA) of the vendor that has registered the address with IEEE. Right?

Now, if I choose MACAddress, something with MACADDRESS STARTWITH AA:AA:AA is valid for matching policy?

Thanks

Re: Profiling based on MAC Address...

ahollifield — Wed, 03 Jan 2024 14:15:56 GMT

Why use only MAC address? Why not also use DHCP or Device Sensor? MAC address / OUI only is really prone to MAC spoofing attacks and doesn't provide much security.

Re: Profiling based on MAC Address...

Karsten Iwen — Wed, 03 Jan 2024 14:21:25 GMT

If you only want to match the vendor-ID, you don't need to use the Profiler. You can directly use a condition in your authorization policy:

Re: Profiling based on MAC Address...

MHM Cisco World — Wed, 03 Jan 2024 14:49:34 GMT

I think he facing host with not correct IP' and he decides to use mac profile.

@rezaalikhani am I correct?

His last post mention that the host show not correct IP' and he accpet solution that there is two vlan.

For me that can be if wrong IP is in different vlan not same one.

If it different vlan (subnet) then there are two vlan one before authz and other after authz.

And the ISE list authz host with IP from vlan before authz.

If both correct and wrong IP in same subnet then there is issue in dhcp profile attribute.

That what I think

MHM

Re: Profiling based on MAC Address...

rezaalikhani — Wed, 03 Jan 2024 18:25:31 GMT

I can not use DHCP because the endpoint needs to be assigned static IP address and cannot use Device Sensor because the switch does not support this functionality...

Re: Profiling based on MAC Address...

rezaalikhani — Wed, 03 Jan 2024 18:28:19 GMT

Thanks for your reply;

Interesting but does not answer my questions...

Thanks anyway

Re: Profiling based on MAC Address...

rezaalikhani — Wed, 03 Jan 2024 18:32:29 GMT

Thanks for your reply;

As @hslai said, the NAD correctly submits the IP addresses of the second VLAN using RADIUS Accounting Interim Updates but as the NAD does not send it using RADIUS Authentication Request again, ISE does not show the new IP address in its authentication report...

Re: Profiling based on MAC Address...

MHM Cisco World — Wed, 03 Jan 2024 18:41:08 GMT

Yes friend that case if we use radius attribute profile not dhcp profile.

Anyway I will make double check and update you.

Thanks alot

MHM

Re: Profiling based on MAC Address...

rezaalikhani — Mon, 08 Jan 2024 17:13:54 GMT

Any ideas?

Thanks

Re: Profiling based on MAC Address...

MHM Cisco World — Mon, 08 Jan 2024 17:52:10 GMT

I have idea
you can use DHCP profile
and add static IP to host using it clinet-id or MAC
here when DHCP assign IP to host it send copy to ISE
MHM

Re: Profiling based on MAC Address...

hslai — Tue, 09 Jan 2024 03:34:16 GMT

@rezaalikhani

Your ideas are correct.

On OUI, take a look at the Cisco Provided Profiler conditions based on it.

On MAC Addresses, I used your condition with ISE 3.2 and it worked! ISE appears to normalize the MAC addresses to dot-separated and all cap.