topic Re: Ethernet ghosting Cisco ISE bypass in Network Access Control

Ethernet ghosting Cisco ISE bypass

oumodom — Wed, 25 Dec 2024 08:01:59 GMT

Dear Cisco ISE lover,

Currently, I have testing lab for the scenario of Ethernet ghost.
That is the most concerns which we can leverage existing user for gather sensitive information, and command and control.

What the another concerns related, if attacker can spoof the MAC address of legitimate user as notice attack can take benefit from existing session, then they can connect network without posture scan (This attacker machine no any Cisco secure Client agent).

Note: We use EAP-TLS and EAP-FAST with Posture check compliant.
Please share me the fix solution.
Thank you,

Re: Ethernet ghosting Cisco ISE bypass

ccieexpert — Wed, 25 Dec 2024 15:33:10 GMT

Hello

ISE / switch authenticated on a per port basis, so if port 1 has a user authenticated, only that mac address is allowed on port 1, and if another users spoof the mac address on port 2, they wont be allowed as only port1/mac1 is authorized. there is also features like anamolous behavior detection to detect if same mac address shows different attributes to block access.

also, if the user is using a different port, then they have to go through a full EAP/posture authentication even if they do mac spoofing..

https://community.cisco.com/t5/security-blogs/cisco-ise-and-anomalous-behavior-detection-how-it-works/ba-p/4700300

**Please rate as helpful if this was useful **

Re: Ethernet ghosting Cisco ISE bypass

oumodom — Thu, 26 Dec 2024 02:45:50 GMT

I think you can't catch my concerns well,
Please refer to this link https://www.immunit.ch/blog/2022/10/26/ethernet-ghosting-nac-bypass/

Re: Ethernet ghosting Cisco ISE bypass

ccieexpert — Thu, 26 Dec 2024 23:37:35 GMT

you are right, most NAC solutions will allow this. But this means that needs a full physical compromise. If it is a user port, they will need access to the wall port . One thing that might help a bit is period authetnication and also periodic posture evaluation, just to verify the trusted machine is still there and active.

Re: Ethernet ghosting Cisco ISE bypass

oumodom — Fri, 27 Dec 2024 01:55:10 GMT

Thank for your information, @ccieexpert
What if we have insider threat bring HUB into cooperate network, it is the most concerns.
How to prevent or detect this kind of attack.

Re: Ethernet ghosting Cisco ISE bypass

oumodom — Fri, 27 Dec 2024 11:24:47 GMT

@ccieexpert Do you have alternative solution to detect or resolve this bypass?

Re: Ethernet ghosting Cisco ISE bypass

thomas — Tue, 07 Jan 2025 19:49:12 GMT

MACsec should solve the problem so the switch and endpoint have an encrypted session. https://cs.co/ise-berg#macsec

This is hardware capability of the network device and the endpoint (or software with Cisco AnyConnect, now Secure Client) and has nothing to do with ISE since it is simply the AAA server.