<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Profile Transitions and the use of Exception Actions in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5259533#M594923</link>
    <description>&lt;H3 id="toc-hId--757305094"&gt;&lt;STRONG&gt;Expected Behavior vs. Observed Behavior&lt;/STRONG&gt;&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Expectation:&lt;/STRONG&gt;&amp;nbsp;Anomalous behavior detection should have triggered due to the mismatch in endpoint attributes (e.g., OS fingerprinting, device type, SNMP details).&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Observation:&lt;/STRONG&gt;&amp;nbsp;ISE permitted access to the spoofed-MAC laptop endpoint.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 id="toc-hId-1730207739"&gt;&lt;STRONG&gt;Seeking Community Input&lt;/STRONG&gt;&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;Is there a way to enforce profiling-based validation beyond the MAC address to mitigate spoofing risks?&lt;/LI&gt;
&lt;LI&gt;Can Anomalous Behavior Detection (ABD) be fine-tuned to detect attribute mismatches (e.g., OS, SNMP, hostname inconsistencies)?&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Any guidance on remediating MAC spoofing risks within ISE profiling policies would be highly appreciated.&lt;BR /&gt;Shall we enable CoA as reauth, or make Anomalous Endpoint Detection Enforcement by creating a rule as mentioned in this link:&amp;nbsp;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html#anc9" target="_blank" rel="nofollow noopener noreferrer"&gt;Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco&lt;/A&gt;&lt;BR /&gt;But for&amp;nbsp;Enforcement, at least it should flag it as an&amp;nbsp;Anomalous Endpoint, which is not happening in my case.&lt;/P&gt;</description>
    <pubDate>Wed, 12 Feb 2025 07:41:28 GMT</pubDate>
    <dc:creator>jitendrac</dc:creator>
    <dc:date>2025-02-12T07:41:28Z</dc:date>
    <item>
      <title>Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5197884#M591940</link>
      <description>&lt;P&gt;How to avoid mac spoofing in MAB using Profiling&amp;nbsp;Transitions and the use of Exception Actions&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We have ISE 3.3 Patch 3 deployed for one of our customers. For wired printers we are using MAB. For authentication and authorization, we are using the profiling service of the PSN. Below is the policy set created:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Policy Set Name - IL-Wired-MAB&lt;/LI&gt;
&lt;LI&gt;Condition – Default Wired_MAB&lt;/LI&gt;
&lt;LI&gt;Authentication Policy - IL-MAB&lt;/LI&gt;
&lt;LI&gt;Condition – Default Wired_MAB&lt;/LI&gt;
&lt;LI&gt;Use Internal Endpoints (if Auth Fail – CONTINUE, if User Not Found – CONTINUE, if Process Fail – DROP)&lt;/LI&gt;
&lt;LI&gt;Authorization Policy - Printer MAB&lt;/LI&gt;
&lt;LI&gt;Condition – End Points Logical Profile EQUALS Printer&lt;/LI&gt;
&lt;LI&gt;Authorization Profiles – IL_Printer (Printer Vlan)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;We can see the ISE PSN has successfully profiled some printers as Canon Device (CF=10) and some printers as Canon Printer (CF=40).&lt;/P&gt;
&lt;P&gt;However, when we connect a laptop with a spoofed MAC address to the printer port, the laptop gets successfully authenticated and authorised with the Canon Device profile (OUI match).&lt;/P&gt;
&lt;P&gt;When we looked at the Canon Device profile, it is just matching the OUI of the MAC address.&lt;/P&gt;
&lt;P&gt;The PSN has the following probes enabled:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;RADIUS&lt;/LI&gt;
&lt;LI&gt;DHCP&lt;/LI&gt;
&lt;LI&gt;HTTP&lt;/LI&gt;
&lt;LI&gt;DNS&lt;/LI&gt;
&lt;LI&gt;AD&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;We are not using Device Sensor as the Cisco C1000 does not support the Device Sensor feature.&lt;/P&gt;
&lt;P&gt;RADIUS is not of use as the printer does not support 802.1X. DHCP is not of use as the printer has an IP address statically configured.&lt;/P&gt;
&lt;P&gt;Is there any way I can stop the MAC address spoofing method from bypassing the ISE NAC solution?&lt;/P&gt;
&lt;P&gt;I read about Profile Transitions and the use of Exception Actions to restrict access, where we can take action on a new device profile learned on the printer port.&lt;/P&gt;
&lt;P&gt;But I'm not sure how to configure it. Can anyone suggest to me how to restrict unauthorised access to a wired printer using Profile Transitions and Exception Actions?&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2024 02:10:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5197884#M591940</guid>
      <dc:creator>jitendrac</dc:creator>
      <dc:date>2024-09-24T02:10:06Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5197914#M591941</link>
      <description>&lt;P&gt;This does not relate to ISE, I think.&lt;/P&gt;
&lt;P&gt;A port in single-host mode allows only one MAC in the data domain; here I think your SW uses multi-host mode and hence more than one MAC is allowed on the port.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2024 04:23:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5197914#M591941</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-24T04:23:03Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198205#M591946</link>
      <description>&lt;P&gt;I think you are referring to ISE Anomalous Behaviour Detection and Enforcement. However, based on what you described, Anomalous Behaviour probably wouldn't help in this case, because if the printer's profile looks only at the OUI of the MAC address then it is less likely that a profile change would happen when the spoofed MAC address is connected.&lt;/P&gt;
&lt;P&gt;Also, the fact that the printer and the spoofing laptop are connected in the same way to the network will also make the Anomalous Behaviour feature less effective. Finally, if the spoofing laptop is also statically assigned an IP, then the Anomalous Behaviour feature won't be able to trigger any flag on this, as both the printers and the spoofing laptop have the same characteristics.&lt;/P&gt;
&lt;P&gt;What I think you can do though would be to open up the printer endpoint attributes page in ISE, try to look at all the collected attributes, and then you can go and edit the Canon profiling policy by adding some of those attributes that would be unique to the printers.&lt;/P&gt;
&lt;P&gt;In that case when the spoofing laptop tries to impersonate the printer it won't be "in theory" able to match all the profile conditions, and accordingly it won't be profiled as a printer, although it does have the same MAC address as the printer.&lt;/P&gt;
&lt;P&gt;ISE profiling policies work with certainty levels, so if the profile has a single condition then there is no way to build up any increment to the certainty level. However, if the profile has three conditions, then you can configure it in a way that sums up the condition values to the certainty level. For instance, you can configure the profile to have a certainty level of 30 and have three conditions: one will be the OUI with a value of 10, another something else (an attribute from the endpoint attributes page) with a value of 10, and the third something else (an attribute from the endpoint attributes page) with a value of 10. In this case all three conditions must match before a device is profiled with that profile.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2024 15:21:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198205#M591946</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2024-09-24T15:21:02Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198287#M591957</link>
      <description>&lt;P&gt;Hi Aref,&lt;/P&gt;
&lt;P&gt;Thanks for your response. When I read the&amp;nbsp;ise-profiling-design-guide, I came to know the concept of&amp;nbsp;Profile Transitions and&amp;nbsp;Exception Actions.&lt;BR /&gt;It is mentioned as " it is possible that an endpoint will transition from an Unknown profile to a specific profile (for example, Apple-iPad). The transition may occur in one update, but often the transition occurs in steps as new profile data is acquired from the network (for example, from Unknown to Apple-Device, and then from Apple-Device to Apple-iDevice, and finally to Apple-iPad). Although not as common, it is also possible for “negative” profiling data to be received for an endpoint that results in a transition from a more-specific profile to a less-specific parent profile, &lt;U&gt;&lt;EM&gt;&lt;STRONG&gt;or a completely different profile altogether.&lt;/STRONG&gt;&lt;/EM&gt;&lt;/U&gt; &lt;SPAN&gt;Regardless of the type of profile transition, &lt;EM&gt;&lt;U&gt;&lt;STRONG&gt;a profile change may impact the Authorization Policy rule matched when the endpoint re-authenticates to the network&lt;/STRONG&gt;&lt;/U&gt;&lt;/EM&gt;&amp;nbsp;&lt;/SPAN&gt;"&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Exception Actions&lt;BR /&gt;Exception Actions are the means by which ISE Profiling Services trigger a response to a &lt;EM&gt;&lt;U&gt;&lt;STRONG&gt;profiling event or state change.&lt;/STRONG&gt;&lt;/U&gt;&lt;/EM&gt;&lt;BR /&gt;Now,&lt;/P&gt;
&lt;P&gt;What I understood is that when the MAC address is already profiled as Canon-Device with just the OUI field (CF=10) by the PSN, and when a&amp;nbsp;spoofing laptop is&lt;SPAN&gt;&amp;nbsp;connected, profiling should change from Canon-Device to Windows 11 workstation, because a Windows workstation will generate a lot of packets related to RADIUS, DNS, and DHCP that the PSN can capture to know that the profile has transitioned from Canon-Device to Windows 11 workstation. And now, when ISE observes a profile change, we can take action using an Exception. &lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;In the Exception Action we can apply a different profile, and for that profile we can set restricted access in the authorization policy.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Is my understanding correct?&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2024 17:33:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198287#M591957</guid>
      <dc:creator>jitendrac</dc:creator>
      <dc:date>2024-09-24T17:33:46Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198390#M591967</link>
      <description>&lt;P&gt;We need to remind ourselves that MAB is inherently non-secure. In other words, as its acronym &lt;EM&gt;MAB&lt;/EM&gt; suggests, it's &lt;STRONG&gt;bypassing&lt;/STRONG&gt; secure authentication. MAC spoofing is easy, as you've already discovered. But here are some tips:&lt;/P&gt;
&lt;P&gt;Use DHCP instead of static IPs. Come on. Really, static IPs are so 1980s and there is no benefit to using them (don't let people convince you that DHCP is problematic - people who say that are either lazy or don't understand how to set up DHCP) - static IPv4 makes more work and causes more issues down the road. Setting up a DHCP server (even on a Cisco router if you have to) is so simple. A bit of effort and some planning can help a lot. The benefit of DHCP is that printers (or devices in general) send a lot of valuable data in the Discover packet. That is a great start for profiling. It's NOT security, but it's a profiling aid.&lt;/P&gt;
&lt;P&gt;If you're stuck with static IPs then the next best thing for printers is enabling SNMP probing from ISE. But it must be SNMPv1/2 (not v3). This should be easily done, and it will give ISE sysObjectID, sysDescr etc. to make profiling more accurate. Yes, of course the hacker can spoof an SNMP agent - see my initial point about MAB being "no security at all". Where there's a will, there's a way!&lt;/P&gt;
&lt;P&gt;Finally, if you want security, there is only one option. Put a cert on the printer and make it talk 802.1X EAP-TLS. Even my $50 Canon home printer from the supermarket supports this. Put a 5-year cert on there if you have to. The point being, it's going to be super hard to spoof an RSA cert with a 2048-bit key length (at least).&lt;/P&gt;
&lt;P&gt;Security doesn't come easy. Some hard work will be involved. My suggestion would be to start with DHCP and SNMP, which will make profiling quite accurate and make spoofing harder.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2024 20:47:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198390#M591967</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-09-24T20:47:01Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198846#M591982</link>
      <description>&lt;P&gt;Thanks, Arne, for your response.&lt;BR /&gt;&lt;BR /&gt;We will try to push the customer to use DHCP, or at least allow the PSN to do active probes like an NMAP scan or SNMP query.&lt;BR /&gt;However, I was wondering why I can't use ISE's&amp;nbsp;Profile Transitions and&amp;nbsp;Exception Actions feature to detect a spoofed MAC.&lt;BR /&gt;If an attacker spoofs the MAC of the printer and connects on the same printer port, at that point the attacker's laptop/machine will start generating some interesting traffic like DNS and HTTP. The ISE PSN can now detect that the same MAC address's profile has transitioned from canon-printer to windows workstation, so let's take an action on this behaviour using a&amp;nbsp;User-Defined or System-Defined Exception Action, where we can apply a different Profile Policy or initiate a CoA to bounce the port. (As per the document it is mentioned that&amp;nbsp;&lt;EM&gt;&lt;U&gt;&lt;STRONG&gt;Exception Actions are the means by which ISE Profiling Services trigger a response to a profiling event or state change&lt;/STRONG&gt;&lt;/U&gt;&lt;/EM&gt;.)&lt;BR /&gt;I am just trying to understand if this will work to detect a spoofed MAC?&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 13:55:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198846#M591982</guid>
      <dc:creator>jitendrac</dc:creator>
      <dc:date>2024-09-25T13:55:49Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198853#M591984</link>
      <description>&lt;P&gt;Hi Aref,&lt;BR /&gt;I think&amp;nbsp;Cisco ISE Anomalous Behavior Detection should work.&lt;BR /&gt;I just watched this video and as per this&amp;nbsp;Cisco ISE Anomalous Behavior Detection can detect MAC Spoof OR Profile Change&lt;BR /&gt;&lt;A href="https://www.youtube.com/watch?v=OP1BGzTGWJw" target="_blank"&gt;https://www.youtube.com/watch?v=OP1BGzTGWJw&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 14:07:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198853#M591984</guid>
      <dc:creator>jitendrac</dc:creator>
      <dc:date>2024-09-25T14:07:01Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198857#M591985</link>
      <description>&lt;P&gt;You are welcome. It depends on the other profile config. For instance, if Windows workstation profile is configured with multiple conditions, but all of them rely on DHCP traffic then that profile won't be matching the traffic coming from the spoofing laptop because it is assigned an IP statically, so no DHCP traffic will be sent from that laptop. And because of this, there will be no profile or profiling state change from ISE point of view. Also, in a scenario where ISE would have two profiles and both of them would match, I think in that case the profile with the higher certainty level will take precedence. For instance, if Windows profile matches the traffic coming from the spoofing laptop, and that profile happens to have a certainty level higher than Canon profile then the spoofing laptop would be profiled as a Windows workstation. The change of behaviour that would be used by ISE Anomalous behaviour would apply on an endpoint that came to ISE as something, and then it now came as another thing. For instance, if the Canon printer was configured in DHCP and was profiled as a Canon printer, and then the spoofing laptop tried to impersonate it then yes that would be detected by ISE because in this case the MAC address would be the same, but the DHCP attributes and collected data from DHCP traffic would be totally different.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 14:13:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198857#M591985</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2024-09-25T14:13:04Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198913#M591990</link>
      <description>&lt;P&gt;&lt;SPAN&gt;"" MAC Address spoofing""are you sure??&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Did you check mac address in SW do you see one Mac or two connect to port&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;MHM&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 16:04:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5198913#M591990</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-25T16:04:38Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199002#M591993</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752"&gt;@MHM Cisco World&lt;/a&gt;&amp;nbsp;the question is not about two concurrent MAC addresses on the port, but rather two different devices, each connected one at a time, but having the same MAC address - the bad actor takes the MAC address of a valid device to try to get access to the network.&lt;/P&gt;
&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1196021"&gt;@jitendrac&lt;/a&gt;&amp;nbsp;ISE Anomaly Detection does work as Hari's video shows, but it does rely on the clients using DHCP, because that is how ISE can tell a Windows OS from a Linux OS (for example) - it uses the DHCP client identifier data. It's not very clear what other mechanisms Anomaly Detection uses to do its job, but I have a customer who has thousands of anomalies, and when I investigate them, ISE says it was due to Windows 10 =&amp;gt; Windows 10.&amp;nbsp; Makes no sense.&lt;/P&gt;
&lt;P&gt;I have seen another legitimate case of Polycom desk phones that boot up using a Microsoft IP stack (sends out DHCP with client-identifier = MSFT), initialise themselves and then a few seconds later send out another DHCP identifying themselves as Polycom.&amp;nbsp; In my opinion that is just a bad implementation of that vendor's product, but the reality is that ISE detected that as anomalous and would have taken action on that legitimate device, if I had enabled Enforcement. But I never enabled Enforcement because of false positives. Which basically renders this feature useless to me - sadly. I don't think Cisco has made enough fanfare about this feature and they have not explained it well enough, or given us enough parameters to tune. Hari's video makes it look so appealing and simple, but the reality is quite different.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 20:49:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199002#M591993</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-09-25T20:49:37Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199611#M592013</link>
      <description>&lt;P&gt;&lt;SPAN&gt;"the bad actor takes the MAC address of a valid device to try to get access to the network." &amp;lt;&amp;lt;- this is the point I want to be sure about: does the SW see one MAC or two?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;MHM&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 26 Sep 2024 19:53:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199611#M592013</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-26T19:53:45Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199625#M592015</link>
      <description>&lt;P&gt;The switch sees one MAC address because only one device is attached to the switch. If the bad actor uses a Windows OS, they can modify the MAC address to be whatever they want it to be. Usually, bad actors will use a Linux-based OS, which can do the same thing. The Ethernet frame that is sent out of the bad actor's network adapter will have a customised source MAC address. This is what is called MAC spoofing. And obviously the bad actor removes the genuine device from the network, and plugs their own modified device into the network, masquerading as the good device. One MAC address.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Sep 2024 20:14:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199625#M592015</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-09-26T20:14:49Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199627#M592016</link>
      <description>&lt;P&gt;I need confirmation from him.&lt;/P&gt;
&lt;P&gt;He mentions ISE sees the same MAC but never checked the SW.&lt;/P&gt;
&lt;P&gt;It can be a simple issue with a simple solution.&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Thu, 26 Sep 2024 21:15:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199627#M592016</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-26T21:15:36Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199720#M592030</link>
      <description>&lt;P&gt;Hi MHM Cisco World&lt;BR /&gt;I am referring to the scenario as mentioned by Arne: "bad actor removes the genuine device from the network, and plugs their own modified device into the network, masquerading as the good device's MAC".&lt;BR /&gt;Of course the switch has lots of port security features to avoid/stop MAC spoofing, but I am referring to the case where the bad actor removes the genuine device from the network, and plugs their own modified device into the network, masquerading as the good device's MAC.&lt;/P&gt;</description>
      <pubDate>Fri, 27 Sep 2024 02:48:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199720#M592030</guid>
      <dc:creator>jitendrac</dc:creator>
      <dc:date>2024-09-27T02:48:13Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199832#M592038</link>
      <description>&lt;P&gt;Still searching, but there are some points I got that I want to share here.&lt;/P&gt;
&lt;P&gt;Device Sensor is not available, so ISE uses the MAC in RADIUS to get the OUI; that is why both endpoints have the same OUI (assuming the laptop uses the same MAC as the printer).&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Fri, 27 Sep 2024 09:40:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5199832#M592038</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-27T09:40:24Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5200166#M592059</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752"&gt;@MHM Cisco World&lt;/a&gt;&amp;nbsp;you're barking up the wrong tree, mate. I don't know what part of this you don't understand. MAC spoofing is the most basic thing in the world. Your last question about "why both endpoints have same OUI?" - obviously they'd have the same OUI if the first three bytes of the MAC address are the same - that's what defines the OUI. And MAC address spoofing has nothing to do with Device Sensor. The switch is not aware that MAC spoofing is going on.&lt;/P&gt;
&lt;P&gt;The original question from&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1196021"&gt;@jitendrac&lt;/a&gt;&amp;nbsp;was about how to handle the detection of such events, and we answered that already - ISE Anomalous Detection. And this only works if DHCP is involved, since ISE has profiled the MAC address using DHCP as being a Windows PC, and then next time it sees the same MAC address it's a Linux OS. That triggers anomalous detection and a Global Exception in ISE can do stuff to that - watch the YouTube video for an example. I maintain, that this is still flawed, because you can't assume that DHCP is always involved. And Anomalous Detection (in my experience) has flaws (false positives) and the mechanisms used for detection and comparison are not well enough documented. Perhaps the solution lies elsewhere - e.g. using NetFlow record analysis to detect anomalous behaviours - send your client interface NetFlow records to a clever system that can detect the anomalies, and then have that system integrate with ISE pxGrid to quarantine the interface. That would be harder and more expensive, but most likely have better outcomes.&amp;nbsp; &amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 27 Sep 2024 20:52:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5200166#M592059</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2024-09-27T20:52:54Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5200459#M592072</link>
      <description>&lt;P&gt;We did some testing in the environment&lt;/P&gt;
&lt;P&gt;Here is the result of testing&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;The printer is on the network&lt;/LI&gt;
&lt;LI&gt;ISE learns the profile of the printer we get "canon-device" in Matched Policy and&amp;nbsp;End Point Policy in Context Visibility.&lt;/LI&gt;
&lt;LI&gt;We spoof the MAC address of the printer assigned to the laptop, remove the printer, and connect the computer to the printer switch port.&lt;/LI&gt;
&lt;LI&gt;We get access to a network.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;This is the problem we are discussing.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, I do not get access to the network if I delete the MAC address from context visibility when connecting the same laptop with a spoof MAC address. This time, Context Visibility shows&amp;nbsp;Windows11-Workstation as Matched Policy and&amp;nbsp;End Point Policy.&lt;/P&gt;
&lt;P&gt;This indicates if the MAC address is already profiled and if a new device with the same MAC address comes with a different expected profile. ISE does not change the old profile OR override that old profile with a new one.&lt;/P&gt;
&lt;P&gt;This looks like my&amp;nbsp;Endpoint Profile Change feature is not working as expected. Maybe I am missing some configuration.&lt;/P&gt;
&lt;P&gt;I want to understand following. Let me know if there are any documentation or Cisco Live Webinar that are covering this topic&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;When ISE populates the Context Visibility First Time - Does its populate As soon as Profile matched with CF Score OR will it wait for certain duration till it do not see other Profile coming on same port with same MAC but more CF score ?&lt;/LI&gt;
&lt;LI&gt;What if 2 different profile with same CF matched ? Which one ISE will take as final to mentioned in Context Visibility ?&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Where to define Exception Action ? Do we have to configure&amp;nbsp;Exception Action in already learned Profile ?&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
</description>
      <pubDate>Sun, 29 Sep 2024 04:43:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5200459#M592072</guid>
      <dc:creator>jitendrac</dc:creator>
      <dc:date>2024-09-29T04:43:29Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5200552#M592074</link>
      <description>&lt;P&gt;The printer uses the below attributes:&amp;nbsp;&lt;BR /&gt;-OUI &amp;lt;&amp;lt;- since ISE uses the MAC to get the OUI and the MAC is the same, this is useless&amp;nbsp;&lt;BR /&gt;-DHCP Class Id &amp;lt;&amp;lt;- this you can surely use via ip dhcp relay&amp;nbsp;&lt;BR /&gt;-SNMP DeviceDescr &amp;lt;&amp;lt;- you don't have a sensor, so you can use it&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (176).png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/230211i1567161CD73DE184/image-size/large?v=v2&amp;amp;px=999" role="button" title="Screenshot (176).png" alt="Screenshot (176).png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 29 Sep 2024 12:06:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5200552#M592074</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-29T12:06:01Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5201601#M592099</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1196021"&gt;@jitendrac&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;
&lt;P&gt;However, I do not get access to the network if I delete the MAC address from context visibility when connecting the same laptop with a spoof MAC address. This time, Context Visibility shows&amp;nbsp;Windows11-Workstation as Matched Policy and&amp;nbsp;End Point Policy.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Still with a static IP assigned to that spoofing laptop? If so, that shouldn't happen, as the spoofed OUI belongs to Canon. However, if you open up the spoofing laptop page on ISE and go to the attributes page, it should show you all the attributes collected, and from there you can see how and why the laptop was profiled as a Windows 11 workstation. If there are two profiles matching an endpoint, the one with the higher certainty will be applied, and if an endpoint was already profiled as something, ISE won't change its profile unless a higher certainty is hit from another profile.&lt;/P&gt;
&lt;P&gt;Also, please take a look at this guide focused on ISE profiling:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456" target="_blank" rel="noopener"&gt;ISE Profiling Design Guide - Cisco Community&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 01 Oct 2024 09:40:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5201601#M592099</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2024-10-01T09:40:51Z</dc:date>
    </item>
    <item>
      <title>Re: Profile Transitions and the use of Exception Actions</title>
      <link>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5201611#M592101</link>
      <description>&lt;P&gt;Thanks&amp;nbsp;MHM,&lt;/P&gt;
&lt;P&gt;I will check if the customer can allow us to use an NMAP scan and SNMP query on the endpoint.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Oct 2024 09:52:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/profile-transitions-and-the-use-of-exception-actions/m-p/5201611#M592101</guid>
      <dc:creator>jitendrac</dc:creator>
      <dc:date>2024-10-01T09:52:38Z</dc:date>
    </item>
  </channel>
</rss>

