MAB everywhere??

dennis.tobias1
Level 1

I am wondering what everyone is doing for situations beyond the traditional IP Phone and PC configuration when it comes to ISE. Are you using MAB for every other device on your network? I have a ton of devices (OT, Room Managers, APs, label printers, barcode scanners, etc.) that I want to keep tabs on. In order for profiling to really do its job, do I need to enable MAB everywhere that 802.1X can't be used? Note that a number of these devices have static IPs. I want to have visibility into every IP-enabled device on my network (including the NAD and the port the device is connected to), but I only really want to be able to take action on a limited number of the ports/devices.

Thanks in advance.

Accepted Solution

Mike.Cifelli
VIP Alumni
My opinion on your scenario:
I would try to do 802.1X with EAP-TLS on whatever devices support it. I know this will not work for every device you have. However, I know that some newer models of printers are actually capable of supporting it. For the other IoT devices I would recommend enabling MAB and using FlexAuth on your NADs. As far as profiling goes, make sure your MCF for custom profiling policies is higher than the out-of-the-box Cisco ones. My tip would be to identify the main attributes you want to use, and then build out parent & child policies accordingly. One last thing: if you are concerned about MAC spoofing, consider using anomalous detection (see: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html). The only downside is you cannot tweak what it looks for; as far as I know it is all or nothing. Good luck & HTH!


5 Replies

Thanks, Mike. That's what I was afraid of. I am coming from a different EVC/NAC platform that would essentially give me the same information about an endpoint with or without dot1x/MAB enabled, which required very little in terms of switch config to get working.

Thanks again.

ISE requires active RADIUS sessions to do anything

Colby LeMaire
VIP Alumni

Remember you can use Monitor Mode (authentication open) on a port-by-port basis along with FlexAuth as others have stated. That gives you the visibility and time to create your policies for devices that can't do 802.1X. With Monitor Mode, you can see whether the device would pass or fail authentication, but the switchport stays open at all times regardless. So the end device/user would never know the port was configured for authentication. Then, as you are comfortable, you can remove "authentication open" from the ports where you are confident the policies will work and start enforcing access.

Most of my customers will start doing 802.1X with the obvious devices like PCs and phones and then do MAB for everything else. You can then use the ISE reports to identify the next big group/category of devices to tackle with policies and potentially dACLs. For example, let's say the next big category of devices is Cisco Wireless APs. You can continue to do MAB until you configure the WLC/APs to do 802.1X with EAP-FAST. Once you see them all authenticating successfully, then remove the MAB rule for APs. Maybe printers are next. Work your way down the list by tackling the groups based on total numbers.

And even though some devices like printers may support 802.1X, there may not be a centralized way of managing the printers' configurations, so maybe 802.1X doesn't make sense in that case. You wouldn't want to have to visit hundreds of printers to manually configure each one. It is a balance between security and operations.
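The Monitor Mode plus FlexAuth port that Colby and Mike describe, written out as an added Catalyst IOS example (this is not configuration from the thread or from Cisco documentation; the RADIUS server name and address, the shared-secret placeholder, and the VLAN and interface numbers are assumptions):

```cisco-ios
! Added example: access port in Monitor Mode with FlexAuth,
! 802.1X tried first and MAB as the fallback for devices with no supplicant.
! Server name/address, shared secret, VLANs and interface are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
! Device tracking lets the switch report the endpoint's IP address to ISE,
! which is what gives visibility of statically addressed devices.
! (Syntax differs on newer IOS-XE releases, which use device-tracking policies.)
ip device tracking
!
interface GigabitEthernet1/0/10
 description Monitor Mode - visibility only, no enforcement yet
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ! "authentication open": traffic is forwarded whatever the RADIUS result,
 ! but ISE still sees a session for every endpoint and can profile it.
 authentication open
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 ! Short EAPOL timers so a supplicant-less device falls through to MAB quickly
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Move a port from visibility to enforcement by removing `authentication open` from that interface once its endpoints show the expected result. `show authentication sessions interface GigabitEthernet1/0/10 details` shows, per endpoint, which method (dot1x or mab) succeeded and what ISE returned, which is the same pass/fail picture that the ISE live log gives you.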

jordanburnett
Level 4

I just recently finished a "deploy 802.1X on as many devices as possible" type of Wired 802.1X engagement. This particular customer did NOT have any kind of Wired 802.1X in place prior to the ISE implementation, so we were working backwards to discover which devices supported 802.1X as well as which particular EAP type they supported.

We ended up with a hodgepodge of different EAP types (EAP-FAST with TLS inside for Windows and Tesira devices, EAP-MD5 for some legacy IP cameras, PEAP for Cisco TelePresence devices, PEAP for printers). We found certain devices that allowed installing only ONE certificate for trusting EAP servers (in which case, if you use GoDaddy, you'll almost always require an intermediate certificate as well). We ended up with MAB whitelists or MAB with profiling for the outlier devices. Most of those outliers were behind locked doors, so not as huge of a vulnerability as if they were on public ports or had their MAC addresses visible.

If the customer doesn't have 802.1X in mind from the purchasing decision forward, it can be a nightmare. We had many AV endpoints that didn't have the proper time synced (due to not having a DNS server set), and thus they failed 802.1X during TLS tunnel establishment due to invalid certificate validity constraints.
