CDP/LLDP for Dot1x in NAD(Switch) running with vulnerable/MITM

oumodom
Level 1

Dear Cisco expert,

Currently, I have a testing lab and found that CDP/LLDP are insecure protocols that show raw information between the switch and the ISE server, since that information could benefit an attacker by revealing the OS, IP and version of the switch and endpoint.

Could someone advise on an alternative way of running CDP/LLDP in a secure manner, or an alternative secure protocol to replace CDP/LLDP?

Please note that we build the endpoint/IoT device profiles manually with OUI and MAC address, with a Closed Mode deployment in this lab.
Thank you,

Accepted Solution

Arne Bier
VIP

Disabling CDP/LLDP on access interfaces is one approach. But these protocols are also very useful for MAB profiling. Even if the mgmt IP address and IOS version are available to a wannabe attacker, it doesn't mean that they will find it any easier to get into that device if you secured it correctly with access lists on the VTY, using the strongest ciphers on the SSH server (or SSH keys, or certs, etc.). I'd be loath to disable CDP/LLDP on the access layer because of its rich source of profiling data on endpoints (APs, cameras, phones, etc.).

Just my 2c worth.

MACsec is an option, but I don't know many endpoints that support MACsec. It's hard enough doing NAC with 802.1X/MAB, let alone adding MACsec into the mix. But it sounds great in theory.


7 Replies

M02@rt37
VIP

Hello @oumodom 

Consider integrating a pxGrid server with your Cisco ISE; it could serve as a secure alternative to CDP/LLDP for device profiling and contextual information sharing in your network.

With pxGrid, ISE becomes the central point for gathering and distributing endpoint and device profiling data. It operates over secure mTLS connections.

Alternative: use MACsec to encrypt traffic between switches, ensuring that even if CDP/LLDP frames are intercepted, they cannot be exploited.

Best regards

Thank you @Arne Bier and @M02@rt37 for answering my inquiry.

Have you ever had experience with Dot1x in closed mode with MACsec?
Does MACsec work well with DACL and IoT devices like printers, cameras, etc.? How do I identify which IoT devices support MACsec?
Does MACsec require an add-on license, or is it a feature that is just enabled on the NAD device?

I think MACsec doesn’t require any special licence in ISE. But best to check the ISE Licensing Guide on the web.

As for experience with MACsec, I have never used it or seen it used. It makes sense to use it between switches. But in my opinion, it makes life a nightmare at the access layer. If you think 802.1X is hard to get supported on endpoints, then MACsec is even less supported. You will have support with PCs running AnyConnect, but apart from that I don’t know any clients that support it.

We should all be striving to get EAP and certificate authentication working on endpoints. If you have EAP-TLS or TEAP deployed on your endpoints then you’re doing pretty well as far as network authentication goes. Why complicate matters? You will have to deal with dumb IoT devices that have neither MACsec nor 802.1X.

FYI, in my lab there is Multi-Auth, and the information from the endpoint/IoT device is still in plain text (EAPoL) even when we enable MACsec.

So MACsec is not the solution of choice.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-13/configuration_guide/sec/b_1713_sec_9200_cg/macsec_encryption.html 

Arne Bier
VIP

You could also disable the transmission of CDP/LLDP on access interfaces. That should still allow the switch to receive those hellos from endpoints to assist in ISE profiling.
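An added configuration example (my own, not from any poster in this thread) of the per-port setting described in that reply, assuming a Catalyst access switch on IOS-XE; the interface name is a placeholder, so check the commands against your platform's configuration guide:

```cisco
! Added example, not from anyone in this thread. Assumes a Catalyst access
! switch on IOS-XE; GigabitEthernet1/0/1 is a placeholder interface.
!
! Before: LLDP in both directions (the default once "lldp run" is set).
! The port advertises the switch's System Name, System Description
! (including software version) and Management Address TLVs to the endpoint.
lldp run
interface GigabitEthernet1/0/1
 lldp transmit
 lldp receive
!
! After: stop advertising, keep listening. The endpoint's own LLDP TLVs
! still arrive on the port, so the switch can still pass them to ISE
! for profiling.
interface GigabitEthernet1/0/1
 no lldp transmit
 lldp receive
!
! CDP has only an on/off per-interface control on IOS-XE (no separate
! transmit/receive knobs, as far as I am aware), so on this port it is
! all or nothing:
interface GigabitEthernet1/0/1
 no cdp enable
!
! Check the result on the port:
!   show lldp interface GigabitEthernet1/0/1   (Tx should show disabled, Rx enabled)
!   show cdp interface GigabitEthernet1/0/1
```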

I think the NAD may send less information to ISE for identifying profiles if we disable LLDP.