Cisco ISE Guest WiFi MAC Spoofing

Hi,

We have our Guest WiFi as an open SSID that allows users to connect, but they are then directed to the ISE Guest Portal and can't access anything on the network until they sign in with their AD credentials or create Guest credentials.

This is a Guest network with access to the Internet only, for external devices and staff personal devices. We wanted to avoid putting a password on the SSID for user-friendliness' sake.

It was raised in a pen test that because the SSID is open, someone could connect to the network and snoop traffic, spoof the MAC of a machine that has already been authenticated through the ISE Guest Portal, and then they would be able to access the network.

I've read this post from 2018 basically and was wondering if anything had been developed in ISE to combat this or any suggestions on how to secure it without putting a password on the SSID - https://community.cisco.com/t5/network-access-control/ise-cwa-mac-spoof/td-p/3675338

Thanks,

Andy

Accepted Solution

Damien Miller
VIP Alumni

ISE alone is not a good tool to prevent MAC spoofing. But the larger problem here is the traffic snooping on an open SSID. Even if you prevented spoofing of MACs, it doesn't prevent open SSID snooping, simply because that's a fundamental issue with unencrypted SSIDs. You don't even have to associate/connect to an open SSID to sniff and capture the unencrypted traffic from it; that traffic is traveling in open air.

In order to prevent snooping you need an encrypted SSID, not open. This has become less of an issue as more of the client traffic is TLS encrypted, but you will always be able to sniff the open SSID and capture traffic (just some of that will be encrypted by the client<>server, like HTTPS, SSH etc.).
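To make the point above concrete, here is an added example that is not part of the original thread and not Cisco or ISE code. It parses a few 802.11 data frames constructed inline (not captured from any real network; radiotap, IP and TCP layers are omitted to keep them short) the way a passive monitor-mode sniffer would, and shows what an observer who never associates with the SSID learns. The Protected Frame bit in the Frame Control field and the three-address layout are standard 802.11; the CCMP header in the "encrypted SSID" sample is assumed WPA2-style. On the open SSID both the client MAC (which a spoofer would clone to inherit the portal authorization) and the plaintext payload are readable; on the encrypted SSID the MAC is still visible in the header, but the body is opaque and cloning the MAC alone yields no session keys.

```python
"""Added example: what a passive observer of an open vs. encrypted SSID sees.

All frames below are constructed for illustration, not captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40          # bit 6 of the Frame Control flags byte
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Observation:
    station: str               # client MAC: the value a spoofer would clone
    bssid: str
    protected: bool            # True on WPA2/WPA3, False on an open SSID
    ethertype: Optional[int]
    payload: bytes             # upper-layer bytes, only when unprotected


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_data_frame(frame: bytes) -> Optional[Observation]:
    """Parse a 3-address 802.11 data frame; returns None for anything else."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:          # type 2 = data frame
        return None
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    addr1, addr2 = frame[4:10], frame[10:16]
    if to_ds and not from_ds:          # client -> AP
        bssid, station = addr1, addr2
    elif from_ds and not to_ds:        # AP -> client
        bssid, station = addr2, addr1
    else:
        return None                    # WDS/IBSS: not an infrastructure client
    protected = bool(fc1 & FLAG_PROTECTED)
    body = frame[24:]
    if protected:
        # CCMP header + ciphertext: addresses readable, body is not
        return Observation(fmt_mac(station), fmt_mac(bssid), True, None, b"")
    if body[:6] != LLC_SNAP:
        return Observation(fmt_mac(station), fmt_mac(bssid), False, None, body)
    (ethertype,) = struct.unpack("!H", body[6:8])
    return Observation(fmt_mac(station), fmt_mac(bssid), False, ethertype, body[8:])


def harvest(frames: List[bytes]) -> Dict[str, dict]:
    """Per client MAC, summarise what was learned without ever associating."""
    seen: Dict[str, dict] = {}
    for frame in frames:
        obs = parse_data_frame(frame)
        if obs is None:
            continue
        entry = seen.setdefault(
            obs.station, {"bssid": obs.bssid, "plaintext_bytes": 0, "protected_frames": 0})
        if obs.protected:
            entry["protected_frames"] += 1
        else:
            entry["plaintext_bytes"] += len(obs.payload)
    return seen


def build_frame(station: bytes, bssid: bytes, dest: bytes,
                protected: bool, body: bytes, seq: int = 0) -> bytes:
    """Construct a client->AP (ToDS=1) data frame for the sample below."""
    fc1 = FLAG_TO_DS | (FLAG_PROTECTED if protected else 0)
    header = (struct.pack("<BBH", 0x08, fc1, 0) + bssid + station + dest
              + struct.pack("<H", seq << 4))
    return header + body


# Constructed sample: one client on the open guest SSID, one on an encrypted SSID.
GUEST_BSSID = bytes.fromhex("001122334455")
GATEWAY = bytes.fromhex("00aabbccddee")
OPEN_CLIENT = bytes.fromhex("aabbcc000001")
SECURE_CLIENT = bytes.fromhex("aabbcc000002")
OPEN_HTTP = b"GET /portal/ HTTP/1.1\r\nHost: guest.example\r\n"   # IP/TCP omitted
SAMPLE_FRAMES = [
    build_frame(OPEN_CLIENT, GUEST_BSSID, GATEWAY, False,
                LLC_SNAP + struct.pack("!H", ETHERTYPE_IPV4) + OPEN_HTTP, seq=17),
    build_frame(SECURE_CLIENT, GUEST_BSSID, GATEWAY, True,
                bytes.fromhex("0100002000000000") + bytes.fromhex("9f3a7c0be4d12288"), seq=5),
    bytes.fromhex("80000000") + b"\xff" * 6 + GUEST_BSSID * 2 + b"\x00\x00",  # beacon, ignored
]

if __name__ == "__main__":
    for mac_addr, info in harvest(SAMPLE_FRAMES).items():
        print(mac_addr, info)
```

Feed real frames from a monitor-mode capture (tcpdump or tshark in monitor mode) through `parse_data_frame` and the `plaintext_bytes` column for the open SSID will be the number a pen tester reports; the same capture also hands them every authorized station MAC, which is all the spoofing step needs.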


thomas
Cisco Employee

As Damien said, you should consider using 802.1X with your WiFi networks. ISE allows you to provide your guests with usernames and passwords that they can use with 802.1X to authenticate to a secured Guest WLAN.

Thanks Damien,

So basically, if our Internal Security Team aren't happy with the possibility of MAC spoofing, however unlikely it is to happen, the only way to prevent this is to encrypt the SSID.

Thomas, the current process is: External User comes in the office > connects to Guest WiFi SSID without a password > is redirected to ISE Guest Portal > creates an account with their email address and password > access the network with that account.

Regards,

Andy