Cisco ISE - MAB Cloning Attack

LKL4
Level 1

Hello team,

I'm using Cisco ISE 2.7 and I want to know something about guest auth. So, guest auth uses MAB to authenticate on the network... Let's suppose that I discover the MAC of a guest user that is connected. If I clone this MAC and try to connect to the guest network, what will the behavior be? Has anyone had this experience?

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee

If the Remember Me option is used for Guest, any subsequent connections using the registered MAC address (like a spoofed one) would be permitted access until the endpoint MAC address is purged. Endpoints that use random MAC addresses can complicate these flows.

I tested this scenario and, as I suspected, the original endpoint connected to my guest WLAN lost connectivity when my 'attacker' endpoint connected with the same spoofed MAC address (without being redirected to the Guest portal).

I'm not sure, however, what value (other than kicking the original endpoint off) a threat actor would gain from spoofing the MAC and getting access to the guest network. The guest network should be treated as untrusted and segmented from any trusted networks/resources. Any users/endpoints requiring access to corporate resources from the guest network should require a secure connection method (e.g. VPN, VDI, etc.) that implements other security controls like MFA, device health, etc.

Most customers I have worked with use the guest network for internet-only connectivity and anchored the WLAN to the DMZ (for Wireless) or used VRF/VXLAN mechanisms (for Wired).

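Greg's test reproduces the collision Arne describes: one MAC ends up with a second session ID and the original endpoint drops. As an added example (not code from this thread or from ISE), this flags that condition from accounting-style records. It assumes a constructed, simplified log layout; real ISE syslog/RADIUS accounting fields differ, so the parser would need adjusting.

```python
"""Flag a MAC that starts a second MAB session while its first is still active."""
from datetime import datetime

# Constructed sample records (simplified, not real ISE output):
# timestamp, accounting status, session id, MAC, NAS/AP name.
# EE:01 starts on ap-lobby-1, then a second session appears on ap-carpark-2
# before the first session is stopped: the clone/original collision.
SAMPLE_LOG = """\
2024-03-01T09:00:00 Start sid=0A0B0C01 mac=AA:BB:CC:DD:EE:01 nas=ap-lobby-1
2024-03-01T09:05:00 Start sid=0A0B0C02 mac=AA:BB:CC:DD:EE:02 nas=ap-lobby-1
2024-03-01T09:07:30 Start sid=0A0B0C03 mac=AA:BB:CC:DD:EE:01 nas=ap-carpark-2
2024-03-01T09:07:31 Stop sid=0A0B0C01 mac=AA:BB:CC:DD:EE:01 nas=ap-lobby-1
2024-03-01T10:00:00 Stop sid=0A0B0C02 mac=AA:BB:CC:DD:EE:02 nas=ap-lobby-1
2024-03-01T10:30:00 Start sid=0A0B0C04 mac=AA:BB:CC:DD:EE:02 nas=ap-lobby-1
"""

def parse_line(line):
    """Parse one constructed record into a dict (assumed format)."""
    ts, status, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "status": status,
            "sid": fields["sid"], "mac": fields["mac"].upper(), "nas": fields["nas"]}

def detect_mac_moves(log_text):
    """Return one alert per Start whose MAC already has an unstopped session
    under a different session id (two session IDs alive for one MAC)."""
    active = {}   # mac -> most recent active Start record
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        mac = rec["mac"]
        if rec["status"] == "Start":
            prev = active.get(mac)
            if prev is not None and prev["sid"] != rec["sid"]:
                alerts.append({"mac": mac, "old_sid": prev["sid"], "new_sid": rec["sid"],
                               "old_nas": prev["nas"], "new_nas": rec["nas"],
                               "seconds_since_prev_start":
                                   (rec["ts"] - prev["ts"]).total_seconds()})
            active[mac] = rec
        elif rec["status"] == "Stop":
            # Only a Stop for the currently tracked session clears the MAC;
            # a late Stop for the superseded session (the kicked-off original) is ignored.
            if mac in active and active[mac]["sid"] == rec["sid"]:
                del active[mac]
    return alerts

if __name__ == "__main__":
    for a in detect_mac_moves(SAMPLE_LOG):
        print(f"MAC move: {a['mac']} {a['old_sid']}@{a['old_nas']} -> "
              f"{a['new_sid']}@{a['new_nas']} after {a['seconds_since_prev_start']:.0f}s")
```

A normal reconnect (EE:02, Stop then Start) produces no alert, so the rule isolates the concurrent-session case rather than every roam.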

4 Replies

Arne Bier
VIP

Hello @LKL4

What a great question. I haven't tried that myself. In theory it sounds like ISE would handle the cloned device as if it were the real thing, but I have a feeling it will fail, since the session ID of the clone will be different and unique. This causes ISE to have two session IDs for the same MAC address. It's weird and I suspect ISE would throw an error.

Have you tested this ?

Hello @Arne Bier,

I didn't test it because at the moment I don't have a lab environment. Let's see if anyone in the community knows or has experienced this.

Hi @LKL4,

Please take a look at the following post: MAC Move Question.

Hope this helps!!!
