Cisco ISE - NAC Bypass

acapit
Level 1

Hey,

Is there any way to protect from potential attackers that are using NAC bypass?

For example:
https://github.com/scipag/nac_bypass

If you have a solution, I will be more than happy to hear it.

6 Replies

Profiling?  Anonymous endpoint detection?  Or a third-party profiling utility such as Ordr?  

Don't think you understood me.

You can't do profiling; if you look at the link I sent, under the "Use" section, you will understand why.

Anonymous endpoint detection? You are talking about Anomalous Endpoint Detection? It won't capture that.
Ordr? Most likely won't capture that either.

Yes, sorry, misspelling. Why wouldn't Ordr catch that in SPAN? The OS would appear different post-"hack". I also fail to see why profiling wouldn't work here either. Unless you are only using a DHCP probe?

Nothing I do will matter, though. Imagine that the Raspberry Pi acts as a bridge, meaning you won't see the "rogue" or the suspicious endpoint; you will only see the authenticated endpoint. I will give you a better example: you will also see one MAC address coming from that port, and that MAC address will be the legitimate endpoint.
I just don't understand how profiling will work, though. Mind giving me an example? I don't see the rogue device; it's invisible to me and the switch.
If you want, I can link you posts of red teams that did the bypass, and they explain how they did it.

thomas
Cisco Employee

It's an L1/L2 man-in-the-middle (MITM). Unclear how it works when initially plugged in, although it probably just does not respond. MACsec is the best solution for this.

Arne Bier
VIP

@acapit - is this a theoretical concern, or why are you investigating this? It's no secret that MAB is an insecure form of authentication. Just because it falls under the umbrella of "NAC" doesn't mean that it makes network access secure. The clue is in the word "bypass". It bypasses the real security mechanism, which is 802.1X. And 802.1X is secure because it relies on the client playing its part in the security dance. It takes two to tango! If the client has a supplicant, then use it. EAP methods such as EAP-TLS and EAP-TTLS are probably the best form of barrier to entry on a network. And then you should disable MAB. How realistic is it to disable MAB in most networks? Not very, but that's the reality. If the client supports wireless, then rather go wireless, because you get security as part of the authentication method.

As for MACsec - I have not seen this used on end clients, but the client needs extra software to make this work (e.g. Cisco's AnyConnect). At that point, if it's a semi-smart device, you probably have 802.1X on the endpoint anyway; just use that instead.

MAB == insecure. It's a reality. It falls on the rest of the network to then try to "protect" those untrusted segments, using other detection tools like NetFlow, ACLs, firewalls, AVC, DPI, etc. Security in depth. And to be fair, even with 802.1X, the chances of someone spoofing a certificate on a rogue device are low (but not impossible), so all of those security mechanisms won't go amiss either.
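The two recommendations in the replies above (thomas: MACsec; Arne Bier: 802.1X without a MAB fallback) expressed as switch port configuration, as an added example that is not part of the thread and not taken from any Cisco document. It uses the legacy IOS authentication command syntax; the interface names, VLAN number and host-mode choices are placeholders. The first port is the common "802.1X with MAB fallback" shape that the transparent-bridge bypass described earlier in the thread walks through; the second removes MAB and requires a MACsec (MKA) session before the port is authorized.

```cisco
! Added example, not from the original thread. Interface names, VLAN and
! host modes are assumptions chosen for illustration.
!
! --- Weak: 802.1X with MAB fallback -------------------------------------
! A transparent bridge that clones the authenticated endpoint's MAC address
! is invisible here: the switch only ever sees one MAC on the port, so
! host-mode and violation settings never trigger, and if dot1x fails or
! times out the port simply falls back to MAB.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication host-mode multi-auth
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
!
! --- Hardened: 802.1X only, single host, MACsec required ----------------
! "must-secure" means a session that authenticates with 802.1X but does not
! complete MKA key agreement is not authorized. Frames injected by an inline
! device that does not hold the session's key are not valid MACsec frames,
! so they are dropped instead of being forwarded on the authenticated session.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x
 authentication host-mode single-host
 authentication violation shutdown
 authentication linksec policy must-secure
 dot1x pae authenticator
 macsec
 mka default-policy
 no mab
```

Two caveats a practitioner will want: the `authentication linksec policy` command is the switch-local default, and ISE can set the same must-secure / should-secure / must-not-secure choice per session from the authorization profile's MACsec Policy setting, so check both places when a port does not come up as expected. And must-secure is all-or-nothing per port: an endpoint whose supplicant cannot do MACsec gets no access at all on the second port, which is why it is normally rolled out to specific port groups rather than switch-wide.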