Cisco ISE with 802.1X EAP-TLS, MAC Spoofing Problem

newmanf
Level 1

Hello, 

I have a question regarding the MAC address spoofing vulnerability of already authenticated clients.

Let's say in my deployment I have Cisco ISE and Cisco Cat2960X switches, clients are authenticated by 802.1X EAP-TLS, and periodic re-authentication is set to 1 hour. A client is connected and authenticated successfully; after authentication someone spoofs its MAC address, disconnects the legitimate client and connects a PC with the spoofed MAC, which is the MAC of the already authenticated PC. (The port doesn't go down, because the PC was connected through an IP phone, or there was a hub...) Does the attacker PC have access to the network? Do Cisco ISE or Cat2960X switches have protection against this kind of attack?

Or does 802.1X itself have protection from this kind of attack?

Thanks in advance,

Accepted Solution

Mike.Cifelli
VIP Alumni
Are your interfaces configured to support flexauth? If you only have 8021x enabled on your interfaces with no mab then there should not be an issue unless the attacker PC has a certificate to use for 8021x that ISE trusts and vice versa. What I mean by that is ISE would have to have the attacker chain in its trust store and the attacker PC would have to have the ISE chain in its trust store. There are several ways ISE can aid in deterring this type of attack. To name a few:
You can enable anomalous endpoint detection. Basically once ISE detects a change based on certain attributes it can force a CoA to shut the port down or quarantine the host. See https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html
You can rely on your ISE policies that you build out. What I mean by this is you can utilize conditions such as AD security groups, which would mean the host would have to be a member of AD. Or you could even simply rely on endpoint groups within ISE. However, with that you would need to enable mab.
You could rely on profiling and using certain attributes such as AD-Host-Exists equals true, or if the hostname obtained contains a certain string. See https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

And to answer this: "Client is connected and authenticated successfully; after authentication someone spoofs its MAC address, disconnects the legitimate client and connects a PC with the spoofed MAC, which is the MAC of the already authenticated PC."
Unplugging and re-connecting bounces the port, therefore forcing a new authentication session.

HTH!


4 Replies

RobKoerts
Level 1

What about this scenario?

The hacker removes the legitimate supplicant from the switch-interface, identifies its MAC-address, adds a simple switch or HUB to the switch-interface and reconnects the legitimate supplicant. Due to the disconnect, the 802.1X authentication and authorization starts and the valid supplicant is authenticated once more. The hacker then spoofs the MAC-address on a malicious device, adds this device to the simple switch/HUB and removes the legitimate supplicant.

This way, the switch-interface will not detect an interface change (down/up) and will not register a new MAC-address. This probably means that it will not attempt to re-authenticate. Does this mean the malicious device now has access to the network?

Periodic re-authentication on the switch-interface can counter this behavior of course, and proper monitoring should recognize the behavior as malicious. But will this work?
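The switch-side settings that both the accepted solution (802.1X only, no MAB fallback) and the hub scenario above (periodic re-authentication as the bound on how long a reused session lives) rely on, written out as an added Cisco IOS configuration example for a Catalyst 2960-X in the legacy authentication-manager CLI. This is not configuration from the thread or from Cisco; the interface number, VLAN IDs, the ISE address 198.51.100.10 and the shared secret are placeholders.

```text
! Added example, not from the thread. Catalyst 2960-X (IOS 15.x) access port
! with an IP phone in front of the PC, 802.1X only, hourly re-authentication.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Accept Change of Authorization from ISE; without this, anomalous endpoint
! detection cannot quarantine the host or bounce the port.
! 198.51.100.10 and the key are placeholders.
aaa server radius dynamic-author
 client 198.51.100.10 server-key ISE-SHARED-SECRET-PLACEHOLDER
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 ! One data MAC plus one voice MAC per port. A different data MAC behind
 ! the phone is a violation; a *spoofed* (identical) MAC is not, which is
 ! exactly the gap the thread is about.
 authentication host-mode multi-domain
 authentication violation restrict
 ! dot1x only: mab is deliberately absent from the method list, so a device
 ! that cannot complete EAP-TLS never gets a MAC-based fallback session.
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 ! Re-authenticate every 3600 s. At that point the device behind the phone
 ! must present the client certificate again; a spoofed MAC without it
 ! fails and the session is cleared.
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
 spanning-tree portfast
```

Two things to keep in mind when reading this: the switch keys the authenticated session on the MAC address, so a device reusing an already-authorized MAC on a port that never went down is indistinguishable to the switch until the next re-authentication or an ISE-initiated CoA; the re-authentication interval is therefore the upper bound of the exposure window, and `authentication timer reauthenticate server` can be used instead of a fixed value so ISE controls that interval per session via Session-Timeout. Adding `mab` to the order list is what the accepted solution warns about: it gives a device that cannot do EAP-TLS a second, MAC-based path, so if MAB is needed for printers or phones it should be paired with the ISE-side policy and profiling conditions mentioned in that reply rather than a plain endpoint-group match.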

Resurrecting a 2-year-old+ thread that has an accepted solution limits the number of people that will take a look at it. The best thing to do is to start a new thread.

RobKoerts
Level 1

Thanks! Will do!