Detecting endpoint-hosted virtual machines?


This is my first time posting to the community at large... please be gentle.

I've been working with ISE 2.3 for about two weeks, so my apologies in advance if this is a dumb question. We're performing a bake-off with multiple NAC solutions, and one of the evaluation criteria is the ability to detect and enforce network access restrictions on guest virtual machines hosted on otherwise approved endpoints. For example, assume a known Windows endpoint connects to the network and is subsequently authenticated and permitted access to the network. That same endpoint then starts a Kali Linux virtual machine and starts pen-testing the internal network. I realize there's an entire ecosystem of solutions meant to detect this "east-west" activity, but my question is: can a standalone implementation of Cisco ISE (no Stealthwatch, no pxGrid, etc.) detect the presence of a hosted virtual machine based on information reported by the access device (NetFlow, CDP, LLDP, etc.)? Our access devices for the tests are a 4500x (03.08.01 universal k9) and a 3750x (15.0.2-SE11 universal k9).

I've been reading day and night and I can't seem to find a straightforward answer on this subject. Granted, I'm just getting started with 802.1X and NAC concepts in general.




Cisco Employee

Hi there,

Unless I completely misunderstood your question, please note the following:

Kali Linux supports 802.1X auth.

Cisco switches support multi-auth.

This feature supports multiple hosts on the same network port.



Sent from my iPhone

Thanks Ahmed,

The multi-auth option seems to work well for daisy-chained scenarios (switch -> IP phone -> PC) and bridged VMs. I think the concern here is the use of unauthorized virtual machines NAT'd behind an authenticated endpoint, using VMware Workstation or VirtualBox for example. In that situation, I'm not sure how the NAC could distinguish the physical host from the guest VM, barring some form of packet analysis.
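To make the bridged-versus-NAT'd distinction from the post above concrete, here is an added illustration (not Cisco ISE code, and not from anyone in this thread) of what the switch itself can see. It assumes the classic IOS `show mac address-table` column layout (Vlan, Mac Address, Type, Ports); the sample table, port names and MACs are constructed. A port carrying several dynamic MACs is what multi-auth treats as several hosts, which catches a daisy-chained PC or a bridged VM; a NAT'd VM reuses the host NIC's MAC and so never appears as a separate entry, which is exactly the gap the thread identifies.

```python
"""Per-port MAC inventory from a switch MAC address table (added example).

Assumption: input is in the classic IOS 'show mac address-table' layout.
What it shows:
  * ports with more than one dynamic MAC (multi-auth would see several hosts)
  * MACs whose OUI belongs to a hypervisor-generated virtual NIC
What it cannot show: a NAT'd VM, which shares the host's MAC address.
"""
from collections import defaultdict
import re

# Constructed sample output; not captured from a real switch.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/1
  10    0800.2711.aabb    DYNAMIC     Gi1/0/1
  10    0011.2233.9999    DYNAMIC     Gi1/0/2
  20    00e0.4c12.3456    DYNAMIC     Gi1/0/3
Total Mac Addresses for this criterion: 5
"""

# One data row: vlan, dotted-hex MAC, learning type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

# First three octets in dotted notation ('0050.56' == 00:50:56). These OUIs
# are the well-known VMware (00:50:56, 00:0c:29) and VirtualBox (08:00:27)
# virtual NIC prefixes; they only appear on the wire for bridged VMs.
VIRTUAL_OUIS = {"0050.56", "000c.29", "0800.27"}


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples, skipping headers/footers."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            rows.append((int(vlan), mac.lower(), typ.upper(), port))
    return rows


def macs_per_port(rows):
    """Map each port to the set of dynamically learned MACs behind it."""
    by_port = defaultdict(set)
    for _vlan, mac, typ, port in rows:
        if typ == "DYNAMIC":
            by_port[port].add(mac)
    return dict(by_port)


def multi_host_ports(by_port):
    """Ports with more than one dynamic MAC: what multi-auth sees as several hosts."""
    return {p: sorted(m) for p, m in by_port.items() if len(m) > 1}


def oui(mac):
    """First three octets of a dotted-hex MAC, e.g. '0800.27' for 0800.2711.aabb."""
    return mac[:7]


def virtual_nic_macs(rows):
    """MACs whose OUI marks a hypervisor virtual NIC (bridged VMs only)."""
    return sorted({mac for _, mac, _, _ in rows if oui(mac) in VIRTUAL_OUIS})


def report(text):
    """Summarise what the access layer can tell about extra hosts on each port."""
    rows = parse_mac_table(text)
    by_port = macs_per_port(rows)
    return {
        "multi_host_ports": multi_host_ports(by_port),
        "virtual_nic_macs": virtual_nic_macs(rows),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_MAC_TABLE).items():
        print(f"{key}: {value}")
```

In the constructed table, Gi1/0/1 carries three MACs (a PC, a second device and a VirtualBox-prefixed bridged VM), so it is flagged; Gi1/0/2 shows a single MAC and looks like one host even if that host is running a NAT'd guest. The OUI check is a weak signal on its own (virtual MACs can be overridden), so it is a prompt for review rather than an enforcement decision.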



You would need to install the AnyConnect posture module (system scan) on the endpoints to block them from doing this; this would be out of compliance.

Thanks Jason, that appears to be the general consensus in most of my other research. Without some endpoint assessment / enforcement agent, there doesn't appear to be a method for detecting NAT'd virtual systems.
