06-11-2021 01:34 AM
Folks,
We have one requirement coming up on our NAC with Cisco ISE.
We did test something like ensuring only applicable devices are able to connect to the network.
e.g. with a Polycom phone we have done a match with the vendor MAC OUI. However, what if someone tries to spoof a Polycom MAC address and gets access to the network?
How would I get the best recommendation for an issue like this?
Regards,N!!
06-11-2021 05:32 PM
You are using the weakest form of identity to identify your phone by MAC address.
0) Actually authenticate your IP phones with 802.1X using certificates or username:password. For most modern equipment, this is not a technology issue but a political issue: your telecom/phone people will probably never configure 802.1X because it is not a "priority" or whatever euphemistic language you want to justify not doing it.
So let's pretend your phones will never be authenticated with 802.1X...
1) Lock down your ISE Authorization Profile to minimize your attack surface. If it is a phone, specify the voice VLAN and the IP(s) and port(s) of your Call Manager or whatever the device needs to communicate with and nothing more. So if a spoofer spoofs, they are not given voice VLAN + permit ip any any.
2) Monitor post-admission behavior. ISE does not care about endpoint network behavior after authorization so you will need another security application to monitor NetFlow traffic analytics like Cisco Secure Network Analytics (formerly known as StealthWatch) to know what is typical for a phone and what is not. Anomalies may be reported to ISE for immediate quarantine or denial.
3) Rely on more than just the MAC. Use ISE Profiling to dynamically determine the device type using a combination of network attributes (CDP, LLDP, DHCP, etc.). The more attributes used, the harder it is to spoof. Not impossible, but harder.
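As an added example (not from this thread or from Cisco), here is a toy Python profiler built on the certainty-factor idea in point 3: each observed attribute adds certainty, the OUI alone cannot reach the threshold, and an attribute that contradicts the profile (a "Polycom" OUI next to a Windows DHCP vendor class) is treated as a conflict. The OUI table entry, weights, threshold, attribute names and authorization profile names are constructed assumptions, as are the sample endpoints.

```python
from dataclasses import dataclass, field

# Constructed OUI table (00:04:F2 is assumed here to be a Polycom prefix).
OUI_VENDOR = {"00:04:F2": "Polycom"}

# Constructed profile: each matched condition adds to the certainty factor
# (CF), loosely like an ISE profiling policy; OUI alone cannot reach MIN_CF.
POLYCOM_PROFILE = {
    "oui_vendor":   ("Polycom", 10),   # weakest signal: trivially spoofable
    "dhcp_class":   ("Polycom", 20),   # DHCP option 60 vendor class id
    "cdp_platform": ("Polycom", 30),
    "lldp_sysdesc": ("Polycom", 30),
}
MIN_CF = 50  # constructed threshold

@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)  # from DHCP/CDP/LLDP probes

def profile(ep, policy=POLYCOM_PROFILE, min_cf=MIN_CF):
    """Return (matched, cf, conflicts). A present attribute that contradicts
    the profile is a conflict: a laptop with a spoofed OUI still leaks its own
    DHCP vendor class or LLDP system description."""
    attrs = dict(ep.attrs)
    attrs["oui_vendor"] = OUI_VENDOR.get(ep.mac.upper()[:8], "unknown")
    cf, conflicts = 0, []
    for attr, (expected, weight) in policy.items():
        value = attrs.get(attr)
        if value is None:
            continue  # missing data adds no certainty, but is not a conflict
        if expected.lower() in value.lower():
            cf += weight
        else:
            conflicts.append(f"{attr}={value}")
    return (cf >= min_cf and not conflicts), cf, conflicts

def authorize(ep):
    # Constructed authorization profile names: the "restricted" one stands
    # for voice VLAN + a dACL permitting only Call Manager IPs/ports (point 1).
    matched, _cf, _conflicts = profile(ep)
    return "Polycom-Voice-Restricted" if matched else "Deny-Access"

# Constructed sample endpoints sharing the same (Polycom-looking) MAC.
REAL_PHONE = Endpoint("00:04:f2:aa:bb:cc", {
    "dhcp_class": "Polycom-VVX500", "cdp_platform": "Polycom VVX 500",
    "lldp_sysdesc": "Polycom VVX 500 SIP"})
SPOOFER = Endpoint("00:04:f2:aa:bb:cc", {"dhcp_class": "MSFT 5.0"})
OUI_ONLY = Endpoint("00:04:f2:11:22:33")
```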
06-11-2021 02:00 AM - edited 06-11-2021 02:01 AM
However, what if someone tries to spoof a Polycom MAC address and gets access to the network?
This is always a security risk with any product, not only with Cisco ISE, so you need to explore other options if any other activity is detected in the network with this MAC address (in your network, if you have any IPS/Stealthwatch, it can detect this and block it). As you mentioned, this is only a phone (the maximum gain of access is the Voice VLAN).
Check the threads below for good discussions:
https://community.cisco.com/t5/network-access-control/ise-how-to-prevent-mac-spoofing/td-p/2239157
https://densemode.com/2020/02/10/case-study-combating-mac-address-spoofing-in-access-networks/
07-06-2023 12:41 PM
So, question, what if you want to use 802.1x for authentication?
We have folks who are taking new phones out of boxes and putting them on the network every so often due to 90-day password expirations, MIC expirations, etc. We have some phones which go out for deployment and fail, and they go into ISE to fix them. There has to be a better way. I just don't know it.
Thanks.
Mike