3356 Views | 0 Helpful | 3 Replies

Devices Blacklisting/Whitelisting with the Cisco ISE

Folks,

We have one requirement coming up on our NAC with Cisco ISE.

We did test something like ensuring only applicable devices are able to connect to the network.

e.g. with a Polycom phone we have done a match with the vendor MAC OUI. However, what if someone tries to spoof a Polycom MAC address and gets access to the network?

How would I get the best recommendation for an issue like this?

Regards,
N!!

Accepted Solution

thomas
Cisco Employee

You are using the weakest form of identity to identify your phone by MAC address.

0) Actually authenticate your IP phones with 802.1X using certificates or username:password.  For most modern equipment, this is not a technology issue but a political issue: your telecom/phone people will probably never configure 802.1X because it is not a "priority" or whatever euphemistic language you want to justify not doing it. 

So let's pretend your phones will never be authenticated with 802.1X...

1) Lock down your ISE Authorization Profile to minimize your attack surface. If it is a phone, specify the voice VLAN and the IP(s) and port(s) of your Call Manager or whatever the device needs to communicate with and nothing more. So if a spoofer spoofs, they are not given voice VLAN + permit ip any any.

2) Monitor post-admission behavior.  ISE does not care about endpoint network behavior after authorization so you will need another security application to monitor NetFlow traffic analytics like Cisco Secure Network Analytics (formerly known as StealthWatch) to know what is typical for a phone and what is not. Anomalies may be reported to ISE for immediate quarantine or denial.

3) Rely on more than just the MAC. Use ISE Profiling to dynamically determine the device type using a combination of network attributes (CDP, LLDP, DHCP, etc.). The more attributes used, the harder it is to spoof. Not impossible, but harder.
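The following is an added example, not code from the thread or from Cisco ISE, showing the idea behind points 1 and 3 above in runnable form: each observed attribute (MAC OUI, DHCP class identifier, CDP platform, LLDP system description) adds a weight when it matches the expected phone profile, and only a device that clears a minimum score is given the voice VLAN with a narrow dACL. ISE profiling works with certainty factors in a similar spirit, but the OUI list, attribute strings, weights, threshold, VLAN names and ACL lines here are all constructed placeholders, and `certainty`/`authorize` are hypothetical helpers. A laptop that only copied a Polycom MAC matches on the OUI alone and is flagged rather than admitted.

```python
"""Toy multi-attribute endpoint profiling (constructed example, not ISE code).

Demonstrates why matching on more than the MAC OUI makes spoofing harder:
a device that only reproduces the OUI scores far below the threshold needed
to be classified as a phone, so it never receives the voice profile.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed profile for a Polycom phone. The OUIs and strings are
# illustrative only; a real ISE profiler policy carries Cisco's own conditions.
POLYCOM_PROFILE = {
    "oui_prefixes": {"00:04:f2", "64:16:7f"},   # constructed OUI list
    "dhcp_class_id": "Polycom",                 # substring expected in DHCP option 60
    "cdp_platform": "Polycom",                  # substring expected in CDP platform TLV
    "lldp_sys_desc": "Polycom",                 # substring expected in LLDP system description
}

# Certainty each matching attribute contributes (constructed weights).
WEIGHTS = {"oui": 10, "dhcp_class_id": 20, "cdp_platform": 30, "lldp_sys_desc": 30}
MIN_CERTAINTY = 50  # constructed threshold to be classified as a Polycom phone


@dataclass
class Endpoint:
    """Attributes a NAC would learn from the switch and DHCP snooping."""
    mac: str
    dhcp_class_id: str = ""
    cdp_platform: str = ""
    lldp_sys_desc: str = ""


def certainty(ep: Endpoint, profile: dict = POLYCOM_PROFILE) -> tuple[int, list[str]]:
    """Return (score, names of attributes that matched) for one endpoint."""
    score, matched = 0, []
    oui = ep.mac.lower()[:8]                     # first three octets
    if oui in profile["oui_prefixes"]:
        score += WEIGHTS["oui"]
        matched.append("oui")
    for attr in ("dhcp_class_id", "cdp_platform", "lldp_sys_desc"):
        observed = getattr(ep, attr)
        if observed and profile[attr].lower() in observed.lower():
            score += WEIGHTS[attr]
            matched.append(attr)
    return score, matched


def authorize(ep: Endpoint) -> dict:
    """Map the profiling result to an authorization decision.

    A confirmed phone gets only the voice VLAN plus a dACL limited to the call
    manager (point 1 above). A device that merely looks like a phone by MAC is
    quarantined and flagged. VLAN names, the CALL-MANAGER-IP placeholder and
    the port numbers are constructed, not taken from any real deployment.
    """
    score, matched = certainty(ep)
    if score >= MIN_CERTAINTY:
        return {
            "profile": "Polycom-Phone", "score": score, "vlan": "voice",
            "dacl": [
                "permit udp any host CALL-MANAGER-IP eq 5060",          # SIP signalling
                "permit udp any host CALL-MANAGER-IP range 16384 32767", # RTP media
                "deny ip any any",
            ],
            "flag": None,
        }
    flag = "oui-only-match" if matched == ["oui"] else "unknown-device"
    return {"profile": "Unknown", "score": score, "vlan": "quarantine",
            "dacl": ["deny ip any any"], "flag": flag}


if __name__ == "__main__":
    # Constructed endpoints: a genuine phone and a laptop that copied its OUI.
    phone = Endpoint("00:04:f2:aa:bb:cc", "Polycom-SPIP_331",
                     "Polycom SoundPoint", "Polycom SoundPoint IP 331")
    spoofer = Endpoint("00:04:f2:de:ad:be", dhcp_class_id="MSFT 5.0")
    for ep in (phone, spoofer):
        print(ep.mac, "->", authorize(ep))
```

The useful property to notice is the gap between the two scores: copying the MAC buys 10 points, while the DHCP, CDP and LLDP evidence that a real phone emits contributes the remaining 80, so an attacker would have to forge all of those protocols consistently to cross the threshold.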


3 Replies

balaji.bandi
Hall of Fame

However, what if someone tries to spoof a Polycom MAC address and gets access to the network?

This is always a security risk with any product, not only with Cisco ISE. So you need to explore other options: is any other activity detected in the network with this MAC address? (In your network, if you have any IPS/Stealthwatch, it can detect this and block.) As you mentioned, this is only a phone (the maximum gain of access is the Voice VLAN).

Check the threads below for good discussions:
https://community.cisco.com/t5/network-access-control/ise-profiling-and-mac-address-spoofing-mitigation/td-p/3805432

https://community.cisco.com/t5/network-access-control/ise-how-to-prevent-mac-spoofing/td-p/2239157

https://densemode.com/2020/02/10/case-study-combating-mac-address-spoofing-in-access-networks/

BB



So, question, what if you want to use 802.1x for authentication?

We have folks who are taking new phones out of boxes, putting them on the network every so often due to 90-day password expirations, MIC expirations, etc. We have some phones which go out for deployment and fail, and they go into ISE to fix them. There has to be a better way. I just don't know it.

Thanks.

Mike