Ethernet ghosting Cisco ISE bypass

oumodom
Level 1

Dear Cisco ISE lover,

Currently, I have a testing lab for the Ethernet ghosting scenario.
That is our biggest concern: an attacker can leverage an existing user's session to gather sensitive information and for command and control.

The other related concern: if an attacker can spoof the MAC address of a legitimate user, since this attack takes advantage of the existing session, then they can connect to the network without a posture scan (the attacker machine has no Cisco Secure Client agent at all).

Note: We use EAP-TLS and EAP-FAST with a posture compliance check.
Please share the fix with me.
Thank you,

6 Replies

Hello

ISE / the switch authenticates on a per-port basis, so if port 1 has a user authenticated, only that MAC address is allowed on port 1, and if another user spoofs the MAC address on port 2, they won't be allowed, as only port1/mac1 is authorized. There are also features like anomalous behavior detection to detect if the same MAC address shows different attributes, and to block access.

Also, if the user is using a different port, then they have to go through a full EAP/posture authentication even if they do MAC spoofing.

https://community.cisco.com/t5/security-blogs/cisco-ise-and-anomalous-behavior-detection-how-it-works/ba-p/4700300

**Please rate as helpful if this was useful**

I think you haven't caught my concern.
Please refer to this link: https://www.immunit.ch/blog/2022/10/26/ethernet-ghosting-nac-bypass/

You are right, most NAC solutions will allow this. But this means that it needs a full physical compromise. If it is a user port, they will need access to the wall port. One thing that might help a bit is periodic authentication and also periodic posture evaluation, just to verify the trusted machine is still there and active.
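The two defensive ideas raised in the replies above (per-port MAC binding plus anomalous behaviour detection when the same MAC shows different attributes, and periodic re-authentication to confirm the trusted machine is still present) can be expressed as simple session-consistency checks. The script below is an added example written for this thread, not Cisco's or ISE's code; the session records, the field names and the one-hour re-authentication window are constructed assumptions, chosen to resemble what a NAC server's active-session table exports.

```python
"""Session-consistency checks modelled on the defensive ideas in this thread:
per-port MAC binding, anomalous-behaviour detection (same MAC, different
attributes) and periodic re-authentication. Every record below is
constructed for illustration; none of it is real ISE data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Session:
    mac: str
    switch: str
    port: str
    start: datetime
    last_reauth: datetime
    active: bool
    profile: str        # endpoint profile the NAC server assigned (assumed field)
    dhcp_class: str     # DHCP class identifier seen for the endpoint (assumed field)


@dataclass
class Finding:
    mac: str
    rule: str
    detail: str


def check_port_binding(sessions):
    """Flag a MAC that is concurrently active on more than one switch/port pair."""
    findings = []
    by_mac = {}
    for s in sessions:
        if s.active:
            by_mac.setdefault(s.mac, set()).add((s.switch, s.port))
    for mac, ports in by_mac.items():
        if len(ports) > 1:
            findings.append(Finding(mac, "multi-port", f"active on {sorted(ports)}"))
    return findings


def check_attribute_drift(sessions):
    """Flag a MAC whose profile or DHCP class changes from one session to the next."""
    findings = []
    seen = {}
    for s in sorted(sessions, key=lambda x: x.start):
        fingerprint = (s.profile, s.dhcp_class)
        if s.mac in seen and seen[s.mac] != fingerprint:
            findings.append(Finding(s.mac, "attribute-drift",
                                    f"{seen[s.mac]} -> {fingerprint}"))
        seen[s.mac] = fingerprint
    return findings


def check_reauth_age(sessions, now, max_age):
    """Flag active sessions that have not re-authenticated within max_age."""
    return [Finding(s.mac, "stale-reauth", f"last reauth {s.last_reauth.isoformat()}")
            for s in sessions if s.active and now - s.last_reauth > max_age]


def run_all(sessions, now, max_age=timedelta(hours=1)):
    """Run the three checks and return every finding."""
    return (check_port_binding(sessions)
            + check_attribute_drift(sessions)
            + check_reauth_age(sessions, now, max_age))


# Constructed sample: a printer's MAC later turns up on another switch port
# presenting a Windows DHCP class, and the original printer session has gone
# a day without re-authenticating.
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE = [
    Session("00:11:22:33:44:55", "sw1", "Gi1/0/1", NOW - timedelta(hours=3),
            NOW - timedelta(minutes=20), True, "Corp-Laptop", "MSFT 5.0"),
    Session("aa:bb:cc:dd:ee:ff", "sw1", "Gi1/0/7", NOW - timedelta(days=1),
            NOW - timedelta(days=1), True, "Printer", "HP-Printer"),
    Session("aa:bb:cc:dd:ee:ff", "sw2", "Gi1/0/3", NOW - timedelta(minutes=5),
            NOW - timedelta(minutes=5), True, "Workstation", "MSFT 5.0"),
]

if __name__ == "__main__":
    for f in run_all(SAMPLE, NOW):
        print(f"{f.mac} {f.rule}: {f.detail}")
```

Run against the constructed sample, all three rules fire on the same MAC: it is active on two ports at once, its profile and DHCP class changed between sessions, and its older session is past the re-authentication window. In practice the input would come from the NAC server's session export or RADIUS accounting records, and the re-authentication window would match the switch's configured reauthentication timer.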

 

Thanks for your information, @ccieexpert.
What if we have an insider threat who brings a hub into the corporate network? That is the biggest concern.
How can we prevent or detect this kind of attack?

oumodom
Level 1

@ccieexpert Do you have an alternative solution to detect or resolve this bypass?

MACsec should solve the problem so the switch and endpoint have an encrypted session. https://cs.co/ise-berg#macsec

This is a hardware capability of the network device and the endpoint (or software with Cisco AnyConnect, now Secure Client) and has nothing to do with ISE, since it is simply the AAA server.