Is there any way to prevent new MAC to be added to internal endpoints

EHNET (Level 1)

We are trying to use MAB and the existing internal endpoints as a whitelist (I know it is not secure enough) to prevent new MACs from accessing the network. So I want anything that is not in the internal endpoints to be rejected at the authentication phase.

Is there any way to achieve this? I tried to remove a MAC from the internal endpoints, but ISE automatically added it back after it reconnected.

I also know that I can achieve the same goal by using authorization and putting trusted MACs into an ID group, then using this group as a condition. But the problem is how to auto-add new MACs into this ID group. Is there any way to set conditions, for example any new MAC learnt from a specific named NAD to be added into this group? This is a dynamic environment; manually adding MACs into the group is not feasible.

What I want is to use a trusted switch as an onboarding platform to learn new MACs and add these MACs to a trusted ID group, and keep them in that group. Later, these MACs would connect to other switches; as they are already included in that ID group, they can be authorized and access the network.

My interface config is as follows:

! SISF device-tracking policy so ISE learns the endpoint's IP for the session
device-tracking attach-policy ISE_Track
! pre-authentication ACL applied until ISE returns an authorization
ip access-group ACL-DEFAULT in
authentication control-direction in
! re-initialize sessions when a dead RADIUS server comes back
authentication event server alive action reinitialize
! every host on the port is authenticated individually
authentication host-mode multi-auth
! MAB only: no 802.1X in the order/priority list
authentication order mab
authentication priority mab
authentication port-control auto
! re-authentication and inactivity timers are supplied by ISE
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab

26 Replies

balaji.bandi (Hall of Fame)

You can add MAC entries into ISE and create a profile, so only those MAC addresses will be allowed; the rest will be rejected.

BB

Sorry, can you please elaborate more? Do you mean assigning trusted MACs into an ID group?

Arne Bier (VIP)

It's clear by now that ISE will "collect" every MAC address of every endpoint from switches/WLCs/VPN that send their RADIUS requests to ISE. That's how ISE populates its Context Visibility database. ISE has no idea which of these endpoints are important to you. That decision can be made "automatically" by profiling (assigning endpoints to certain profiles of interest, e.g. printers, Windows 10 PCs, etc.) or manually. The manual method involves either clicking around in ISE Context Visibility and setting the Endpoint Profiles or even the Endpoint Identity Group, but it's a very laborious process. You can also export the endpoint database and do this manipulation in a spreadsheet. Or, if you're clever enough, do it via the REST API. Either way, there has to be some logic/reasoning applied that a machine can understand if you want this association to happen. Profiling is your best bet.

Charlie Moreton (Cisco Employee)

How about creating a new Profiling Condition? Use the NAS IP Address for the condition.

[screenshot: CharlieMoreton_0-1677793554509.png]

And then add a new Profiling Policy.

[screenshot: CharlieMoreton_1-1677794267334.png]

Have fun with Randomized MAC Addresses

Thanks for your suggestion. I guess the method here can assign a MAC to an ID group when it is connected to that specific switch. But when the same MAC connects to another switch, that MAC won't be in that ID group any more.

What I want is to use a trusted switch as an onboarding platform to learn new MACs and add these MACs to a trusted ID group, and keep them in that group. Later, these MACs would connect to other switches; as they are already included in that ID group, they can be authorized and access the network.

Changing the rules as the game progresses? Not fun for the players.

Sounds like you need to set up the profiling from your 'onboarding' switch as described above, use the API to extract MAC addresses from the Endpoint Identity Group and feed into an ODBC database and use that DB as an External Identity Source.

Unless you have ISE 3.2, in which case you can use DataConnect to gather the information.

Thanks. It looks like using the API to populate that whitelist is the way. We are on 3.1 now; I will see if that 3.2 feature meets our needs. One more question: will there be any performance issue if I have more than 10k MACs in that ID group and authorization needs to check against it each time? And from a performance perspective, is there any benefit to using an external database to store this list vs. putting them in an ID group in ISE?

It'll be about the same. To use an internal EIG, you would use the API to write back to ISE, whereas the ODBC ID Provider will be the source of the Authentication. Either way, you are reading from ISE via API, then either writing back to ISE or performing a simple lookup from ODBC.
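As an added example (not code from the thread or from Cisco), this is the "write back to ISE" path Charlie describes: read the endpoints that profiling placed in the onboarding group, then PUT each one back with a static group assignment so that being re-profiled on another NAD cannot move it out. The ERS paths, field names (`groupId`, `staticGroupAssignment`), port 9060 and the `groupId.EQ` filter are assumptions to verify against your ISE version; host, credentials and group id are placeholders. Locally administered (randomized) MACs are skipped, per the warning above.

```python
import base64
import json
import ssl
from urllib import request

ISE_HOST = "ise.example.invalid"       # placeholder, not from the thread
ERS_AUTH = ("ers-admin", "CHANGE-ME")  # placeholder ERS admin credentials


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set: randomized/private MACs
    should never be pinned into a trusted whitelist."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def pin_payload(endpoint: dict, trusted_group_id: str):
    """ERS PUT body (assumed shape) that makes the endpoint's membership in the
    trusted group static. None when nothing needs changing or the MAC is random."""
    if is_locally_administered(endpoint["mac"]):
        return None
    if endpoint.get("groupId") == trusted_group_id and endpoint.get("staticGroupAssignment"):
        return None
    return {"ERSEndPoint": {"id": endpoint["id"], "mac": endpoint["mac"],
                            "groupId": trusted_group_id, "staticGroupAssignment": True}}


def plan_pins(endpoints, trusted_group_id):
    """Only the endpoints that still need a static assignment."""
    return [p for e in endpoints if (p := pin_payload(e, trusted_group_id)) is not None]


def ers_call(method, path, body=None):
    """Minimal ERS client over HTTPS basic auth (assumed API shape)."""
    token = base64.b64encode(":".join(ERS_AUTH).encode()).decode()
    req = request.Request(f"https://{ISE_HOST}:9060{path}", method=method,
                          data=json.dumps(body).encode() if body else None,
                          headers={"Authorization": f"Basic {token}",
                                   "Accept": "application/json",
                                   "Content-Type": "application/json"})
    with request.urlopen(req, context=ssl.create_default_context()) as r:
        return json.load(r) if r.status != 204 else None


if __name__ == "__main__":
    group = "ONBOARDED-GROUP-ID"  # placeholder; resolve via /ers/config/endpointgroup
    seen = ers_call("GET", f"/ers/config/endpoint?filter=groupId.EQ.{group}&size=100")
    # the list call returns only ids, so each endpoint is fetched individually
    endpoints = [ers_call("GET", f"/ers/config/endpoint/{r['id']}")["ERSEndPoint"]
                 for r in seen["SearchResult"]["resources"]]
    for body in plan_pins(endpoints, group):
        ers_call("PUT", f"/ers/config/endpoint/{body['ERSEndPoint']['id']}", body)
```

Run it from a job on the onboarding schedule; the read/plan split means you can dry-run `plan_pins` against an export before letting it write.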

sidshas03 (Spotlight)

You have mentioned that removing a MAC address from the internal endpoint list does not prevent it from being added back automatically when the device reconnects. This is because the device tracking feature in Cisco IOS automatically adds and updates endpoint information, including MAC addresses, as new devices are discovered on the network.

To overcome this issue, you can create a custom Identity Group in ISE that includes all the MAC addresses of your internal endpoints, and then use this group as a condition in your authentication and authorization policies. You can configure ISE to automatically add new MAC addresses to this group when they are discovered on the network by using a dynamic ID group.

Once the dynamic ID group is created, you can use it as a condition in your authentication and authorization policies. For example, you can create an Authorization Policy that restricts network access to only devices that belong to the "InternalEndpoints" group.

By using a dynamic ID group, new MAC addresses learned from a specific named NAD will be automatically added to the group, and devices that are not part of the group will be denied network access.

Sorry, I may be late with your problem. By now you would have resolved it. I hope it helps others who need it in the future.

Thanks for your reply. Your solution is similar to another reply that uses profiling to put new MACs in a dynamic ID group. But we need to keep these MACs in this ID group once they are added. These MACs will connect to other NADs after they are onboarded on that specific switch.

Hey bud, did you ever find a solution for this? Trying to do exactly what you are and no one understands me! In any case, thanks.

hslai (Cisco Employee)

@EHNET If you really want a trusted switch as the means of host on-boarding, one option is to use a regular ISE guest portal or an ISE hotspot portal to associate the client MAC addresses statically to an endpoint group.