Is there any way to prevent new MAC to be added to internal endpoints

EHNET (Level 1)

We are trying to use MAB with the existing internal endpoints as a whitelist (I know it is not secure enough) to prevent new MACs from accessing the network. So I want anything that is not in the internal endpoints to be rejected at the authentication phase.

Is there any way to achieve this? I tried to remove a MAC from the internal endpoints, but ISE automatically adds it back after it reconnects.

I also know that I can achieve the same goal by using authorization, putting the trusted MACs into an ID group and then using this group as a condition. But the problem is how to auto-add new MACs into this ID group. Is there any way to set conditions, for example, any new MAC learnt from a specific named NAD is added into this group? This is a dynamic environment; manually adding MACs into the group is not feasible.

What I want is to use a trusted switch as an onboarding platform to learn new MACs and add them to a trusted ID group, keeping them in that group. Later, when these MACs connect to other switches, as they are already included in that ID group, they can be authorized and access the network.

My interface config is as follows:

! Device tracking keeps the IP-to-MAC bindings the switch needs for ISE dACLs
device-tracking attach-policy ISE_Track
! Pre-authentication ACL applied until ISE returns an authorization
ip access-group ACL-DEFAULT in
authentication control-direction in
authentication event server alive action reinitialize
! Each MAC on the port is authenticated separately
authentication host-mode multi-auth
! MAB is the only method configured, so the MAC address is the sole credential
authentication order mab
authentication priority mab
authentication port-control auto
! Reauthentication and inactivity timers are taken from the RADIUS attributes ISE returns
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
! On a security violation, drop the offending traffic and log it without err-disabling the port
authentication violation restrict
mab


26 Replies

Why not reject at the authorization phase? It accomplishes the same thing. What exactly are you trying to do? Just MAB only? Are your "trusted" MAC addresses in an Endpoint ID Group?

Endpoint Purge rules could satisfy what you are trying to accomplish.  

Thanks for the reply. We just want to use whitelisted MACs as NAC, that's it, and designate a trusted device to add new MACs to the internal endpoints.

I know I can do this at authorization with a trusted ID group. But how do I auto-populate this group, besides manually importing?

Create an Endpoint ID group. Add MAC addresses to the Endpoint ID group. Specify the Endpoint ID group as a condition in the Authorization policy, passing the necessary attributes. Set the Default Authz policy to deny.

Use profiling if you don't want to manually add each MAC address to the group. It also prevents some MAC spoofing attempts. Requires Advantage Licensing.

Thanks a lot. I already know the first portion that you mentioned.

So can I use profiling to let a trusted NAD act as a source to populate that ID group?

No. Profiling is endpoint-condition specific. So ISE will authenticate/authorize anything that looks like a printer, AP, thin client, or whatever. No static MAC address lists needed.

https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456

So it looks like you can't use properties from the network device, such as location or name, in the profiling process.

I mean you can use the NAD properties in the Authorization policies to give differentiated access. What exactly are you trying to solve? If a device is trusted (profiled, 802.1X, static Endpoint ID group, etc.), why does it matter which NAD the endpoint is connected to?

I updated the description in my post. I want to use the MAC as the only source to control access. Because there are tons of device types in our network, using profiling adds too much overhead to operations. So I want to use a MAC whitelist here, but that list needs to be auto-populated.

Auto-populate? What would be your source of truth? What would determine whether or not a device should be trusted? What is your concern with profiling "overhead"? Profiling removes the need for you to manually manage static Endpoint ID groups.

That's what I am asking: is this doable in ISE? Something like putting a device in a device group, and any new MAC learned from a NAD in this group is added into a trusted ID group.

But why? What makes this particular NAD trustworthy? What stops someone from plugging anything into this particular NAD? What about other NADs in your environment?

Because we can control who can plug anything into this trusted NAD.

Existing MACs will be imported into an ID group.

Any new MAC that is not in the ID group will be rejected.

Only new MACs learnt from this NAD will be auto-added into this ID group (this is what I am asking if it's doable).
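The flow described in the three lines above (import existing MACs into an ID group, reject anything not in it, auto-add only MACs learnt on the onboarding switch) is not something ISE policy does on its own, but it can be scripted against ISE's ERS REST API. The following is an added example, not code from this thread, from Cisco or from ISE: it parses passed-authentication records, picks out MACs first seen on the designated NAD, builds the ERS request bodies that would pin them into the trusted Endpoint ID group, and models the permit/default-deny authorization check from the earlier reply. The NAD name, the group id placeholder, the sample log lines and the syslog field names NetworkDeviceName/Calling-Station-ID are all assumptions constructed for the example; the real group id would come from `GET /ers/config/endpointgroup`.

```python
"""
Added example (not code from the thread, Cisco or ISE): build the ISE ERS requests
that would pin MAB-authenticated MACs seen on a designated onboarding switch into a
trusted Endpoint Identity Group, and model the default-deny authorization check.
Assumptions, all constructed: the NAD name, the group id placeholder, the sample
log lines, and the syslog field names NetworkDeviceName / Calling-Station-ID.
"""
import re
from typing import Dict, Iterable, List, Set

TRUSTED_NAD = "onboard-sw01"  # assumption: NAD name of the onboarding switch in ISE
# Placeholder: the real id comes from GET /ers/config/endpointgroup?filter=name.EQ.<name>
TRUSTED_GROUP_ID = "GROUP-ID-PLACEHOLDER"

# Constructed sample (not real ISE output); the field names are an assumption.
SAMPLE_LOG = """\
Passed-Authentication: NetworkDeviceName=onboard-sw01, Calling-Station-ID=00:11:22:33:44:55, AuthenticationMethod=Lookup
Passed-Authentication: NetworkDeviceName=access-sw07, Calling-Station-ID=00-11-22-33-44-66, AuthenticationMethod=Lookup
Passed-Authentication: NetworkDeviceName=onboard-sw01, Calling-Station-ID=0011.2233.4477, AuthenticationMethod=Lookup
Passed-Authentication: NetworkDeviceName=onboard-sw01, Calling-Station-ID=0011.2233.4477, AuthenticationMethod=Lookup
"""

_NAD_RE = re.compile(r"NetworkDeviceName=([^,\s]+)")
_MAC_RE = re.compile(r"Calling-Station-ID=([^,\s]+)")


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and return
    the colon-separated upper-case form ISE ERS expects; reject anything else."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_auth_events(text: str) -> List[Dict[str, str]]:
    """Extract (nad, mac) pairs from passed-authentication lines; skip lines
    that lack either field or carry a malformed MAC."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        nad, mac = _NAD_RE.search(line), _MAC_RE.search(line)
        if not (nad and mac):
            continue
        try:
            events.append({"nad": nad.group(1), "mac": normalize_mac(mac.group(1))})
        except ValueError:
            continue  # malformed Calling-Station-ID: never trust it
    return events


def select_new_macs(events: Iterable[Dict[str, str]], trusted_nad: str,
                    known_macs: Set[str]) -> List[str]:
    """MACs first seen on the onboarding switch that are not yet in the group,
    de-duplicated in order of appearance. MACs seen on any other NAD are ignored,
    which is the whole point of the onboarding-switch design."""
    picked: List[str] = []
    seen = set(known_macs)
    for ev in events:
        if ev["nad"] == trusted_nad and ev["mac"] not in seen:
            seen.add(ev["mac"])
            picked.append(ev["mac"])
    return picked


def ers_endpoint_payload(mac: str, group_id: str) -> dict:
    """Body for POST https://<ise>:9060/ers/config/endpoint. staticGroupAssignment
    keeps the endpoint in the group even if profiling would otherwise move it."""
    return {"ERSEndPoint": {"mac": mac, "groupId": group_id,
                            "staticGroupAssignment": True}}


def authorize(mac: str, trusted_macs: Set[str]) -> str:
    """Model of the authorization policy from the reply above: a rule matching the
    trusted Endpoint ID group permits, and the default rule denies everything else."""
    return "PERMIT" if normalize_mac(mac) in trusted_macs else "DENY"


if __name__ == "__main__":
    known = {"00:11:22:33:44:55"}  # MACs already imported into the group
    new = select_new_macs(parse_auth_events(SAMPLE_LOG), TRUSTED_NAD, known)
    for m in new:
        print(ers_endpoint_payload(m, TRUSTED_GROUP_ID))
    print(authorize("0011.2233.4466", known | set(new)))  # seen only on access-sw07
```

The script deliberately stops at building the request body; sending it needs an ERS-enabled admin account and the group id looked up first. The check in `authorize` is the reason the earlier reply warned about spoofing: once a MAC is in the trusted group it is accepted on every switch, so the same MAC appearing on two NADs at the same time is the event worth alerting on.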

Then why deploy NAC at all if you can 100% guarantee that your NADs have trusted devices? Or is it just this one NAD? Also, is plugging into one specific NAD enough of a criterion to quantify device trust?

What I want is to use a trusted switch as an onboarding platform to learn new MACs and add them to a trusted ID group, keeping them in that group. Later, when these MACs connect to other switches, as they are already included in that ID group, they can be authorized and access the network.