Re: ISE - how-to prevent mac spoofing

c.andrew · ‎04-27-2013

I've built an ISE lab (1.1.3.124) and have an authorization policy which permits access to profiled Cisco-Access-Points. For the purpose of the lab, these devices have full access.

Profiling is working correctly. I have a 1231 AP which is correctly profiled and placed in an endpoint group, Cisco-Access-Point.

From a Linux laptop, using macchanger, I can successfully spoof the mac of the AP and gain full access - for some reason ISE isn't profile checking the laptop and I'm not sure why. The laptop obtains an IP using DHCP. I have the following profile checks enabled: NetFlow, DHCP, RADIUS, DNS, SNMP.

When I check Live Authentications, apart from the session IDs, there is no difference when comparing the authz between the AP and the spoofed laptop.

I was hoping that ISE would recognise the spoofed attempt and let it fall through to the deny policy.

I'm happy to attach any screenshots if required.

Thanks.

George Stefanick · ‎04-27-2013

Try deleting the MAC address in ISE and then try your spoof again ..

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George Stefanick · ‎04-27-2013

Read the coa section

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_prof_pol.html

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

c.andrew · ‎04-27-2013

Thanks - I will check the link.

I have already tried deleting the MAC address from ISE. When I attach the Linux laptop with the spoofed address, it correctly sits at a lower CWA policy and is profiled as Linux Workstation.

The profiling part is working beautifully, but I can't figure out why ISE is allowing the spoof to take place.

George Stefanick · ‎04-27-2013

It sounds like to me coa isn't working. Check that link out and tell ,e what you think based on your config ..

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

c.andrew · ‎04-27-2013

Thanks for your help on this.

Have checked the config guide. My profiler configuration, CoA type was already set to port bounce. I've also tried reauth - same result.

If I delete the device (listed as Cisco-Access-Point) from ISE, while the spoofed Linux device is attached, a CoA is issued, a port-bounce (or reauth) occurs, then the device is profiled as Linux-Workstation and sits at a lower policy for CWA - all OK there.

The way I'm testing this is to have the AP profiled and authorized. Disconnect the cable from the AP and plug this into my spoofed MAC interface on a Linux laptop. ISE doesn't recognise it's a different device and returns the authz profile for Cisco-Access-Point identity group.

engtor111 · ‎05-09-2016

Hi,

have you solve your problem? We're about to buy ISE. In the lab with 1.4 version reprofiling didn't worked and we've managed to spoof a cisco phone's mac with a windows pc.

c.andrew · ‎05-09-2016

How long did you give ISE to re-profile the device? If you're about to order ISE, I suggest talking to your Cisco account manager (or Cisco Partner) and asking them for some technical resource from Cisco to iron out things like this before you commit.

engtor111 · ‎05-09-2016

I've waited around an hour. Nothing changed. I've also open the wireshark to see packets. There was no packet came from the ISE. Yes I've contacted to Account manager. Thanks,

Have you find a solution? :-)

c.andrew · ‎05-09-2016

Not really. If you check the thread - the problem was resolved by rebooting ISE. Not a great solution. Bear in mind, I was working with 1.2. If you order ISE now, you'll be on 2.0, so I'd like to thing issues like this will be resolved.

Your Cisco AM should be able to arrange a 2.0 demo license for you.

payala · ‎04-25-2017

I'm not sure if you stil want to check but version. 2.2 has spoofing capabilities to detect and enforce.

George Stefanick · ‎04-27-2013

Sounds like ise is not validating the probes after a device has been profiled ..

I would open a ticket on this one .. Or perhaps Monday when other folks hit the forums they might have some additional ideas ..

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

c.andrew · ‎04-27-2013

Well I've just observed a very odd result which is repeatable!!

If I remove the MAC from ISE. Then attach the Linux device, with it's spoofed address, it is correctly profiled and sits at a CWA policy. I then attach the cable to the Cisco AP, after a shortwhile, a CoA goes out and it is re-profied as a Cisco-Access-Point.

This is the behaviour I want to see, but in reverse.

mlezerkiewicz · ‎05-08-2013

Is Cisco working on this?

Sent from Cisco Technical Support iPad App

c.andrew · ‎05-09-2013

I'm running the 90 day trial of ISE, so I don't believe I can raise a TAC case on this - unless someone can let me know another way to raise this with Cisco? Thanks.