cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

421
Views
0
Helpful
10
Replies
Highlighted
Beginner

ISE port authenticated issue

Hello friends.

I am curious about ISE issuse that related to port authenticated.

Let`s suppose the multi-domain authentication type is used at port side.

Once port authorized, I unplug PC and connect another PC doing mac and IP spoof(Same IP and mac as previous PC had)

In this situation, what does ISE do to prevent this. How does it put obstacles?

Otherwise does attacker PC get network access?

Everyone's tags (4)
10 REPLIES 10
Highlighted
Cisco Employee

Re: ISE port authenticated issue

It's a Cisco IOS switch feature to detect an endpoint disconnected, to terminate the existing authentication session, and then to start a new session for a new connection.

On the ISE side, the same policy will apply if based on the MAC address solely. Please read ISE Profiling Design Guide for further info.

Highlighted
Beginner

Re: ISE port authenticated issue

I am going to read the guide you presented.

But till that time, I wonder if PC seats behind the phone. Surely if PC connects directly to the switch, once ports goes down and goes up, re-authentication process is started. I meant switch does not aware what happens behind the phone. Or Let`s suppose multi-auth method is used and  and PC seats behind the hub which friend mentions below. Is it possible to spoof that PC?

Highlighted
Cisco Employee

Re: ISE port authenticated issue

If you are talking about regular 802.1x and MAB without any advanced flows such as Guest/BYOD etc, it does not work that way. Port is authenticated and authorized till only the device is connected to the port. If you remove the device from the port, then any new device connected to the port will be authenticated/authorized by ISE. That said, it also depend on how you configure your policies on the ISE. Just spoofing mac address will not work.
Highlighted
VIP Advocate

Re: ISE port authenticated issue

Both of these answers are true if the device is plugged directly into the switch port, but if the device is unplugged and the switch doesn't know anything about that (phone not doing EAP proxy-logoff, hub, cheap switch, etc.) and the new device is spoofing the same exact MAC you probably would get on.  What triggers authentication on the switch side is the learning of a new MAC address in the MAC address table.  If something is preventing the MAC address from being removed when the device disconnects then there is no learn new MAC address to trigger authentication.

Highlighted
Beginner

Re: ISE port authenticated issue

As we know, mac address aging time is default 300 sec. PC can be spoofed during this time means switch will not remove mac address from its table till the end of 5 minutes.
Highlighted
Beginner

Re: ISE port authenticated issue

Proxy EAPoL-Logoff

If your switch or phone does not support CDP Enhancement for Second Port Disconnect, Proxy EAPoL-Logoff can provide a partial solution for 802.1X-authenticated data devices. Proxy EAPoL-Logoff enables the phone to transmit an EAPoL-Logoff message on behalf of the data device when the phone detects that an 802.1X device has unplugged from behind the phone. The phone substitutes the MAC address of the data device, so the proxy EAPoL-Logoff message is indistinguishable from an actual EAPoL-Logoff from the data device itself. The switch immediately clears the session as soon as it receives the Logoff message.

To support this feature, your phone must be capable of sending proxy EAPoL-Logoff messages. All Cisco IP phones and some third-party phones provide this functionality. No special functionality is required from the switch because the EAPoL-Logoff message is fully supported as per the IEEE standard.

Although effective for 802.1X-authenticated endpoints, Proxy EAPoL-Logoff does not work for MAB or WebAuth, because these authentication methods do not use EAP to authenticate. Another method, such as the inactivity timer, must be used to ensure that MAB sessions are appropriately cleared.

In other hand, some Cisco IP phones do not support this feature. Ex. 7912. I am still confused how can I achieve to avoid this problem.
Highlighted
Cisco Employee

Re: ISE port authenticated issue

If Cisco switches, see inactivity timer interval under Configure the Switch for Monitor Mode > Authentication Timer Settings.

Highlighted
Beginner

Re: ISE port authenticated issue

Thank you for your assist.

I did it in the ISE.

 

authentication timer reauthenticate server

Now PEAP Session Timeout is 60 sec. Thank you a lot.

Highlighted
Cisco Employee

Re: ISE port authenticated issue


Now PEAP Session Timeout is 60 sec. Thank you a lot.

Re-authentications at every 60 seconds are considered too frequent usually. I would suggest you to review sizing advice from 

 

If the switch supporting it and if using Cisco AnyConnect NAM, endpoint MacSec can be another option.

Highlighted
Beginner

Re: ISE port authenticated issue

I was in San Diego, unfortunately did not attend this session.

Very useful session indeed.

Thank you again for your help.