cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2752
Views
0
Helpful
10
Replies

ISE port authenticated issue

HHeydarov
Level 1
Level 1

Hello friends.

I am curious about ISE issuse that related to port authenticated.

Let`s suppose the multi-domain authentication type is used at port side.

Once port authorized, I unplug PC and connect another PC doing mac and IP spoof(Same IP and mac as previous PC had)

In this situation, what does ISE do to prevent this. How does it put obstacles?

Otherwise does attacker PC get network access?

10 Replies 10

hslai
Cisco Employee
Cisco Employee

It's a Cisco IOS switch feature to detect an endpoint disconnected, to terminate the existing authentication session, and then to start a new session for a new connection.

On the ISE side, the same policy will apply if based on the MAC address solely. Please read ISE Profiling Design Guide for further info.

I am going to read the guide you presented.

But till that time, I wonder if PC seats behind the phone. Surely if PC connects directly to the switch, once ports goes down and goes up, re-authentication process is started. I meant switch does not aware what happens behind the phone. Or Let`s suppose multi-auth method is used and  and PC seats behind the hub which friend mentions below. Is it possible to spoof that PC?

Surendra
Cisco Employee
Cisco Employee
If you are talking about regular 802.1x and MAB without any advanced flows such as Guest/BYOD etc, it does not work that way. Port is authenticated and authorized till only the device is connected to the port. If you remove the device from the port, then any new device connected to the port will be authenticated/authorized by ISE. That said, it also depend on how you configure your policies on the ISE. Just spoofing mac address will not work.

Both of these answers are true if the device is plugged directly into the switch port, but if the device is unplugged and the switch doesn't know anything about that (phone not doing EAP proxy-logoff, hub, cheap switch, etc.) and the new device is spoofing the same exact MAC you probably would get on.  What triggers authentication on the switch side is the learning of a new MAC address in the MAC address table.  If something is preventing the MAC address from being removed when the device disconnects then there is no learn new MAC address to trigger authentication.

As we know, mac address aging time is default 300 sec. PC can be spoofed during this time means switch will not remove mac address from its table till the end of 5 minutes.

Proxy EAPoL-Logoff

If your switch or phone does not support CDP Enhancement for Second Port Disconnect, Proxy EAPoL-Logoff can provide a partial solution for 802.1X-authenticated data devices. Proxy EAPoL-Logoff enables the phone to transmit an EAPoL-Logoff message on behalf of the data device when the phone detects that an 802.1X device has unplugged from behind the phone. The phone substitutes the MAC address of the data device, so the proxy EAPoL-Logoff message is indistinguishable from an actual EAPoL-Logoff from the data device itself. The switch immediately clears the session as soon as it receives the Logoff message.

To support this feature, your phone must be capable of sending proxy EAPoL-Logoff messages. All Cisco IP phones and some third-party phones provide this functionality. No special functionality is required from the switch because the EAPoL-Logoff message is fully supported as per the IEEE standard.

Although effective for 802.1X-authenticated endpoints, Proxy EAPoL-Logoff does not work for MAB or WebAuth, because these authentication methods do not use EAP to authenticate. Another method, such as the inactivity timer, must be used to ensure that MAB sessions are appropriately cleared.

In other hand, some Cisco IP phones do not support this feature. Ex. 7912. I am still confused how can I achieve to avoid this problem.

If Cisco switches, see inactivity timer interval under Configure the Switch for Monitor Mode > Authentication Timer Settings.

Thank you for your assist.

I did it in the ISE.

 

authentication timer reauthenticate server

Now PEAP Session Timeout is 60 sec. Thank you a lot.


Now PEAP Session Timeout is 60 sec. Thank you a lot.

Re-authentications at every 60 seconds are considered too frequent usually. I would suggest you to review sizing advice from 

 

If the switch supporting it and if using Cisco AnyConnect NAM, endpoint MacSec can be another option.

I was in San Diego, unfortunately did not attend this session.

Very useful session indeed.

Thank you again for your help.