cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

5048
Views
65
Helpful
19
Replies
wiong
Cisco Employee

ISE profiling and MAC address spoofing mitigation

I am googling around trying to confirm on ISE profiling and mitigation against MAC address spoofing but I have not find a confirmed answer.

 

When a device connects, get profiled and identified what it is, the ISE screen will show up the endpoint information including what is this endpoint (Cisco IP phone, Ricoh printer, etc). Even if the device is subsequently disconnected, I can still see it on the ISE screen although it shows that it is disconnected. If I now plug a device into the network and spoofed that endpoint MAC address, will ISE re-profile again or just let the device in since it has been profiled previously and still in the ISE DB with the MAC address intact?

 

I read somewhere in ISE document that when a device has been profiled (which may takes several seconds initially), ISE will cache the information so that subsequently, when the endpoint reconnects again, the network connectivity establishment is faster since it does not need to re-profile again? If this is the case, anyone can easily get into the network by just spoofing the MAC address.

 

 

19 REPLIES 19

Are you connected behind an unmanaged switch or hub so that the Cisco switch isn't detecting the link state change?  I assume that is what you are doing since any link state change would force a new authentication.  If you are doing this behind some device to keep the link state up, then one option to combat that is to use reauthentication.  If someone really wants to get in, they will.  They can spoof the MAC and intentionally not send any new profiling data or anything that could trigger profiling.  In that case, your only option to mitigate it is with reauthentication every so often.  The Department of Defense (Network STIG) requires a reauthentication timeout of every hour (60 minutes) for that reason.  Defense needs to be layered.  Always assume someone can break in if they want.  Your goal for security is to make it harder and harder by having multiple layers that need to be broken before anything of value can be obtained.  Increase the window of time that would be required for an attacker to get anything so you increase the odds of someone catching them.

You bring up a good point. So the good guy was connecting to SWITCH1 (managed) and the bad guy was connecting to SWITCH2 (managed) different port - direct connection. Which is even more alarming. ISE detected the new machine (simple linux machine with spoofed MAC and different hostname) and gave it same access as the connected good guy's machine.

 

With that said 2 tests were done. ONE printer (MAB) and one WIN10 (Dot1x). The printer - port did bounce as its directly connecting but spoofing machine (even with the different hostname) assumed same ISE auth/author profile of the previously connected printer -  and again without any Anomalous Behavior detected.

 

jk

Hi do you have the authorization policy enabled to block the devices when the behavior is detected?

There is nothing to block - it didn't even DETECT it. Right now - this is a serious flaw with ISE. Anyone can become a dot1x authenticated user with machine cert and AD validations with a simple 10 second MAC spoof? ISE didn't even see it on host change, no NMAP is re-initiated, no re-profile is initiated. Scary - why would we recommend ISE to anyone if this holds true? I'm hoping I'm wrong.

In your first scenario, "You bring up a good point. So the good guy was connecting to SWITCH1 (managed) and the bad guy was connecting to SWITCH2 (managed) different port - direct connection. Which is even more alarming. ISE detected the new machine (simple linux machine with spoofed MAC and different hostname) and gave it same access as the connected good guy's machine."

How is first guy connecting through dot1x or MAB . If it connecting using dot1x and then bad guy connecting to switch 2 may spoof MAC address but he will not get access as he does not have dot1x crendetials (Cert or user/password).

 

In second scenario "ONE printer (MAB) and one WIN10 (Dot1x). The printer - port did bounce as its directly connecting but spoofing machine (even with the different hostname) assumed same ISE auth/author profile of the previously connected printer - and again without any Anomalous Behavior detected."

 

It does work as long as both type of endpoints getting correctly profiled. Win10 at should have got profiled as at least as 'workstation' and printer should have profiled as 'printer' then only ISE can detect and enforce ABD.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html

 

Content for Community-Ad