ISE VoIP MAB Harden?

tcebak
Level 1

Good Day!

So, we have our ISE policy sets set up to use MAB for our VoIP phones. The issue presented to me is that a "rogue" computer can change its MAC to the phone's, disconnect the phone and plug in the rogue computer. Because that MAC is listed in my IP phones group, it's allowing the workstation to connect (on the voice VLAN).

I'm curious if anyone has suggestions, or maybe I'm looking at it the wrong way.

My thoughts so far (sometimes just writing stuff down and asking questions helps me solve and explore options):
1.) Even if I do VoIP 802.1x I would still have the failover of using the MAC to authorize the phones.
2.) Can you call out that if this device is using MAB, and the MAC is listed in my IP-PHONE MAC table, it still has to show up in CDP as a Cisco phone?
3.) Our authorization profile just has "Voice Domain Permission". This place is already stupid crazy with ACLs and changes things too often to keep it clean, and this would be a last resort to have a very restrictive ACL.
4.) If a device uses MAB does it still send all the RADIUS attributes of the connecting device?

Thanks for the effort if you are reading this.

Accepted Solution

Hi

ISE has a feature called Anomalous Endpoint Detection to detect if a device's attributes change:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html

hth
Andy

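As an added illustration of the kind of check Andy points to (this is not ISE's own code and is not from the original thread), the Python below compares a MAB-authorised phone MAC's attributes across sessions and flags the ones that change; the attribute names, the phone group and the two sample sessions are constructed for the example.

```python
"""Simplified model of an 'anomalous endpoint' check for MAB-authorised phones.

Constructed example, not ISE's implementation: each session record carries
attributes ISE compares between sessions (NAS-Port-Type, DHCP class identifier,
profiled endpoint policy) plus the CDP platform from the question's point 2.
A MAC first seen as a Cisco IP phone that later arrives with workstation-style
attributes is the rogue-PC-cloning-a-phone-MAC scenario in the question.
"""
from dataclasses import dataclass

# Attributes whose change between sessions is treated as anomalous.
WATCHED = ("nas_port_type", "dhcp_class_id", "endpoint_policy")

@dataclass(frozen=True)
class Session:
    mac: str
    nas_port_type: str
    dhcp_class_id: str
    endpoint_policy: str
    cdp_platform: str  # empty string when the endpoint sends no CDP

def find_anomalies(sessions, phone_group):
    """Return {mac: [(attribute, old, new), ...]} for MACs in phone_group whose
    watched attributes differ from the first session recorded for that MAC."""
    baseline, anomalies = {}, {}
    for s in sessions:
        if s.mac not in phone_group:
            continue  # only MAB-authorised phone MACs are of interest here
        first = baseline.setdefault(s.mac, s)
        if first is s:
            continue  # first sighting becomes the baseline
        diffs = [(a, getattr(first, a), getattr(s, a))
                 for a in WATCHED if getattr(first, a) != getattr(s, a)]
        # Point 2 of the question: a "phone" that stops announcing itself
        # as a Cisco phone over CDP is suspicious as well.
        if first.cdp_platform.startswith("Cisco IP Phone") and not s.cdp_platform:
            diffs.append(("cdp_platform", first.cdp_platform, s.cdp_platform))
        if diffs:
            anomalies.setdefault(s.mac, []).extend(diffs)
    return anomalies

# Constructed sample: one phone MAC seen twice, the second time with PC attributes.
PHONE_GROUP = {"00:1a:2b:3c:4d:5e"}
SAMPLE = [
    Session("00:1a:2b:3c:4d:5e", "Ethernet", "Cisco Systems, Inc. IP Phone CP-8841",
            "Cisco-IP-Phone", "Cisco IP Phone 8841"),
    Session("00:1a:2b:3c:4d:5e", "Ethernet", "MSFT 5.0", "Workstation", ""),
]

if __name__ == "__main__":
    for mac, diffs in find_anomalies(SAMPLE, PHONE_GROUP).items():
        print(mac, diffs)
```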

3 Replies

tcebak
Level 1

Here is the Switch Interface:

interface GigabitEthernet1/0/34
 description P12-44 some dude
 switchport access vlan 12
 switchport mode access
 switchport voice vlan 16
 authentication control-direction in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

Here is ISE Authorization Profile:

Access Type = ACCESS_ACCEPT
cisco-av-pair = device-traffic-class=voice


Thank you for the info!
