ISE VoIP MAB Harden?

Good Day!

So, we have our ISE policy sets using MAB for our VoIP phones. The issue presented to me is that a "rogue" computer can change its MAC to the phone's, disconnect the phone and plug in the rogue computer. Because that MAC is listed in my IP phones group, it's allowing the workstation to connect (on the voice VLAN).

I'm curious if anyone has suggestions, or maybe I'm looking at it the wrong way.

My thoughts so far (sometimes just writing stuff down and asking questions helps me solve and explore options):
1.) Even if I do VoIP 802.1X, I would still have the failover of using the MAC to authorize the phones.
2.) Can you call out that if this device is using MAB, and the MAC is listed in my IP-PHONE MAC table, it still has to show up in CDP as a Cisco phone?
3.) Our authorization profile just has "Voice Domain Permission". This place is already stupid crazy with ACLs and changes things too often to keep it clean, so a very restrictive ACL would be a last resort.
4.) If a device uses MAB, does it still send all the RADIUS attributes of the connecting device?

Thanks for the effort if you are reading this.

1 ACCEPTED SOLUTION

Re: ISE VoIP MAB Harden?

Hi

ISE has a feature called Anomalous Endpoint Detection to detect if a device's attributes change:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html

hth
Andy


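An added example, not from this thread and not Cisco's code, that models the attribute-change check behind the Anomalous Endpoint Detection feature the accepted answer links to, applied to the exact case in the question: a workstation that clones a phone's MAC and takes its port. It assumes the switch's device sensor forwards CDP, LLDP and DHCP data to ISE in RADIUS accounting; the attribute names used here (cdpCachePlatform, lldpSystemDescription, dhcp-class-identifier, NAS-Port-Type), the IP-Phones group name and the three sample sessions are constructed for illustration. It also covers the question's point 2, refusing the voice domain to a MAC from the phone group when nothing the switch saw says "phone".

```python
"""Simplified model of the MAB anomalous-endpoint check (added example, not
ISE code). Attribute names are assumptions mirroring what the profiler gets
from the switch's device sensor; all sessions below are constructed."""
from dataclasses import dataclass, field

# Attributes a phone should present consistently from one session to the next.
WATCHED = ("NAS-Port-Type", "dhcp-class-identifier",
           "cdpCachePlatform", "lldpSystemDescription")

PHONE_GROUP = "IP-Phones"   # assumed name of the endpoint identity group


@dataclass
class Endpoint:
    mac: str
    identity_group: str
    attributes: dict = field(default_factory=dict)  # last learned WATCHED values
    anomalous: bool = False


@dataclass
class Decision:
    accept: bool
    voice_domain: bool   # whether device-traffic-class=voice would be returned
    reason: str


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-..., or 001a.2b3c.4d5e; return lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def phone_evidence(attrs: dict) -> bool:
    """True if CDP, LLDP or the DHCP class identifier says this is a Cisco IP phone."""
    return ("Cisco IP Phone" in attrs.get("cdpCachePlatform", "")
            or "Cisco IP Phone" in attrs.get("lldpSystemDescription", "")
            or "IP Phone" in attrs.get("dhcp-class-identifier", ""))


def changed_attributes(ep: Endpoint, attrs: dict) -> list:
    """Watched attributes that were learned earlier and now differ or are missing."""
    return [(k, ep.attributes[k], attrs.get(k))
            for k in WATCHED
            if k in ep.attributes and ep.attributes[k] != attrs.get(k)]


def authorize_mab(store: dict, mac: str, attrs: dict) -> Decision:
    """Decide a MAB request for `mac` given the session's device-sensor attributes."""
    ep = store.get(normalize_mac(mac))
    if ep is None:
        return Decision(False, False, "MAC not in any endpoint group")
    if ep.anomalous:
        return Decision(False, False, "endpoint already flagged anomalous")
    changes = changed_attributes(ep, attrs)
    if changes:
        ep.anomalous = True   # ISE sets AnomalousBehaviour=true and can CoA the session
        detail = ", ".join(f"{k}: {old!r} -> {new!r}" for k, old, new in changes)
        return Decision(False, False, "anomalous endpoint: " + detail)
    is_phone = ep.identity_group == PHONE_GROUP
    if is_phone and not phone_evidence(attrs):
        return Decision(False, False, "MAC is in the phone group but no CDP/LLDP/DHCP says phone")
    ep.attributes.update({k: attrs[k] for k in WATCHED if k in attrs})  # learn on success
    return Decision(True, is_phone, "ok")


def build_store() -> dict:
    """Constructed endpoint database: one phone MAC in the phone group."""
    return {"00:1a:2b:3c:4d:5e": Endpoint("00:1a:2b:3c:4d:5e", PHONE_GROUP)}


# Constructed sessions: the real phone, then a workstation that cloned its MAC
# (no CDP, Windows DHCP fingerprint), then the phone plugged back in.
PHONE_SESSION = {"NAS-Port-Type": "Ethernet",
                 "cdpCachePlatform": "Cisco IP Phone 8841",
                 "dhcp-class-identifier": "Cisco Systems, Inc. IP Phone CP-8841"}
CLONE_SESSION = {"NAS-Port-Type": "Ethernet",
                 "dhcp-class-identifier": "MSFT 5.0"}


def run_scenario() -> list:
    store = build_store()
    return [authorize_mab(store, "001A.2B3C.4D5E", PHONE_SESSION),
            authorize_mab(store, "00:1a:2b:3c:4d:5e", CLONE_SESSION),
            authorize_mab(store, "00-1a-2b-3c-4d-5e", PHONE_SESSION)]


if __name__ == "__main__":
    for d in run_scenario():
        print(f"accept={d.accept} voice={d.voice_domain}  {d.reason}")
```

Two caveats. ISE learns these attributes from accounting and profiling after the initial MAB accept, so in practice the outcome of an anomaly is a CoA that terminates or re-authorizes the already-admitted session rather than a reject on the first Access-Request. And a cloner that also forges CDP/LLDP and the DHCP class identifier will match on every watched attribute, so attribute comparison raises the bar rather than removing it, which is the argument for 802.1X with certificates on the phones themselves.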
3 REPLIES

Re: ISE VoIP MAB Harden?

Here is the Switch Interface:

interface GigabitEthernet1/0/34
 description P12-44 some dude
 switchport access vlan 12
 switchport mode access
 switchport voice vlan 16
 authentication control-direction in
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

Here is ISE Authorization Profile:

Access Type = ACCESS_ACCEPT
cisco-av-pair = device-traffic-class=voice

Re: ISE VoIP MAB Harden?

Thank you for the info!