Beginner

MAB, MAC spoofing and Reprofiling

I have taken over a solution which employs MAB for wired devices which are not configured for dot1x  e.g. some IP Phones.

The laptops are all dot1x compliant and they must be using dot1x to access the network.

The MAB devices are recognised as such and they are profiled correctly as IP Phones, using the standard Cisco ISE Profiling Policies which employ a "cdpcacheplatform" value. They are therefore authorised to access the network.

However I am able to take a MAC address off of one of the MAB devices, power it down, configure that MAC address on a non-dot1x laptop (an illegal device) and it gains access to the network. ISE reports that the device is still an IP Phone.

Surely if ISE can profile this device as a phone, using the Authorisation rule in the Policy Set, then when the port goes down and I plug a laptop into the port, ISE should detect that it is no longer a phone and re-profile it.

My understanding is that MAB relates to Authentication rather than Authorisation and it is the Authorisation that I would expect to reoccur.

I have read the Cisco papers however while they state that MAB does not prevent MAC spoofing, they do not state that profiling cannot be used to mitigate the risk.

 

Has anyone a clear view on the relation of MAB to profiling and CoA?

 

Thanks

 

Rising star

I believe that re-profiling only occurs when ISE gets some new information upon authentication, so you should probably check which profiling probes you are using and actually have configured in your network. CDP won't give you anything new, and the RADIUS probe just has the MAC address, which is the same, so nothing new there.

Also, maybe try deleting the MAC address from the ISE endpoint identity store (after disconnecting the phone) and then connect the PC with the spoofed MAC address. Does it get profiled as a Windows and/or Workstation?

Beginner

There are quite a few probes running and I had hoped that the SNMPTraps could alert ISE or ISE would probe using SNMPQuery.

I can delete endpoint from the identity store and the device profiles as a laptop and is then blocked.

However my concern is that an unauthorised device could be introduced on to the network without my knowledge. I therefore would not know to delete its entry in the identity store.

I need a way for ISE to automatically detect that the method it used to profile the IP Phone, in this case CDP, is no longer valid since CDP is no longer being received on the switch-port.

Currently the Identity Store entry is merely updated with the new DATA IP address and name.

The profile still stays that the device is an IP Phone.

 

Cisco Employee (Accepted Solution)

bbriggs, did you ever find a resolution for this?

Beginner

Yes Cisco eventually explained what was occurring. When a device gains access via MAB it is profiled. During the profiling a Certainty value is calculated. Let's say that a Certainty value for the IP Phone when profiled is 100.

Now let's assume that I spoof the MAC address of the IP Phone on my laptop.

I disconnect the IP Phone and plug in my laptop. It does not support dot1x (it would fail dot1x authentication) so it fails to MAB. (Assuming the auth order is dot1x then MAB).

My laptop is profiled and there will be various matches, however the Certainty value that it is a laptop is, for example, 80.

ISE does not update its authentication "status" for that Endpoint.

ISE has an authentication\authorization Certainty value for that MAC address of 100 matching the profile of an IP Phone.

ISE does not, for want of a better expression, update its opinion.

Therefore my laptop is allowed on the network as an IP Phone.

Rising star

I agree with this, my observation is also that almost nothing will make ISE change its opinion of which profile an endpoint was detected as. However, I heard at the PVT and looked in the release notes for ISE 2.2, and it looks like some new feature has been introduced that sounds like it does something like re-profiling on the fly.

Ability to Detect Anomalous Behavior of Endpoints

Cisco ISE protects your network from the illegitimate use of a MAC address by detecting the endpoints involved in MAC address spoofing and allows you to restrict the permission of the suspicious endpoints. The following options are available in the profiler configuration page:

  • Enable Anomalous Behavior Detection—Cisco ISE probes for data and checks for any contradictions to the existing data. If any contradictions are found, the AnomalousBehavior attribute is set to true and the corresponding endpoints are displayed in the Context Visibility page.
  • Enable Anomalous Behavior Enforcement—A CoA is issued if anomalous behavior is detected. The suspicious endpoints are reauthorized based on the authorization rules configured in the Profiler Configuration page.
Beginner

Thanks for that, we are considering that upgrade and any argument to get some momentum is always good.

Cheers

Hello, I was wondering if Enable Anomalous Behavior Detection would also work on IP spoofing.

Here is the scenario: ISE authorised and authenticated the laptop based on 802.1x. This laptop spoofs an IP address on the network. Would ISE be able to trigger, using this option, to reprofile the delinquent laptop?

Thank you 

Beginner

I am on 2.4 Patch 9 with the same issues.  I just enabled Enable Anomalous Behaviour Detection and Enable Anomalous Behaviour Enforcement.  I will test over the next 24 hours and see if this helps.  Otherwise it is a major security flaw.

Beginner

Please update us about your findings after the upgrade to 2.4, since we are facing the same issue and we are running on 2.2.

Beginner

I retested after enabling Enable Anomalous Detection and Enforcement.

It worked as expected. After connecting the IP phone it profiled it as an IP phone. I then disconnected the IP phone and connected a laptop with the same MAC address. It allowed the laptop for a few secs based on the MAC address. Then after the laptop was profiled it detected it was a Windows 10 device and blocked the MAC address.

I then disconnected the laptop and reconnected the IP phone. However ISE seemed to have blocked the MAC address permanently. I deleted the MAC address from the ISE database to fix this.

 

Thanks
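The following is an added toy model, not Cisco ISE code and not anything posted in this thread. It replays the behaviour described above: the certainty-based profile stickiness from the "Yes Cisco eventually explained" reply (the cached IP Phone profile at certainty 100 outscores the laptop's 80, so the spoofed laptop is permitted), the two 2.2 options quoted from the release notes (detection sets an AnomalousBehavior flag when freshly probed data contradicts the recorded device family; enforcement turns that flag into a deny via CoA), and the last reply's observation that the block persists for the MAC until the endpoint is deleted. The profile names, attribute keys, certainty weights, probe contents and MAC address are all constructed for illustration; how ISE actually merges probe data and scores contradictions is simplified here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed profiling policies: profile name -> (device family, [(attribute, value, certainty)]).
# Names, attribute keys and certainty weights are illustrative, not ISE's built-in policies.
PROFILES = {
    "Cisco-IP-Phone": ("Phone", [("cdpCachePlatform", "Cisco IP Phone", 70),
                                  ("OUI", "Cisco Systems", 30)]),
    "Windows10-Workstation": ("Workstation", [("dhcp-class-identifier", "MSFT 5.0", 40),
                                              ("operating-system", "Windows 10", 40)]),
}

# Constructed probe data for one switch port, before and after the MAC is spoofed.
PHONE_PROBE = {"OUI": "Cisco Systems", "cdpCachePlatform": "Cisco IP Phone"}
LAPTOP_PROBE = {"OUI": "Cisco Systems",            # same MAC, so same OUI
                "dhcp-class-identifier": "MSFT 5.0",
                "operating-system": "Windows 10"}   # no CDP from a laptop
MAC = "00:11:22:33:44:55"                           # constructed


def profile(attrs: Dict[str, str]) -> Tuple[Optional[str], int]:
    """Return the profile with the highest summed certainty for these attributes."""
    best, best_cf = None, 0
    for name, (_family, conditions) in PROFILES.items():
        cf = sum(points for key, value, points in conditions if attrs.get(key) == value)
        if cf > best_cf:
            best, best_cf = name, cf
    return best, best_cf


@dataclass
class Endpoint:
    attrs: Dict[str, str] = field(default_factory=dict)
    profile: Optional[str] = None
    certainty: int = 0
    anomalous: bool = False          # models the AnomalousBehavior attribute


@dataclass
class Profiler:
    detection: bool = False          # "Enable Anomalous Behavior Detection"
    enforcement: bool = False        # "Enable Anomalous Behavior Enforcement"
    store: Dict[str, Endpoint] = field(default_factory=dict)

    def observe(self, mac: str, probe: Dict[str, str]) -> Endpoint:
        ep = self.store.setdefault(mac, Endpoint())
        # Anomaly check: profile the fresh probe data on its own; a different device family
        # than the one already recorded for this MAC contradicts the existing data.
        if self.detection and ep.profile:
            fresh, _ = profile(probe)
            if fresh and PROFILES[fresh][0] != PROFILES[ep.profile][0]:
                ep.anomalous = True   # sticky until the endpoint is deleted
        # Legacy behaviour: probe data is merged into what is already cached, so the old
        # CDP attribute still scores, and the profile only changes when certainty rises.
        ep.attrs.update(probe)
        name, cf = profile(ep.attrs)
        if cf > ep.certainty:
            ep.profile, ep.certainty = name, cf
        return ep

    def authorize(self, mac: str) -> str:
        ep = self.store[mac]
        if ep.anomalous and self.enforcement:
            return "DENY"             # CoA re-authorizes the endpoint into the deny rule
        return "PERMIT" if ep.profile == "Cisco-IP-Phone" else "DENY"

    def delete_endpoint(self, mac: str) -> None:
        self.store.pop(mac, None)     # the manual clean-up step from the last reply


def spoof_scenario(detection: bool, enforcement: bool) -> Tuple[Tuple[str, ...], bool]:
    """Replay the thread's test: phone, spoofed laptop, phone again, then after deletion."""
    p = Profiler(detection=detection, enforcement=enforcement)
    decisions: List[str] = []
    p.observe(MAC, PHONE_PROBE);  decisions.append(p.authorize(MAC))   # phone connects
    p.observe(MAC, LAPTOP_PROBE); decisions.append(p.authorize(MAC))   # laptop, spoofed MAC
    flagged = p.store[MAC].anomalous
    p.observe(MAC, PHONE_PROBE);  decisions.append(p.authorize(MAC))   # phone reconnected
    p.delete_endpoint(MAC)
    p.observe(MAC, PHONE_PROBE);  decisions.append(p.authorize(MAC))   # after deleting the endpoint
    return tuple(decisions), flagged


if __name__ == "__main__":
    for det, enf in [(False, False), (True, False), (True, True)]:
        print(f"detection={det} enforcement={enf}:", spoof_scenario(det, enf))
```

With both options off, every step returns PERMIT because the cached CDP attribute keeps the IP Phone profile ahead on certainty. Detection alone flags the endpoint but still permits it, which is what makes it useful for reviewing the Context Visibility page before turning on enforcement. With enforcement on, the spoofed laptop is denied, and so is the genuine phone when it is plugged back in, until the endpoint is deleted from the store. The brief window in which the laptop was allowed "for a few secs" is not modelled; here the probe data is assumed to arrive before the authorization decision.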