09-23-2024 07:10 PM
How to avoid mac spoofing in MAB using Profiling Transitions and the use of Exception Actions
We have ISE 3.3 Patch 3 deployed for one of our customers. For wired printers we are using MAB. For authentication and authorization, we are using the profiling service of the PSN. Below is the policy set created.
We can see the ISE PSN has successfully profiled some printers with the Canon Device profile (CF=10) and some printers with the Canon Printer profile (CF=40).
However, when we connect a laptop with a spoofed MAC address to the printer port, the laptop gets successfully authenticated and authorised with the Canon Device profile (OUI match).
When we looked at the Canon Device profile, it is just matching the OUI of the MAC address.
The PSN has the following probes enabled:
We are not using Device Sensor as the Cisco C1000 does not support the Device Sensor feature.
RADIUS is of no use as the printer does not support 802.1X. DHCP is of no use as the printer has an IP address statically configured.
Is there any way I can stop the MAC address spoofing method from bypassing the ISE NAC solution?
I read about Profile Transitions and the use of Exception Actions to restrict access, where we can take action on a new device profile learned on the printer port.
But I'm not sure how to configure it. Can anyone suggest to me how to restrict unauthorised access to the wired printer using Profile Transitions and Exception Actions?
09-23-2024 09:23 PM
This is not related to ISE, I think.
A port in single-host mode allows only one MAC in the data domain; here I think your switch uses multi-host mode, and hence more than one MAC is allowed on the port.
MHM
09-24-2024 08:21 AM
I think you are referring to ISE Anomalous Behaviour Detection and Enforcement. However, based on what you described, Anomalous Behaviour probably wouldn't help in this case, because if the printer's profile looks only at the OUI of the MAC address then it is less likely that a profile change would happen when the spoofed MAC address is connected.
Also, the fact that the printer and the spoofing laptop are connected in the same way to the network will also make the Anomalous Behaviour feature less effective. Finally, if the spoofing laptop is also statically assigned an IP, then the Anomalous Behaviour feature won't be able to raise any flag on this, as both the printer and the spoofing laptop have the same characteristics.
What I think you can do, though, would be to open up the printer endpoint attributes page in ISE, look at all the collected attributes, and then go and edit the Canon profiling policy by adding some of those attributes that would be unique to the printers.
In that case, when the spoofing laptop tries to impersonate the printer it won't "in theory" be able to match all the profile conditions, and accordingly it won't be profiled as a printer, although it does have the same MAC address as the printer.
ISE profiling policies work with certainty levels, so if the profile has a single condition then there is no way to build up any increment to the certainty level. However, if the profile has three conditions, then you can configure it in a way that sums up the condition values to the certainty level. For instance, you can configure the profile to have a certainty level of 30 and have three conditions: one will be the OUI with a value of 10, another something else (an attribute from the endpoint attributes page) with a value of 10, and the third something else (an attribute from the endpoint attributes page) with a value of 10. In this case all three conditions must match before a device is profiled with that profile.
09-24-2024 10:33 AM
Hi Aref,
Thanks for your response. When I read the ISE profiling design guide, I came to know the concept of Profile Transitions and Exception Actions.
It is mentioned as: "it is possible that an endpoint will transition from an Unknown profile to a specific profile (for example, Apple-iPad). The transition may occur in one update, but often the transition occurs in steps as new profile data is acquired from the network (for example, from Unknown to Apple-Device, and then from Apple-Device to Apple-iDevice, and finally to Apple-iPad). Although not as common, it is also possible for "negative" profiling data to be received for an endpoint that results in a transition from a more-specific profile to a less-specific parent profile, or a completely different profile altogether. Regardless of the type of profile transition, a profile change may impact the Authorization Policy rule matched when the endpoint re-authenticates to the network."
Exception Actions
Exception Actions are the means by which ISE Profiling Services trigger a response to a profiling event or state change.
Now, what I understood is that when the MAC address is already profiled as Canon-Device with just the OUI field (CF=10) by the PSN, and then the spoofing laptop is connected, the profile should change from Canon-Device to Windows 11 Workstation, because the Windows workstation will generate a lot of packets related to RADIUS, DNS, and DHCP that the PSN can capture to know that the profile has transitioned from Canon-Device to Windows 11 Workstation. And now, when ISE observes a profile change, we can take action using an Exception Action.
In an Exception Action we can apply a different profile, and for that profile we can set restricted access in the authorization policy.
Is my understanding correct?
09-25-2024 07:13 AM
You are welcome. It depends on the other profile's config. For instance, if the Windows workstation profile is configured with multiple conditions, but all of them rely on DHCP traffic, then that profile won't match the traffic coming from the spoofing laptop because it is assigned an IP statically, so no DHCP traffic will be sent from that laptop. And because of this, there will be no profile or profiling state change from ISE's point of view. Also, in a scenario where ISE would have two profiles and both of them would match, I think in that case the profile with the higher certainty level will take precedence. For instance, if the Windows profile matches the traffic coming from the spoofing laptop, and that profile happens to have a certainty level higher than the Canon profile, then the spoofing laptop would be profiled as a Windows workstation. The change of behaviour that would be used by ISE Anomalous Behaviour would apply to an endpoint that came to ISE as something, and then came back as another thing. For instance, if the Canon printer was configured with DHCP and was profiled as a Canon printer, and then the spoofing laptop tried to impersonate it, then yes, that would be detected by ISE, because in this case the MAC address would be the same, but the DHCP attributes and the data collected from DHCP traffic would be totally different.
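To make the certainty-factor reasoning above concrete, here is an added example (not code from the thread or from Cisco ISE) that models profiling policies as sums of condition certainty factors against a minimum CF. It shows an OUI-only Canon policy (CF=10) accepting a MAC-spoofing laptop, a three-condition policy (min CF 30) rejecting it when only the OUI matches, a DHCP-only Windows policy never matching a static-IP spoofer, and the higher-CF policy winning when two match. Attribute names, policy values and endpoint data are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass(frozen=True)
class Condition:
    attribute: str   # endpoint attribute name, e.g. "OUI" (illustrative names)
    contains: str    # substring that must appear in the attribute's value
    certainty: int   # CF added to the policy's score when this condition matches

@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int                   # the policy's minimum certainty factor
    conditions: List[Condition] = field(default_factory=list)

    def score(self, endpoint: Dict[str, str]) -> int:
        """Sum the CF of every condition the endpoint's attributes satisfy."""
        return sum(c.certainty for c in self.conditions
                   if c.contains in endpoint.get(c.attribute, ""))

def best_profile(endpoint: Dict[str, str], policies: List[ProfilingPolicy]) -> str:
    """Return the matching policy with the highest score, or 'Unknown' if none
    reaches its minimum certainty (higher CF takes precedence on a tie of matches)."""
    hits = [(p.score(endpoint), p.name) for p in policies
            if p.score(endpoint) >= p.min_certainty]
    return max(hits)[1] if hits else "Unknown"

# OUI-only policy as in the thread (CF=10) vs. three conditions that must all match (30).
CANON_OUI_ONLY = ProfilingPolicy("Canon-Device", 10, [Condition("OUI", "Canon", 10)])
CANON_STRICT = ProfilingPolicy("Canon-Printer", 30, [
    Condition("OUI", "Canon", 10),
    Condition("snmp_sysDescr", "Canon", 10),    # would come from the SNMP probe
    Condition("nmap_open_ports", "9100", 10),   # would come from the NMAP probe
])
# A workstation policy that relies only on DHCP data, with a higher CF than Canon-Device.
WINDOWS_DHCP = ProfilingPolicy("Windows-Workstation", 20,
                               [Condition("dhcp_class_identifier", "MSFT", 20)])

# Constructed endpoint attribute sets (what the endpoint attributes page would show).
REAL_PRINTER = {"OUI": "Canon Inc.", "snmp_sysDescr": "Canon printer (constructed)",
                "nmap_open_ports": "80,443,9100"}
STATIC_SPOOFER = {"OUI": "Canon Inc.", "nmap_open_ports": "135,445,3389"}  # no DHCP, no SNMP
DHCP_SPOOFER = {"OUI": "Canon Inc.", "dhcp_class_identifier": "MSFT 5.0"}

if __name__ == "__main__":
    for label, ep in (("printer", REAL_PRINTER), ("static spoofer", STATIC_SPOOFER),
                      ("dhcp spoofer", DHCP_SPOOFER)):
        print(f"{label:15} OUI-only: {best_profile(ep, [CANON_OUI_ONLY, WINDOWS_DHCP]):20}"
              f" strict: {best_profile(ep, [CANON_STRICT, WINDOWS_DHCP])}")
```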
09-25-2024 07:07 AM
Hi Aref,
I think Cisco ISE Anomalous Behavior Detection should work.
I just watched this video, and as per this, Cisco ISE Anomalous Behavior Detection can detect MAC spoofing or profile change:
https://www.youtube.com/watch?v=OP1BGzTGWJw
09-24-2024 01:47 PM
We need to remind ourselves that MAB is inherently non-secure. In other words, as its acronym MAB suggests, it's bypassing secure authentication. MAC spoofing is easy, as you've already discovered. But here are some tips:
Use DHCP instead of static IPs. Come on. Really, static IPs are so 1980s and there is no benefit to using them (don't let people convince you that DHCP is problematic; people who say that are either lazy or don't understand how to set up DHCP). Static IPv4 makes more work and causes more issues down the road. Setting up a DHCP server (even on a Cisco router if you have to) is so simple. A bit of effort and some planning can help a lot. The benefit of DHCP is that printers (or devices in general) send a lot of valuable data in the Discover packet. That is a great start for profiling. It's NOT security, but it's a profiling aid.
If you're stuck with static IPs then the next best thing for printers is enabling SNMP probing from ISE. But it must be SNMPv1/2 (not v3). This should be easily done, and it will give ISE sysObjectID, sysDescr etc. to make profiling more accurate. Yes, of course the hacker can spoof an SNMP agent; see my initial point about MAB being "no security at all". Where there's a will, there's a way!
Finally, if you want security, there is only one option. Put a cert on the printer and make it talk 802.1X EAP-TLS. Even my $50 Canon home printer from the supermarket supports this. Put a 5 year cert on there if you have to. The point being, it's going to be super hard to spoof an RSA cert with a 2048-bit key length (at least).
Security doesn't come easy. Some hard work will be involved. My suggestion would be to start with DHCP and SNMP, which will make profiling quite accurate and make spoofing harder.
09-25-2024 06:55 AM
Thanks, Arne, for your response.
We will try to push the customer to use DHCP, or at least allow the PSN to do active probes like an NMAP scan or SNMP query.
However, I was wondering why I can't use ISE's Profile Transitions and Exception Actions feature to detect a spoofed MAC.
If an attacker spoofs the MAC of the printer and connects on the same printer port, at that point the attacker's laptop/machine will start generating some interesting traffic like DNS and HTTP. The ISE PSN can now detect that the same MAC address's profile has transitioned from Canon-Printer to Windows Workstation, so let's take an action on this behaviour using a User-Defined or System-Defined Exception Action, where we can apply a different profiling policy or initiate a CoA to bounce the port. (As per the document, Exception Actions are the means by which ISE Profiling Services trigger a response to a profiling event or state change.)
I am just trying to understand if this will work to detect a spoofed MAC.
09-25-2024 09:04 AM
"MAC address spoofing", are you sure?
Did you check the MAC address in the switch? Do you see one MAC or two connected to the port?
MHM
09-25-2024 01:49 PM
@MHM Cisco World the question is not about two concurrent MAC addresses on the port, but rather two different devices, each connected one at a time, but having the same MAC address: the bad actor takes the MAC address of a valid device to try to get access to the network.
@jitendrac ISE Anomaly Detection does work as Hari's video shows, but it does rely on the clients using DHCP, because that is how ISE can tell a Windows OS from a Linux OS (for example): it uses the DHCP client identifier data. It's not very clear what other mechanisms Anomaly Detection uses to do its job, but I have a customer who has thousands of anomalies, and when I investigate them, ISE says it was due to Windows 10 => Windows 10. Makes no sense.
I have seen another legitimate case of Polycom desk phones that boot up using a Microsoft IP stack (sending out DHCP with client-identifier = MSFT), initialise themselves and then a few seconds later send out another DHCP identifying themselves as Polycom. In my opinion that is just a bad implementation of that vendor's product, but the reality is that ISE detected that as anomalous and would take action on that legitimate device if I had enabled Enforcement. But I never enabled Enforcement because of false positives. Which basically renders this feature useless to me, sadly. I don't think Cisco has made enough fanfare about this feature, and they have not explained it well enough, or given us enough parameters to tune. Hari's video makes it look so appealing and simple, but the reality is quite different.
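As an added example (not ISE's algorithm and not code from anyone in this thread), the following simplified model replays profiling updates per MAC and maps each profile transition to an exception action. It shows the four situations discussed: the spoofing laptop that does emit new profiling data (transition fires), the static-IP spoofer that stays profiled as Canon-Device (no transition, so nothing to act on), the "Windows 10 => Windows 10" non-change, and the Polycom MSFT-then-Polycom boot sequence that is a legitimate transition and would be a false positive under enforcement. Profile names, MACs and the action labels are constructed.

```python
from collections import namedtuple
from typing import List, Optional, Tuple

# One profiling update for an endpoint (constructed data, not ISE's log format).
Event = namedtuple("Event", "ts mac profile")

# Profile families the exception rule cares about (illustrative names).
PRINTERS = {"Canon-Device", "Canon-Printer"}
WORKSTATIONS = {"Windows10-Workstation", "Windows11-Workstation"}

def exception_for(old: str, new: str) -> Optional[str]:
    """Map a profile transition to an exception action, or None if no action."""
    if old == new or old == "Unknown":
        return None                       # same profile, or first-time profiling
    if old in PRINTERS and new in WORKSTATIONS:
        return "CoA-Reauth:Quarantine"    # printer MAC now behaves like a workstation
    return "Log-Anomaly"                  # any other change: record only, no enforcement

def run_detector(events: List[Event]) -> List[Tuple[str, str, str, str]]:
    """Replay updates in time order; return (mac, old_profile, new_profile, action)."""
    last, actions = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.mac, "Unknown")
        action = exception_for(prev, ev.profile)
        if action:
            actions.append((ev.mac, prev, ev.profile, action))
        last[ev.mac] = ev.profile
    return actions

# Constructed scenarios from the thread (MACs are placeholders).
EVENTS = [
    Event(1, "AA:AA:AA:00:00:01", "Canon-Device"),           # printer profiled by OUI
    Event(2, "AA:AA:AA:00:00:01", "Windows11-Workstation"),  # spoofer whose DHCP/DNS was seen
    Event(3, "AA:AA:AA:00:00:02", "Canon-Device"),           # printer profiled by OUI
    Event(4, "AA:AA:AA:00:00:02", "Canon-Device"),           # static-IP spoofer: no new data
    Event(5, "BB:BB:BB:00:00:01", "Windows10-Workstation"),
    Event(6, "BB:BB:BB:00:00:01", "Windows10-Workstation"),  # "Windows 10 => Windows 10"
    Event(7, "CC:CC:CC:00:00:01", "Windows10-Workstation"),  # Polycom booting with MSFT stack
    Event(8, "CC:CC:CC:00:00:01", "Polycom-Phone"),          # legitimate change: false positive if enforced
]

if __name__ == "__main__":
    for row in run_detector(EVENTS):
        print(row)
```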
09-26-2024 12:53 PM
"the bad actor takes the MAC address of a valid device to try to get access to the network." <<- this is the point I want to be sure about: does the switch see one MAC or two?
MHM
09-26-2024 01:14 PM
The switch sees one MAC address because only one device is attached to the switch. If the bad actor uses a Windows OS, they can modify the MAC address to be whatever they want it to be. Usually, bad actors will use a Linux-based OS, which can do the same thing. The Ethernet frame that is sent out of the bad actor's network adapter will have a customised source MAC address. This is what is called MAC spoofing. And obviously the bad actor removes the genuine device from the network and plugs their own modified device into the network, masquerading as the good device. 1 MAC address.
09-26-2024 01:16 PM - edited 09-26-2024 02:15 PM
I need confirmation from him.
He mentions ISE sees the same MAC, but never checked the switch.
It can be a simple issue with a simple solution.
MHM
09-26-2024 07:48 PM
Hi MHM Cisco World,
I am referring to the scenario as mentioned by Arne: "bad actor removes the genuine device from the network, and plugs their own modified device into the network, masquerading as the good device's MAC".
Of course the switch has lots of port security features to avoid/stop MAC spoofing, but I am referring to the case where the bad actor removes the genuine device from the network and plugs their own modified device into the network, masquerading as the good device's MAC.
09-27-2024 02:40 AM
Still searching, but some points I got I want to share here.
Device Sensor is not available, so ISE uses the MAC in RADIUS to get the OUI; that is why both endpoints have the same OUI (assuming the laptop uses the same MAC as the printer).
MHM