Profiling based on MAC Address...

rezaalikhani
Level 4

Hi all;

Consider a scenario where I want to profile an unknown device using the MAC address attribute of the endpoint. In this regard, we have two options, as shown below:

[screenshot: 1000.png]

In my testing experience, if I choose OUI, I must provide the exact name (not something like OUI STARTSWITH AA:AA:AA) of the vendor that has registered the address with the IEEE. Right?

Now, if I choose MACAddress, is something like MACADDRESS STARTSWITH AA:AA:AA valid for matching the policy?

Thanks

Why use only MAC address?  Why not also use DHCP or Device Sensor?  MAC address / OUI only is really prone to MAC spoofing attacks and doesn't provide much security.

I think he is facing a host with an incorrect IP, and he decided to use a MAC-based profile.

@rezaalikhani am I correct?

His last post mentions that the host shows an incorrect IP, and he accepted the solution that there are two VLANs.

For me, that can happen if the wrong IP is in a different VLAN, not the same one.

If it is a different VLAN (subnet), then there are two VLANs: one before authorization and the other after authorization.

And ISE lists the authorized host with the IP from the VLAN before authorization.

If both the correct and the wrong IP are in the same subnet, then there is an issue with the DHCP profile attribute.

That is what I think.

MHM

Thanks for your reply;

As @hslai said, the NAD correctly submits the IP addresses of the second VLAN using RADIUS Accounting Interim-Updates, but since the NAD does not send it in a RADIUS Authentication Request again, ISE does not show the new IP address in its authentication report...

Yes friend, that is the case if we use the RADIUS attribute profile, not the DHCP profile.

Anyway, I will double-check and update you.

Thanks a lot

MHM

I cannot use DHCP because the endpoint needs to be assigned a static IP address, and I cannot use Device Sensor because the switch does not support this functionality...

If you only want to match the vendor ID, you don't need to use the Profiler. You can directly use a condition in your authorization policy:

[screenshot: KarstenIwen_0-1704291643938.png]

Thanks for your reply;

Interesting, but it does not answer my questions...

Thanks anyway

Any ideas?

Thanks

I have an idea:
you can use DHCP profiling
and assign a static IP to the host using its client-id or MAC.
Here, when DHCP assigns the IP to the host, it sends a copy to ISE.
MHM

hslai
Cisco Employee

@rezaalikhani 

Your ideas are correct.

On OUI, take a look at the Cisco-provided profiler conditions based on it. [screenshot: Screenshot 2024-01-08 at 19.31.45.png]

On MAC addresses, I used your condition with ISE 3.2 and it worked! ISE appears to normalize the MAC addresses to dot-separated and all caps.
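As an added example (not ISE code and not written by anyone in this thread), the following Python script models the two condition types discussed above. It canonicalizes endpoint MACs written in different notations, resolves the first three octets (the OUI block) to a vendor name from a small constructed table, and evaluates MACADDRESS STARTSWITH and OUI EQUALS conditions the way the thread describes them. Assumptions: the canonical form is upper-case colon-separated (the notation the original question uses; ISE's own internal representation is not reproduced), the OUI table rows are made up, and the attribute and operator names are only modelled on those in the question. The script shows why OUI STARTSWITH AA:AA:AA never matches (the OUI attribute holds a vendor name, not an address prefix) while MACADDRESS STARTSWITH AA:AA:AA does.

```python
"""Profiler-style MAC/OUI condition matching (illustrative, not ISE code)."""
import re
from typing import Callable, Optional

# Constructed OUI table for this example. Real OUI-to-vendor assignments are
# published by the IEEE Registration Authority; these rows are made up.
OUI_TABLE: dict[str, str] = {
    "AA:AA:AA": "Example Vendor Inc",
    "BB:BB:BB": "Another Vendor Ltd",
}

_NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def _canonical(raw: str, full: bool) -> str:
    """Strip separators, upper-case, and regroup into colon-separated octets.

    Assumption for this example: upper-case, colon-separated is the canonical
    form. With full=True the input must be a complete 48-bit address; with
    full=False a prefix such as 'aa-aa-aa' is accepted, which is how the value
    of a STARTSWITH condition is handled.
    """
    digits = _NON_HEX.sub("", raw).upper()
    if full and len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    if not full and not 1 <= len(digits) <= 12:
        raise ValueError(f"not a MAC prefix: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def normalize_mac(raw: str) -> str:
    """'aaaa.aa11.2233', 'AA-AA-AA-11-22-33' and 'aa:aa:aa:11:22:33' all map to one form."""
    return _canonical(raw, full=True)


def oui_of(mac: str) -> str:
    """First three octets, i.e. the IEEE-assigned OUI block."""
    return normalize_mac(mac)[:8]


def vendor_of(mac: str) -> Optional[str]:
    """Vendor name the OUI block resolves to, or None if the block is unknown."""
    return OUI_TABLE.get(oui_of(mac))


_OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "EQUALS": lambda subject, value: subject == value,
    "STARTSWITH": lambda subject, value: subject.startswith(value),
}


def evaluate_condition(attribute: str, operator: str, value: str, mac: str) -> bool:
    """Evaluate one condition of the form ATTRIBUTE OPERATOR VALUE for an endpoint.

    MACADDRESS compares the normalized address against the normalized value, so
    'MACADDRESS STARTSWITH aa:aa:aa' matches 'aaaa.aa11.2233'. OUI compares the
    vendor *name* the address resolves to, so the value must be that exact name;
    an address prefix given as the OUI value never matches.
    """
    if attribute == "MACADDRESS":
        subject = normalize_mac(mac)
        value = _canonical(value, full=(operator == "EQUALS"))
    elif attribute == "OUI":
        subject = vendor_of(mac) or ""
    else:
        raise ValueError(f"unsupported attribute: {attribute}")
    return _OPERATORS[operator](subject, value)


def matching_policies(mac: str, policies: dict[str, tuple[str, str, str]]) -> list[str]:
    """Names of all single-condition policies that match this endpoint."""
    return [name for name, cond in policies.items() if evaluate_condition(*cond, mac)]


if __name__ == "__main__":
    # Constructed endpoint MACs in three notations a NAD or a CSV import might use.
    endpoints = ["aaaa.aa11.2233", "AA-AA-AA-44-55-66", "cc:cc:cc:00:00:01"]
    policies = {
        "OUI exact vendor name": ("OUI", "EQUALS", "Example Vendor Inc"),
        "OUI prefix (never matches)": ("OUI", "STARTSWITH", "AA:AA:AA"),
        "MAC prefix": ("MACADDRESS", "STARTSWITH", "aa:aa:aa"),
    }
    for ep in endpoints:
        print(normalize_mac(ep), vendor_of(ep), matching_policies(ep, policies))
```

Run it to see each constructed endpoint's canonical address, the vendor it resolves to, and the policies that match it. As the first reply in the thread points out, a MAC or OUI match is only as trustworthy as the MAC itself, which an endpoint can spoof; the script makes no attempt to detect that.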