
Rector account in Cisco ISE

Faresnani
Level 1

Dear Community,

We are currently experiencing unusual activity involving an unknown account attempting to access our wireless network. Our wireless clients are authenticated through Cisco ISE against Active Directory.

Cisco ISE Details:

Version: 2.4.0.357

Installed Patches: 9

Product Identifier (PID): ISE-VM-K9

Version Identifier (VID): V01

ADE-OS Version: 3.0.4.070


We have observed irregular behavior, specifically from an account using the username "rector." This username does not correspond to any existing account in our domain. Previously, there were successful connection attempts with this username, but recent attempts have resulted in authentication failures.

Additionally, within the Context Visibility > Users section, the username "rector" appears as both the first name and last name associated with a domain user account, which suggests that it's a known username, as shown in the attached screenshot.

[Screenshots: "rector" appearing in the first name and last name fields; Authentication Failed; RADIUS log of the failed authentication]

5 Replies

davidgfriedman
Level 1

My first thought would be to ask your AD team if such an account existed, whether this account was closed by them and why it was closed, and to show them how many accounts you have with lookups having the first name, last name, and e-mail address of rector, to find out if they are running a security exercise or an automation script, or if a way into AD has been hacked to create a multitude of usernames.

As per your suggestion, we already asked our Active Directory administrator, who confirmed that there is no account associated with the username 'rector'.

davidgfriedman
Level 1

Username rector. Answer received? That leaves my second question: What did they say when you showed them your Context Visibility Users section screenshot? The one where you see various usernames were auto-filled by AD as first name rector and last name rector? I would expect that to worry them that it was either a bad script or a "bad actor" (hacker). Did you show that and the detailed logs to your SOC, with the location of the wireless at a NetworkDeviceName that suggests to me someone is close to or inside your data center, trying to hack onto your wireless network? And they are not all over it, worried about a hacker trying to break in? I see so much to worry about in your screenshots, especially after AD confirmed no such account should exist, nor should it have ever existed. Although googling shows there is a docker automation project named rector, I wouldn't expect it to build systems over Wi-Fi: https://github.com/PHPExpertsInc/docker-rector

Thank you for your information; we will investigate this with our cybersecurity team. I was wondering if maybe it is a bug or something, as we have an old version of Cisco ISE.

Arne Bier
VIP

This is certainly not a bug. ISE doesn't create its own authentication traffic. My advice would be to trace the endpoint, either by looking on the Wireless Controller or by looking at the Called-Station-ID in the ISE request to locate the wireless Access Point to which this endpoint is connecting. It's not hard to misconfigure a device, such as a phone or PC, to connect to an 802.1X SSID. By default, most operating systems will pop up a username/password dialog when confronted with an 802.1X SSID; that user could have just been guessing and using some random creds, and now the device will try until it succeeds (or until the supplicant is disabled/reconfigured).
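A defender-side way to do the tracing Arne describes, as an added example that is not part of the thread: it reads RADIUS authentication records for one username and groups them by client MAC (Calling-Station-ID), by access point and SSID (Called-Station-ID, assumed to be in the WLC's `<AP MAC>:<SSID>` form) and by network device. The log lines are constructed and only loosely modelled on ISE syslog key=value fields; the exact ISE layout is an assumption.

```python
import re
from collections import Counter

# Constructed sample records (not a real ISE export). Field names follow the
# RADIUS attributes discussed in the thread; the surrounding layout is assumed.
SAMPLE_LOG = """\
2024-05-01T08:55:10 ISE CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=rector, Calling-Station-ID=aa-bb-cc-dd-ee-01, Called-Station-ID=00-11-22-33-44-55:CorpWiFi, NetworkDeviceName=WLC-DC1
2024-05-01T09:12:03 ISE CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=rector, Calling-Station-ID=aa-bb-cc-dd-ee-01, Called-Station-ID=00-11-22-33-44-55:CorpWiFi, NetworkDeviceName=WLC-DC1, FailureReason=22056 Subject not found in the applicable identity store(s)
2024-05-01T09:12:09 ISE CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=rector, Calling-Station-ID=aa-bb-cc-dd-ee-01, Called-Station-ID=00-11-22-33-44-55:CorpWiFi, NetworkDeviceName=WLC-DC1, FailureReason=22056 Subject not found in the applicable identity store(s)
2024-05-01T09:13:40 ISE CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=rector, Calling-Station-ID=aa-bb-cc-dd-ee-01, Called-Station-ID=00-11-22-33-44-66:CorpWiFi, NetworkDeviceName=WLC-DC1, FailureReason=22056 Subject not found in the applicable identity store(s)
2024-05-01T09:14:02 ISE CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=jdoe, Calling-Station-ID=aa-bb-cc-dd-ee-02, Called-Station-ID=00-11-22-33-44-55:CorpWiFi, NetworkDeviceName=WLC-DC1
"""

# key=value pairs separated by commas; values may contain spaces (FailureReason).
FIELD_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]+)")


def parse_line(line):
    """Return the record's key=value fields plus an 'outcome' of passed/failed."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(line)}
    fields["outcome"] = "passed" if "Passed-Authentication" in line else "failed"
    return fields


def split_called_station(value):
    """Split a WLC-style Called-Station-ID '<AP MAC>:<SSID>' (assumed format)."""
    ap_mac, _, ssid = value.partition(":")
    return ap_mac, ssid or None


def trace_user(log_text, username):
    """Summarise every record for `username`: outcome counts and where it was seen.

    The counters answer the questions a responder asks first: which client MAC
    is sending the name, which AP/SSID it associates to, and via which WLC.
    """
    summary = {"failed": 0, "passed": 0, "clients": Counter(),
               "access_points": Counter(), "nas": Counter()}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("UserName") != username:
            continue
        summary[f["outcome"]] += 1
        summary["clients"][f.get("Calling-Station-ID", "?")] += 1
        summary["access_points"][split_called_station(f.get("Called-Station-ID", ""))] += 1
        summary["nas"][f.get("NetworkDeviceName", "?")] += 1
    return summary


if __name__ == "__main__":
    s = trace_user(SAMPLE_LOG, "rector")
    print(f"rector: {s['passed']} passed, {s['failed']} failed")
    print("client MAC(s):", s["clients"].most_common())
    print("AP/SSID(s):  ", s["access_points"].most_common())
    print("WLC(s):      ", s["nas"].most_common())
```

Pointing the script at an exported ISE RADIUS log narrows the search to one client MAC and one or two APs, which is what the wireless team needs to physically locate the misconfigured supplicant.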