Significance of domain in multi-auth MAB?

mikenu
Level 1

Hello,

We're investigating using MAB for basic NAC in our network.

I have MAB with multi-auth configured and it is working. To get a VoIP phone put in the voice domain and assigned to the voice vlan, I profile the devices on the RADIUS server and, if it is a VoIP phone, I send the 'device-traffic-class=voice' avpair; if the device is not categorized as a phone, I don't send the attribute and the device is put in the data domain along with being put on the data access vlan. I found that if I don't profile and just pass 'device-traffic-class=voice' for all auths, the phone gets put in the voice vlan and the non-phones get put on the data access vlan, but all devices get assigned to the voice domain as well.

So what is the impact/significance of having all my devices in the voice domain? If I can avoid the extra processing load of profiling and still get the devices assigned to their proper vlans, why bother doing the profiling? Is there some benefit/reason that devices should be placed in the proper domain?

1 Reply

It's basically for security reasons, to protect voice endpoints from data endpoints. Let's take this example:

If you have an attacker who is running software that emulates a softphone plus software for VLAN tagging: once you place everything in the voice domain, the attacker will learn the voice VLAN through CDP and can compromise the voice network by tagging his traffic with the voice VLAN.

Now with profiling, this attacker will be detected as a workstation (depending on attributes) and will never access the voice VLAN, even with a CDP driver, as the switch places the endpoint in the data domain and will give it access to the data VLAN only.

In summary, profiling provides intelligence for more security. There is no point in placing ISE and bypassing it by putting everything in a single domain.
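To make the two policies in this thread concrete, here is an added example (not from either poster, and not Cisco code) that models the RADIUS authorization decision from the question and the resulting port behaviour from the reply. It profiles the endpoint by OUI from the Calling-Station-Id, returns the Access-Accept attributes, and then applies the multi-auth rule the reply describes: the 'device-traffic-class=voice' avpair decides the domain, and only a voice-domain endpoint gets its voice-VLAN-tagged frames admitted. The OUI table, VLAN numbers, the `PHONE_OUIS`/`authorize`/`switch_port_outcome` names and the simplified switch model are all assumptions made for the demo; only the avpair string comes from the post.

```python
"""Model of MAB multi-auth authorization with and without profiling.

Added example; every constant and function name here is an assumption for
the demonstration, except the 'device-traffic-class=voice' avpair, which is
the attribute named in the original question.
"""
import re

# Constructed OUI list standing in for the RADIUS server's profiling data.
PHONE_OUIS = {"00:1b:54", "64:16:8d"}  # assumed OUIs, demo only
VOICE_VLAN = 200                      # assumed voice VLAN id
DATA_VLAN = 100                       # assumed data access VLAN id


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55
    (the Calling-Station-Id formats a switch may send) and return
    lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def profile_is_phone(mac: str) -> bool:
    """Stand-in for the RADIUS profiler: OUI match only (assumption)."""
    return normalize_mac(mac)[:8] in PHONE_OUIS


def authorize(calling_station_id: str, profiling: bool) -> dict:
    """Build the Access-Accept attributes for one MAB request.

    profiling=True  -> the policy from the question: send the avpair only
                       to endpoints profiled as phones.
    profiling=False -> the shortcut the poster tried: send it to everyone.
    """
    attrs = {}
    if not profiling or profile_is_phone(calling_station_id):
        attrs["cisco-avpair"] = "device-traffic-class=voice"
    return attrs


def switch_port_outcome(attrs: dict, endpoint_tags_voice_vlan: bool) -> tuple:
    """Simplified model of the multi-auth port behaviour from the reply.

    The avpair decides the domain. Frames tagged with the voice VLAN are
    admitted only from a voice-domain endpoint; everything else lands on
    the data access VLAN. Returns (domain, VLAN the traffic is admitted on).
    """
    voice = attrs.get("cisco-avpair") == "device-traffic-class=voice"
    domain = "voice" if voice else "data"
    if voice and endpoint_tags_voice_vlan:
        return domain, VOICE_VLAN
    return domain, DATA_VLAN


def evaluate(mac: str, endpoint_tags_voice_vlan: bool, profiling: bool) -> tuple:
    """End-to-end: RADIUS decision followed by the switch's placement."""
    return switch_port_outcome(authorize(mac, profiling), endpoint_tags_voice_vlan)


if __name__ == "__main__":
    # Constructed endpoints: one phone OUI, one arbitrary workstation.
    phone, workstation = "001b.5412.3456", "aabb.ccdd.eeff"
    for profiling in (True, False):
        print(f"profiling={profiling}")
        print("  phone, tags voice VLAN      :", evaluate(phone, True, profiling))
        print("  workstation, untagged       :", evaluate(workstation, False, profiling))
        print("  workstation, tags voice VLAN:", evaluate(workstation, True, profiling))
```

The last line of each block is the one to watch: with profiling, a workstation that tags the voice VLAN still ends up in the data domain on the data VLAN; without profiling, the same workstation is in the voice domain and its tagged traffic is admitted. The untagged case looks identical either way, which is why the shortcut appeared to work in the original test.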