Tuning and detect unauthorized device connect to network

Da ICS16
Level 1

Dear Community,

To prevent cyber attacks / advanced attacks, we are looking to enhance security with ISE.

Hence, we would seek your support and advice on how to tune a stronger defence and how to detect/block/drop unauthorized devices (external/outside devices) including BYOD, PCs, hubs... trying to connect to our internal network.

1. In case the NAD is configured with low-impact mode (multi-auth), are there any pros and cons?

2. ISE integrates with Active Directory, using EAP-TLS for trusted machine certificates and MSCHAPv2 for users. Any recommendations/suggestions on it?

3. Do we have a good practice for MAB profiling besides OUI-based?

4. Is it possible for ISE to send an email to notify us when there is any bad attempt?

5. Are other protocols required?

6. For Windows OS we understand EAP-TLS; how about the operating system "macOS"? Is it working properly with EAP-TLS or not? If yes, why? If not, why?

Objective: ISE will detect/alarm when an unauthorized device tries to connect/attempt or is compromised, so that we can perform remediation on time, or ISE auto rejects/drops the session during that time.

Thanks for your comments/support.


1 Reply

Arne Bier
VIP

1. In case the NAD is configured with low-impact mode (multi-auth), are there any pros and cons?

Multi-auth is advised, especially if you have desk phones, and docks/PCs connected to the phone. Yes, multi-domain will also allow 1 DATA and 1 VOICE MAC address, but multi-domain is too strict - I have seen cases where the phone MAC address can land in the DATA domain (even for a millisecond) and then it violates the multi-domain rule, and the interface is err-disabled (shut) - multi-auth is fine.

2. ISE integrates with Active Directory, using EAP-TLS for trusted machine certificates and MSCHAPv2 for users. Any recommendations/suggestions on it?

MSCHAPv2 for user auth will soon become harder to do because of Windows Credential Guard. Why are you doing user auth? Is that machine used by more than one user? And would you authorise different users with different VLAN/dACLs?  The recommended solution these days is EAP-TEAP, with machine and user certificates (and not MSCHAPv2).

3. Do we have a good practice for MAB profiling besides OUI-based?

This is a big topic and everyone will have their own best practice. Using the vendor OUI string checks and/or MAC Address prefix is certainly simple and convenient. Always remember that MAB is not security. It's a BYPASS of proper (EAP) security. Therefore, whatever you do to profile your devices is not related to security - it's related to convenience and accuracy. You want profiling to be reliable and accurate, and not a pain for the operations team to onboard new (out of the box) devices. SNMP is a great example of this. To configure SNMP you need access to the device. But if ISE is blocking new devices because it relies on SNMP profiling, then you have a catch-22. You have to stage/prep the device prior to connecting to the network. Painful.

Try using DHCP, LLDP and CDP profiling as much as you can. Avoid SNMP unless you must use it to distinguish tricky devices (e.g. MAC OUI is "HP Inc" - oh boy ... that could be a PC, Server, Printer or anything. If the endpoints run SNMP then you might discover it's a Printer, and not a PC). DHCP is still the #1 profiling hint - but you must tell people to enable DHCP and stop being paranoid about it - some folks love static IPs. It drives me mad.

4. Is it possible for ISE to send an email to notify us when there is any bad attempt?

Not a good idea - you'll be spammed to death if things go wrong. I don't recall if there is an email Alarm for failed auth. Have a look.

5. Are other protocols required?

What do you mean?

6. For Windows OS we understand EAP-TLS; how about the operating system "macOS"? Is it working properly with EAP-TLS or not? If yes, why? If not, why?

EAP-TLS works with macOS. The problem with Apple is that they don't make it easy to configure their 802.1X supplicants. Without any software tools, you can connect using EAP-PEAP(MSCHAPv2) but you need additional software to configure an EAP-TLS profile into macOS - e.g. Apple Configurator or an MDM (e.g. Intune, Meraki, etc.)
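As an added illustration of the profiling point made in the reply above (this is example code written for this page, not Cisco's code and not how ISE implements its profiler internally), the small Python model below scores an endpoint's OUI, DHCP class identifier, LLDP and CDP hints against candidate profiles with a certainty threshold. It shows why an OUI of "HP Inc" on its own stays ambiguous, how a DHCP or LLDP hint breaks the tie, and that an Unknown endpoint under MAB gets a deny rather than a permit, because a MAB match is an authorization convenience, not authentication. The profile names, rule weights, threshold, dACL names, MAC addresses and endpoint attributes are all constructed for the example.

```python
"""Added example (not Cisco ISE code): a toy endpoint profiler that scores
MAB profiling hints the way the reply describes. The profile names, rule
weights, certainty threshold and sample endpoint attributes below are all
constructed for illustration and do not come from any ISE installation."""

# Each rule: (endpoint attribute, substring to look for, certainty points).
# OUI alone scores low on purpose: an "HP Inc" MAC could be a PC or a printer.
PROFILES = {
    "HP-Printer": [
        ("oui", "HP Inc", 10),
        ("dhcp_class_identifier", "JetDirect", 30),
        ("lldp_system_description", "LaserJet", 30),
    ],
    "HP-Workstation": [
        ("oui", "HP Inc", 10),
        ("dhcp_class_identifier", "MSFT 5.0", 30),
        ("lldp_system_description", "Windows", 20),
    ],
    "Cisco-IP-Phone": [
        ("oui", "Cisco Systems", 10),
        ("cdp_platform", "Cisco IP Phone", 40),
        ("dhcp_class_identifier", "IP Phone", 30),
    ],
}

# Minimum certainty before a profile is trusted for a MAB authorization match.
MIN_CERTAINTY = 20

# Profile -> authorization result the switch would enforce (constructed names).
AUTHZ_BY_PROFILE = {
    "HP-Printer": "PERMIT_PRINTER_DACL",
    "HP-Workstation": "PERMIT_WORKSTATION_DACL",
    "Cisco-IP-Phone": "PERMIT_VOICE_DOMAIN",
}


def score(endpoint: dict[str, str]) -> dict[str, int]:
    """Sum the points of every rule whose substring appears (case-insensitively)
    in the endpoint's attribute. Missing attributes contribute nothing."""
    scores = {}
    for profile, rules in PROFILES.items():
        total = 0
        for attr, needle, points in rules:
            if needle.lower() in endpoint.get(attr, "").lower():
                total += points
        scores[profile] = total
    return scores


def classify(endpoint: dict[str, str], min_certainty: int = MIN_CERTAINTY) -> tuple[str, int]:
    """Return (profile, certainty). A profile is assigned only if it reaches the
    threshold and no other profile ties it; otherwise the endpoint stays Unknown."""
    scores = score(endpoint)
    best_score = max(scores.values())
    leaders = [p for p, s in scores.items() if s == best_score]
    if best_score < min_certainty or len(leaders) != 1:
        return "Unknown", best_score
    return leaders[0], best_score


def mab_authorize(endpoint: dict[str, str]) -> str:
    """MAB is a bypass, not authentication: an Unknown endpoint gets a deny
    (in low-impact mode this would be the restricted pre-auth ACL instead),
    never a full permit."""
    profile, _ = classify(endpoint)
    return AUTHZ_BY_PROFILE.get(profile, "DENY_ACCESS")


# Constructed sample endpoints, following the hints the reply discusses.
OUI_ONLY_HP = {"mac": "3C:D9:2B:00:00:01", "oui": "HP Inc"}
HP_WITH_DHCP = {**OUI_ONLY_HP, "dhcp_class_identifier": "Hewlett-Packard JetDirect"}
STATIC_IP_WORKSTATION = {"mac": "3C:D9:2B:00:00:02", "oui": "HP Inc",
                         "lldp_system_description": "Windows 11 host"}
PHONE_VIA_CDP = {"mac": "00:1B:54:00:00:03", "oui": "Cisco Systems",
                 "cdp_platform": "Cisco IP Phone 8841"}

if __name__ == "__main__":
    samples = [("OUI only", OUI_ONLY_HP), ("OUI + DHCP", HP_WITH_DHCP),
               ("static IP, LLDP only", STATIC_IP_WORKSTATION), ("CDP", PHONE_VIA_CDP)]
    for name, ep in samples:
        print(f"{name:22} -> {classify(ep)} -> {mab_authorize(ep)}")
```

The OUI-only endpoint ties between two HP profiles at 10 points and stays Unknown, so it is denied; the same MAC with a JetDirect DHCP class identifier scores 40 as a printer, and a static-IP host with only an LLDP hint still resolves as a workstation, which is why the reply ranks DHCP first but keeps LLDP/CDP as the fallback hints.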