
Is there a way to prevent MAC spoofing using ISE 2.2+ and/or local switch policies?

I am currently doing MAB on my ports using ISE 2.2, and it's been working great. Recently an issue was brought to me which I've been giving some thought, but can't come up with a solution to. Security had some pen-testers come in and spoof a MAC address on the network, and then gain access to the network. They want this closed up, but I'm not convinced that this can be completely stopped.

Have you guys had any success preventing this type of behavior using ISE, local policies, or a combination of products?

-Thanks

6 Replies
VIP Advocate

Re: Is there a way to prevent Mac Spoofing using ISE 2.2+ and or local switch policies?

Josh, have you read up on the section related to anomalous client behavior detection? There is some baseline logic built into ISE to help detect and stop this from happening. It is a feature that Cisco has been actively developing; we may see future enhancements. It might be enough to stop/satisfy your pen testers.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010101.html#concept_EAB7AB3B9BAE4A9E93A53A8282E20D88
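The anomalous client behavior detection referenced above works by comparing an endpoint's profiling attributes across sessions (for example NAS-Port-Type, the DHCP class identifier and the endpoint policy ISE assigned) and flagging a MAC whose attributes change, which is what happens when a MAB-authorized phone or printer address is reused by a different kind of host. As an added illustration, not ISE's code and not part of the original reply, here is a minimal Python model of that logic run over constructed records; the field names, the sample values and the `SENSITIVE_PROFILES` set are assumptions made for the example.

```python
"""Flag MAB endpoints whose observed attributes change between sessions.

Added illustration of the attribute-change idea behind ISE anomalous
endpoint detection; it is not ISE's implementation and the records
below are constructed, not real RADIUS or profiling data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointObservation:
    mac: str
    nas_port_type: str    # e.g. "Ethernet" or "Wireless-802.11"
    dhcp_class_id: str    # DHCP option 60 vendor class, "" if none seen yet
    endpoint_policy: str  # profile assigned by the profiler, e.g. "Cisco-IP-Phone"


# Constructed sample observations (assumed values, not captured logs).
OBSERVATIONS = [
    EndpointObservation("00:1b:d4:aa:bb:cc", "Ethernet",
                        "Cisco Systems, Inc. IP Phone CP-7965G", "Cisco-IP-Phone"),
    EndpointObservation("00:1b:d4:aa:bb:cc", "Ethernet",
                        "Cisco Systems, Inc. IP Phone CP-7965G", "Cisco-IP-Phone"),
    # The same MAC later shows a workstation DHCP class and profile:
    # the pattern a MAB-only port cannot distinguish on its own.
    EndpointObservation("00:1b:d4:aa:bb:cc", "Ethernet",
                        "MSFT 5.0", "Windows10-Workstation"),
    EndpointObservation("3c:5a:b4:11:22:33", "Ethernet", "", "HP-Printer"),
    EndpointObservation("3c:5a:b4:11:22:33", "Ethernet", "", "HP-Printer"),
]

# Attributes compared between consecutive observations of one MAC.
TRACKED = ("nas_port_type", "dhcp_class_id", "endpoint_policy")

# Assumed set of low-privilege, MAB-class device profiles; a move from one of
# these to a general-purpose profile is the case the thread is worried about.
SENSITIVE_PROFILES = {"Cisco-IP-Phone", "HP-Printer", "IP-Camera"}


def find_anomalies(observations):
    """Return (mac, attribute, old, new) tuples for tracked attributes that changed."""
    last_seen = {}
    anomalies = []
    for obs in observations:
        prev = last_seen.get(obs.mac)
        if prev is not None:
            for attr in TRACKED:
                old, new = getattr(prev, attr), getattr(obs, attr)
                # Learning a DHCP class for the first time is not a change.
                if attr == "dhcp_class_id" and old == "":
                    continue
                if old != new:
                    anomalies.append((obs.mac, attr, old, new))
        last_seen[obs.mac] = obs
    return anomalies


def macs_to_quarantine(anomalies):
    """MACs whose endpoint_policy moved from a MAB-class profile to another profile."""
    return sorted({
        mac for mac, attr, old, new in anomalies
        if attr == "endpoint_policy"
        and old in SENSITIVE_PROFILES and new not in SENSITIVE_PROFILES
    })


if __name__ == "__main__":
    found = find_anomalies(OBSERVATIONS)
    for anomaly in found:
        print("anomaly:", anomaly)
    print("quarantine:", macs_to_quarantine(found))
```

In production the quarantine list would feed a CoA or a change of authorization policy rather than a print statement; the point of the model is that detection relies on attributes the spoofing host does not control as easily as its MAC, so the check is only as good as the profiling data collected for the original device.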

Cisco Employee

Re: Is there a way to prevent Mac Spoofing using ISE 2.2+ and or local switch policies?

First recommendation: get rid of MAB. This should only be used as a last resort. It sounds like all you do is MAB and that's not secure at all.

Re: Is there a way to prevent Mac Spoofing using ISE 2.2+ and or local switch policies?

They are running MAB and Dot1x on the ports. All the computers at this company connect through a phone. The phone uses MAB, and then the computers authenticate with Dot1x. This is how they already had some company implement it before I came in to do some work for them. This is just another issue they threw at me. 

Beginner (accepted solution)

Re: Is there a way to prevent Mac Spoofing using ISE 2.2+ and or local switch policies?

@Jason Kunst How can you get rid of MAB? There are so many devices that don't support 802.1x. Thanks for any tips.

@Josh Harmacinski I believe you should determine all the devices that are using MAB (IP phones, printers, cameras, etc.). Then write policies that allow successfully profiled devices and, for all devices that aren't successfully profiled, send them to the null VLAN.

Hope this helps.

Cisco Employee

Re: Is there a way to prevent Mac Spoofing using ISE 2.2+ and or local switch policies?

If it doesn't support anything but MAB then you're out of luck.

ajc, Frequent Contributor

Re: Is there a way to prevent Mac Spoofing using ISE 2.2+ and or local switch policies?

What kind of phones do you have doing MAB?