10-15-2018 10:25 AM - edited 03-11-2019 01:50 AM
I am currently doing MAB on my ports using ISE 2.2, and it's been working great. Recently an issue was brought to me which I've been giving some thought, but can't come up with a solution to. Security had some pen-testers come in and spoof a MAC address on the network, and then gain access to the network. They want this closed up, but I'm not convinced that this can be completely stopped.
Have you guys had any success preventing this type of behavior using ISE, local policies, or a combination of products?
-Thanks
10-18-2018 10:50 AM
@Jason Kunst How can you get rid of MAB? There are so many devices that don't support 802.1X. Thanks for any tips.
@Josh Harmacinski I believe you should determine all the devices that are using MAB (IP Phones, printers, cameras, etc.). Then write policies that allow successfully profiled devices and, for all devices that aren't successfully profiled, send them to the null VLAN.
Hope this helps.
10-15-2018 04:48 PM - edited 10-15-2018 04:48 PM
Josh, have you read up on the section related to anomalous client behavior detection? There is some baseline logic built into ISE to help detect and stop this from happening. It is a feature that Cisco has been actively developing, so we may see future enhancements. It might be enough to stop/satisfy your pen testers.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010101.html#concept_EAB7AB3B9BAE4A9E93A53A8282E20D88
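Added example (not code from the thread or from Cisco): a small Python model of the two controls suggested in this thread, the "trusted profile or null VLAN" authorization policy and ISE-style anomalous client checks (NAS-Port-Type, DHCP class identifier and endpoint-policy changes for a MAC the policy server already knows). The profile names, the VLAN name and the sample sessions are constructed for illustration; the endpoint policy is assumed to arrive already assigned by the profiler.

```python
from __future__ import annotations
from dataclasses import dataclass

NULL_VLAN = "null-vlan"  # constructed placeholder name for the quarantine VLAN
# Constructed list of profiles that MAB is allowed to admit (phones, printers, cameras).
TRUSTED = frozenset({"Cisco-IP-Phone", "HP-Printer", "Axis-Camera"})

@dataclass
class Endpoint:
    policy: str          # endpoint policy the profiler assigned (carried in the event)
    nas_port_type: str   # RADIUS NAS-Port-Type, e.g. Ethernet vs Wireless-802.11
    dhcp_class: str      # DHCP option 60 vendor class identifier
    anomalous: bool = False

def anomalies(known: Endpoint, ev: dict) -> list[str]:
    """Attributes that changed for a MAC already on record; each one is an anomaly signal."""
    checks = (("nas_port_type", "NAS-Port-Type"), ("dhcp_class", "DHCP class"),
              ("policy", "endpoint policy"))
    return [f"{label}: {getattr(known, key)} -> {ev[key]}"
            for key, label in checks if ev[key] != getattr(known, key)]

def authorize(store: dict[str, Endpoint], ev: dict) -> tuple[str, list[str]]:
    """Return (decision, reasons) for one MAB session; `store` persists across sessions."""
    mac = ev["mac"].lower()  # normalize so case differences never create a "new" endpoint
    known = store.get(mac)
    reasons: list[str] = []
    if known is None:
        known = store[mac] = Endpoint(ev["policy"], ev["nas_port_type"], ev["dhcp_class"])
    else:
        reasons = anomalies(known, ev)
        if reasons:
            known.anomalous = True   # sticky until an administrator clears it
    if known.anomalous:
        return NULL_VLAN, reasons
    if known.policy not in TRUSTED:
        return NULL_VLAN, ["not a trusted profile: " + known.policy]
    return "permit", []

def run(events: list[dict]) -> list[tuple[str, list[str]]]:
    store: dict[str, Endpoint] = {}
    return [authorize(store, ev) for ev in events]

# Constructed sample sessions: a profiled phone, the same MAC later presenting workstation
# attributes, and an endpoint the profiler could not classify.
SAMPLE = [
    {"mac": "00:1B:54:AA:BB:CC", "policy": "Cisco-IP-Phone", "nas_port_type": "Ethernet",
     "dhcp_class": "Cisco Systems, Inc. IP Phone"},
    {"mac": "00:1b:54:aa:bb:cc", "policy": "Microsoft-Workstation", "nas_port_type": "Ethernet",
     "dhcp_class": "MSFT 5.0"},
    {"mac": "00:11:22:33:44:55", "policy": "Unknown", "nas_port_type": "Ethernet",
     "dhcp_class": ""},
]
```

Running `run(SAMPLE)` permits the first session, sends the second to the null VLAN with two recorded anomalies, and sends the unprofiled endpoint to the null VLAN as well.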
10-16-2018 09:40 AM
They are running MAB and Dot1x on the ports. All the computers at this company connect through a phone. The phone uses MAB, and then the computers authenticate with Dot1x. This is how they already had some company implement it before I came in to do some work for them. This is just another issue they threw at me.
10-19-2018 01:37 PM
What kind of phones do you have doing MAB?