Is there a way to prevent Mac Spoofing using ISE 2.2+ and or local switch policies?

I am currently doing MAB on my ports using ISE 2.2, and it's been working great. Recently an issue was brought to me which I've been giving some thought, but can't come up with a solution to. Security had some pen-testers come in and spoof a MAC address on the network, and then gain access to the network. They want this closed up, but I'm not convinced that this can be completely stopped.

 

Have you guys had any success preventing this type of behavior using ISE, local policies, or a combination of products?

 

-Thanks

6 Replies

Damien Miller (VIP Alumni)

Josh, have you read up on the section related to anomalous client behavior detection? There is some baseline logic built in to ISE to help detect and stop this from happening. It is a feature that Cisco has been actively developing, we may see future enhancements. It might be enough to stop/satisfy your pen testers.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010101.html#concept_EAB7AB3B9BAE4A9E93A53A8282E20D88

Jason Kunst (Cisco Employee)

First recommendation: get rid of MAB. This should only be used as a last resort. It sounds like all you do is MAB, and that's not secure at all.

They are running MAB and Dot1x on the ports. All the computers at this company connect through a phone. The phone uses MAB, and then the computers authenticate with Dot1x. This is how they already had some company implement it before I came in to do some work for them. This is just another issue they threw at me. 

 

@Jason Kunst How can you get rid of MAB? There are so many devices that don't support 802.1X. Thanks for any tips.

 

@Josh Harmacinski I believe you should determine all the devices that are using MAB (IP phones, printers, cameras, etc.). Then write policies that allow successfully profiled devices and, for all devices that aren't successfully profiled, send 'em to the null VLAN.

 

Hope this helps.  
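The two suggestions in this thread (the anomalous client behaviour detection Damien points to, and the accepted advice to permit only endpoints that profile into a known device class and drop the rest into a null VLAN) can be modelled together. The following is added example code, not Cisco's or ISE's implementation and not code from any poster: it remembers what each MAC looked like the last time it authenticated (NAS-Port-Type, DHCP class identifier, profiler result), flags the endpoint when those change in a way one physical device would not produce, and then applies a profiling-based authorization policy. The VLAN numbers, profile names and the `Session`/`Authorizer` helpers are assumptions for the example; the sample sessions are constructed.

```python
"""Toy model of MAB authorization with anomalous-endpoint detection.

Added example, not ISE's implementation. It mirrors two ideas from the thread:
1. flag an endpoint whose observed attributes change between sessions in a way
   a single physical device would not produce (wired <-> wireless flip,
   different DHCP class identifier, different endpoint profile);
2. permit MAB endpoints only when they profile into a known device class, and
   send everything else to a null VLAN.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed VLAN plan: a data VLAN for 802.1X hosts, one VLAN per profiled MAB
# device class, and a null VLAN (no gateway, no DHCP) for everything else.
DATA_VLAN = 10
NULL_VLAN = 999
PROFILE_VLANS = {
    "Cisco-IP-Phone": 20,
    "HP-Printer": 30,
    "Axis-Camera": 40,
}


@dataclass
class Session:
    """One authentication attempt as the RADIUS server would see it (constructed)."""
    mac: str
    method: str                   # "dot1x" or "mab"
    nas_port_type: str            # RADIUS NAS-Port-Type, e.g. "Ethernet" / "Wireless-802.11"
    dhcp_class_id: Optional[str]  # DHCP option 60 seen by the profiler, None if not seen
    profile: Optional[str]        # profiler result, None if the endpoint did not profile


@dataclass
class EndpointState:
    """What we remember about a MAC between sessions."""
    nas_port_type: str
    dhcp_class_id: Optional[str]
    profile: Optional[str]
    anomalous: bool = False
    reasons: list[str] = field(default_factory=list)


class Authorizer:
    def __init__(self) -> None:
        self.endpoints: dict[str, EndpointState] = {}

    def anomalies(self, s: Session) -> list[str]:
        """Attribute changes that one physical device should not produce."""
        prev = self.endpoints.get(s.mac)
        if prev is None:
            return []
        found = []
        if prev.nas_port_type != s.nas_port_type:
            found.append(f"NAS-Port-Type {prev.nas_port_type} -> {s.nas_port_type}")
        if prev.dhcp_class_id and s.dhcp_class_id and prev.dhcp_class_id != s.dhcp_class_id:
            found.append(f"DHCP class id {prev.dhcp_class_id!r} -> {s.dhcp_class_id!r}")
        if prev.profile and s.profile and prev.profile != s.profile:
            found.append(f"profile {prev.profile} -> {s.profile}")
        return found

    def authorize(self, s: Session) -> tuple[str, int]:
        """Return (decision, vlan) for this session and update endpoint memory."""
        found = self.anomalies(s)
        state = self.endpoints.setdefault(
            s.mac, EndpointState(s.nas_port_type, s.dhcp_class_id, s.profile)
        )
        if found:
            # Sticky flag: the endpoint stays marked until an admin clears it.
            state.anomalous = True
            state.reasons.extend(found)
        # Remember the latest observation so the next change is also caught;
        # keep the old DHCP/profile value if this session did not carry one.
        state.nas_port_type = s.nas_port_type
        state.dhcp_class_id = s.dhcp_class_id or state.dhcp_class_id
        state.profile = s.profile or state.profile

        if state.anomalous:
            return ("QUARANTINE", NULL_VLAN)
        if s.method == "dot1x":
            return ("PERMIT", DATA_VLAN)
        if s.profile in PROFILE_VLANS:
            return ("PERMIT", PROFILE_VLANS[s.profile])
        # MAB endpoint that did not profile into a known class: null VLAN.
        return ("DENY", NULL_VLAN)

    def clear(self, mac: str) -> None:
        """Manual clear of the anomalous flag after investigation."""
        state = self.endpoints.get(mac)
        if state:
            state.anomalous = False
            state.reasons.clear()


if __name__ == "__main__":
    # Constructed scenario: a phone authenticates by MAB, then a laptop that
    # cloned the phone's MAC plugs into the same port and asks for DHCP.
    a = Authorizer()
    phone = Session("00:11:22:33:44:55", "mab", "Ethernet", "Cisco Systems, Inc. IP Phone", "Cisco-IP-Phone")
    clone = Session("00:11:22:33:44:55", "mab", "Ethernet", "MSFT 5.0", "Workstation")
    for s in (phone, clone, phone):
        print(s.method, s.profile, "->", a.authorize(s))
    print(a.endpoints[phone.mac].reasons)
```

Two caveats a practitioner should keep in mind. First, the detection only fires after the endpoint has already authenticated and started to look different, so in practice it needs a CoA to re-authorize the session once the flag is set; the flag is evidence to investigate, not proof, and it must be cleared by hand. Second, a tester who clones the phone's MAC and also its DHCP class identifier, stays on the same wired port and never lets the profiler see anything else will still match the phone profile. That is why the profiled-device policy above grants only the VLAN (or dACL) that device class actually needs rather than full access: a spoofed phone MAC should buy the attacker nothing more than the voice VLAN.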

 

 

If it doesn't support anything but MAB, then you're out of luck.

What kind of phones do you have doing MAB?
