Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6892
Views
20
Helpful
10
Replies

MAB, MAC spoofing and Reprofiling,

Go to solution
bbriggs
Level 1
Level 1

‎08-07-2015 09:52 AM - edited ‎03-10-2019 10:58 PM

I have taken over a solution which employs MAB for wired devices which are not configured for dot1x  e.g. some IP Phones.

The laptops are all dot1x compliant and they must be using dot1x to access the network.

The MAB devices are recognised as such and they are profiled correctly as IP Phones, using the standard Cisco ISE Profiling Policies which employ a "cdpcacheplatform" value. They are therefore authorised to access the network.

However I am able to take a MAC address off of one of the MAB devices, power it down, configure that MAC address on a non-dot1x laptop (an illegal device) and it gains access to the network. ISE reports that the device is still an IP Phone.

Surely if ISE can profile this device as a phone, using the Authorisation rule in the Policy Set, then when the port goes down and I plug a laptop into the port, ISE should detect that it is no longer a phone and re-profile it.

My understanding is that MAB relates to Authentication rather than Authorisation and it is the Authorisaiton that I would expect to reoccur.

I have read the Cisco papers however while they state that MAB does not prevent MAC spoofing, they do not state that profiling cannot be used to mitigate the risk.

 

Has anyone a clear view on the relation of MAB to profiling and CoA?

 

Thanks

 

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ryfirth
Cisco Employee
Cisco Employee
In response to bbriggs

‎01-15-2017 10:32 AM

bbriggs, did you ever find a resolution for this?

View solution in original post

10 Replies 10

Go to solution
jan.nielsen
Level 7
Level 7

‎08-07-2015 02:32 PM

I believe that re-profiling only occurs when ise gets some new information upon authentication, so you should probably check which profiling probes you are using and actually have configured in your network, as cdp won't give you anything new, and the radius probe just has mac address which is the same, so nothing new there.

Also, maybe try deleting the mac address from the ise endpoint identity store (after disconnecting the phone) and then connect the pc with the spoofed mac addr, does it get profiled as a windows and or workstation?

0 Helpful

Go to solution
bbriggs
Level 1
Level 1
In response to jan.nielsen

‎08-10-2015 05:13 AM

There are quite a few probes running and I had hoped that the SNMPTraps could alert ISE or ISE would probe using SNMPQuery.

I can delete endpoint from the identity store and the device profiles as a laptop and is then blocked.

However my concern is that an unauthorised device could be introduced on to the network without my knowledge.I therefore would not know to delete its entry in the identity store.

I need a way for ISE to automatically detect that the method it used to profile the IP Phone, in this case CDP, is no longer valid since CDP is no longer being received on the switch-port.

Currently the Identity Store entry is merely updated with the new DATA IP address and name.

The profile still stays that the device is an IP Phone.

 

0 Helpful

Go to solution
ryfirth
Cisco Employee
Cisco Employee
In response to bbriggs

‎01-15-2017 10:32 AM

bbriggs, did you ever find a resolution for this?

Go to solution
bbriggs
Level 1
Level 1
In response to ryfirth

‎02-20-2017 11:17 AM

Yes Cisco eventually explained what was occurring. When a device gains access via MAB it is profiled. During the profiling a Certainty value is calculated. Let's say that a Certainty value for the IP Phone when profiled is 100.

Now let's assume that I spoof the MAC address of the IP Phone on my laptop.

I disconnect the IP Phone and plug in my laptop. It does not support dot1x (it would fail dot1x authentication) so it fails to MAB. (Assuming the auth order is dot1x then MAB).

My laptop is profiled and there will be various matches, however the Certainty value that it is a laptop is, for example, 80.

ISE does not update it's authentication "status" for that Endpoint.

ISE has an authentication\authorization Certainty value for that MAC address of 100 matching the profile of an IP Phone.

ISE does not, for want of a better expression, update its opinion.

Therefore my laptop is allowed on the network as an IP Phone.

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to bbriggs

‎02-20-2017 11:47 AM

I agree with this, my observation is also that almost nothing will make ISE change it's opinion of what profile an endpoint detected as. However i heard at the PVT and looked in the release notes for ISE 2.2, and it looks like some new feature has been introduced that sounds like it does something like re-profiling on the fly.

Ability to Detect Anomalous Behavior of Endpoints

Cisco ISE protects your network from the illegitimate use of a MAC address by detecting the endpoints involved in MAC address spoofing and allows you to restrict the permission of the suspicious endpoints. The following options are available in the profiler configuration page:

  • Enable Anomalous Behavior Detection—Cisco ISE probes for data and checks for any contradictions to the existing data. If any contradictions are found, the AnomalousBehavior attribute is set to true and the corresponding endpoints are displayed in the Context Visibility page.
  • Enable Anomalous Behavior Enforcement—A CoA is issued if anomalous behavior is detected. The suspicious endpoints are reauthorized based on the authorization rules configured in the Profiler Configuration page.

Go to solution
bbriggs
Level 1
Level 1
In response to jan.nielsen

‎02-20-2017 11:51 AM

Thanks for that, we are considering that upgrade and any argument to get some momentum is always good.

Cheers

0 Helpful

Go to solution
Eyounes@yahoo.com
Level 1
Level 1
In response to jan.nielsen

‎03-22-2019 07:10 AM

Hello , i was wondering is Enable Anomalous Behavior Detection would also work on IP Spoofing. 

Here is the scenario the ISE Authorised and Authenticate based on 802.1x the Laptop. This laptop spoofs an ip address on the network. Would ISE be able to trigger using this option to reprofile the delinquent Laptop?

Thank you 

0 Helpful

Go to solution
BrianPersaud
Spotlight
Spotlight
In response to Eyounes@yahoo.com

‎08-08-2019 10:01 AM

I am on 2.4 Patch 9 with the same issues.  I just enabled Enable Anomalous Behaviour Detection and Enable Anomalous Behaviour Enforcement.  I will test over the next 24 hours and see if this helps.  Otherwise it is a major security flaw.

0 Helpful

Go to solution
iazzam001
Level 1
Level 1
In response to BrianPersaud

‎09-07-2019 12:40 PM

Please update us about your findings after the upgrade to 2.4 since we are facing the same issue and we are running on 2.2

0 Helpful

Go to solution
BrianPersaud
Spotlight
Spotlight
In response to iazzam001

‎09-09-2019 05:37 AM

I retested after enabling Enable Anomalous Detection and enforcement

 

It worked as expected.  After connecting the ip phone it profiled it as a IP phone.  I then disconnected the IP phone and connected a laptop with the same mac address.  It allowed the laptop for a few secs based on the mac address.  Then after the laptop was profiled it detected it was a windows 10 device and blocked the mac address.

I then disconnected the laptop and reconnected back the ip phone.  However ISE seemed to have blocked the mac address permanently.  I deleted the mac address from the ISE database to fix this.

 

Thanks 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents