rmoraisf
Cisco Employee

A main concern shared by admins while deploying a network access control solution is the ability to detect and block rogue network devices when users attempt to connect them to wired access points.

If the access switches have ports configured to use 802.1x/MAB (access mode) and send authentication and authorization requests to ISE, there are two scenarios for rogue network device detection:

1) L3 device with an IP address, capable of routing and NATing traffic (routers). In this scenario, the device is treated as an endpoint and must be authenticated and authorized before forwarding any traffic. If the device supports 802.1x, Radius authentication takes place and authorization is completed (let’s assume that valid credentials are used and accepted); ISE then uses its sensors and probes to define a profile. If 802.1x is not supported, MAB takes place. Depending on the authorization policies, the device either never gets access to the network (guest flow or MAC allow list) or gets authorized (open authentication), and then ISE defines a profile.

No matter what type of port control we have configured, profiling is a valuable resource for rogue network device detection. ISE can use several different data sources to enrich the profiles, including active probes (Netflow, DHCP, DNS, HTTP, Radius, Nmap, SNMP and AD), device sensors (CDP, LLDP, DHCP, HTTP, H.323, SIP and mDNS) and AnyConnect (ACIDex). The most relevant profiling attributes that help rogue network device detection are MAC OUI and CDP/LLDP attributes. Radius, SNMP and DHCP probes can be used to collect those attributes. If the authentication/authorization fails, the profile is not defined and the info that we can collect is the failure event log.

Once we have collected the appropriate profiling attributes, ISE matches the profiling conditions associated with specific profiles, which may be built-in or customized. We can find built-in device profiles grouped into "Home Network Devices" and "Infrastructure Network Devices"; some examples of these profiles are:

  • 2Wire
  • Apple-Airport
  • DLink
  • EquipTrans
  • Linksys
  • Netgear
  • NetSys
  • TP-Link
  • Z-Com
  • Aerohive
  • Arris
  • Aruba
  • Extreme
  • F5
  • Juniper
  • Router
  • Sonicwall
  • 3Com
  • Huawei
  • Belkin
  • Enterasys
  • Nortel
  • Trendnet
  • ZTE

The generic "Router" profile is assigned to the device if ISE uses LLDP as a probe and the capability is defined as "Router" (code R).

Note that some of these profiles might also be associated with real endpoints, such as smartphones and tablets, so this could result in false positives.

Using the profiling service to support rogue network device detection can be helpful both to improve visibility and establish granular policy enforcement. We can create reports and authorization policies based on the profiles that are listed above. Depending on what the network admin wants to achieve, we can create a list of conditions including all the profiles that could match a rogue network device or we can use reverse logic and include only the authorized devices, so anything not included in the list will be rejected and reported.
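The two policy styles described above (a list of conditions covering the network-device profiles, or the reverse logic with an allow list of authorized profiles) and the generic "Router" profile from LLDP capability R, as an added example that is not Cisco's or ISE's own code. It is a deliberately small model: the OUI-to-vendor table and its prefixes are constructed placeholders, the ordered rule list stands in for ISE's certainty-factor scoring, and the profile names `Workstation` and `Cisco-IP-Phone` are used here as the trusted profiles of the allow list.

```python
from dataclasses import dataclass, field

# Constructed OUI-to-vendor table for this demo only; the prefixes are
# placeholders, not real IEEE assignments. ISE ships the real OUI registry.
OUI_VENDOR = {
    "00:00:a1": "Linksys",
    "00:00:a2": "Netgear",
    "00:00:a3": "Cisco",
    "00:00:a4": "Dell",
}


@dataclass
class Endpoint:
    """Attributes a Radius/SNMP/LLDP probe would hand to the profiler."""
    mac: str
    # LLDP system capability codes: R=router, B=bridge, T=telephone,
    # S=station, W=WLAN access point.
    lldp_capabilities: set = field(default_factory=set)

    @property
    def vendor(self):
        return OUI_VENDOR.get(self.mac.lower()[:8])


# Ordered profiling rules (assumed, simplified): first match wins, so the
# vendor-specific profiles are listed before the generic Router profile,
# which is assigned from LLDP capability R exactly as the page describes.
PROFILING_RULES = [
    ("Linksys", lambda e: e.vendor == "Linksys"),
    ("Netgear", lambda e: e.vendor == "Netgear"),
    ("Router", lambda e: "R" in e.lldp_capabilities),
    ("Cisco-IP-Phone", lambda e: e.vendor == "Cisco" and "T" in e.lldp_capabilities),
    ("Workstation", lambda e: e.vendor == "Dell"),
]

# Subset of the built-in network-device profiles listed on the page.
NETWORK_DEVICE_PROFILES = {
    "2Wire", "Apple-Airport", "DLink", "Linksys", "Netgear", "TP-Link",
    "Router", "Juniper", "Aruba", "Huawei",
}

# Reverse logic: only these profiles are authorized; everything else is
# rejected and reported.
AUTHORIZED_PROFILES = {"Workstation", "Cisco-IP-Phone"}


def profile_endpoint(endpoint):
    """Return the first profile whose condition matches, else 'Unknown'."""
    for name, condition in PROFILING_RULES:
        if condition(endpoint):
            return name
    return "Unknown"


def authorize_denylist(profile):
    """Policy built from the list of rogue-looking profiles."""
    return "DenyAccess" if profile in NETWORK_DEVICE_PROFILES else "PermitAccess"


def authorize_allowlist(profile):
    """Reverse logic: anything not explicitly authorized is rejected."""
    return "PermitAccess" if profile in AUTHORIZED_PROFILES else "DenyAccess"


def evaluate(mac, lldp_capabilities=()):
    """Profile one endpoint and show what each policy style would decide."""
    endpoint = Endpoint(mac, set(lldp_capabilities))
    profile = profile_endpoint(endpoint)
    return {
        "profile": profile,
        "denylist": authorize_denylist(profile),
        "allowlist": authorize_allowlist(profile),
    }


if __name__ == "__main__":
    # Constructed sample endpoints: a Linksys box, an unknown-OUI device
    # advertising LLDP capability R, an unknown-OUI device with no LLDP,
    # a Cisco phone (B+T) and a Dell workstation.
    samples = [
        ("00:00:a1:12:34:56", ()),
        ("00:00:ff:00:00:01", {"R"}),
        ("00:00:ff:00:00:02", ()),
        ("00:00:a3:00:00:03", {"B", "T"}),
        ("00:00:a4:00:00:04", ()),
    ]
    for mac, caps in samples:
        print(mac, evaluate(mac, caps))
```

The third sample is the point of the reverse logic: a device with an unknown OUI and no LLDP never matches a network-device profile, so the deny-list policy lets it through, while the allow-list policy rejects it and leaves an entry to report on.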

2) L2 device without an IP address (switch, bridge, hub). In this scenario, ISE cannot authenticate the network device because it has no visibility of the device's MAC address. It doesn’t see it as an endpoint. ISE authenticates the endpoints connected behind those devices.

It’s possible to prevent users from sharing a single access port among multiple devices by setting the port-control host-mode (Single-host, Multi-domain, Multi-auth or Multi-host).
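How the host-mode setting changes what an unmanaged switch or hub behind an access port looks like, as an added example that is not Cisco's own code. It audits the data MACs learned per port against a simplified model of the Cisco IOS host-mode semantics (single-host and multi-domain allow one data host, multi-auth authenticates every host individually, multi-host authenticates only the first); voice-domain handling is left out, and the port names and MAC addresses are constructed sample data.

```python
# Data-host limit per authentication host-mode (simplified model of the
# Cisco IOS semantics; None means no fixed limit). Voice domain omitted.
HOST_MODE_DATA_LIMIT = {
    "single-host": 1,
    "multi-domain": 1,
    "multi-auth": None,
    "multi-host": None,
}


def evaluate_port(host_mode, data_macs):
    """Return (status, detail) for the data MACs observed on one port."""
    if host_mode not in HOST_MODE_DATA_LIMIT:
        raise ValueError(f"unknown host-mode {host_mode!r}")
    # Normalise case so the same host reported twice is counted once.
    unique = {mac.lower() for mac in data_macs}
    n = len(unique)
    limit = HOST_MODE_DATA_LIMIT[host_mode]
    if limit is not None and n > limit:
        # The switch treats the extra MACs as a security violation (the
        # action is whatever `authentication violation` is set to); the
        # population itself points at an unmanaged switch or hub downstream.
        return "violation", (f"{n} data MACs on a {host_mode} port (limit {limit}); "
                             "possible unmanaged switch or hub")
    if host_mode == "multi-host" and n > 1:
        # Allowed by the port, but only the first host was authenticated;
        # the others inherit its session and are not seen by ISE.
        return "warning", (f"{n} data MACs behind a multi-host port; only the first "
                           "was authenticated, the rest ride its session")
    return "ok", f"{n} data MAC(s) within the {host_mode} policy"


# Constructed sample: the host-mode configured on each port and the MACs the
# switch learned on it. Gi1/0/2, Gi1/0/3 and Gi1/0/4 see the same three hosts
# under different host-modes.
PORT_HOST_MODE = {
    "Gi1/0/1": "single-host",
    "Gi1/0/2": "single-host",
    "Gi1/0/3": "multi-auth",
    "Gi1/0/4": "multi-host",
}
THREE_HOSTS = ["00:00:a4:00:00:02", "00:00:a4:00:00:03", "00:00:a4:00:00:04"]
OBSERVED_MACS = {
    "Gi1/0/1": ["00:00:a4:00:00:01", "00:00:A4:00:00:01"],  # one host, two reports
    "Gi1/0/2": THREE_HOSTS,
    "Gi1/0/3": THREE_HOSTS,
    "Gi1/0/4": THREE_HOSTS,
}


def audit(port_host_mode, observed):
    """Return {port: status}; a configured port with no learned MACs is 'ok'."""
    return {port: evaluate_port(mode, observed.get(port, []))[0]
            for port, mode in port_host_mode.items()}


if __name__ == "__main__":
    for port, mode in PORT_HOST_MODE.items():
        status, detail = evaluate_port(mode, OBSERVED_MACS.get(port, []))
        print(f"{port:8} {mode:13} {status:10} {detail}")
```

Feeding it the same three hosts under each host-mode shows the trade-off: single-host and multi-domain surface the extra devices as a violation, multi-auth accepts them as long as each one authenticates, and multi-host lets them through unauthenticated, which is why multi-host is the setting to avoid where rogue L2 devices are the concern.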

More info:

Multiple Authentication 

ISE Profiling design guide
