ISE - how to prevent MAC spoofing

I've built an ISE lab (1.1.3.124) and have an authorization policy which permits access to profiled Cisco-Access-Points. For the purpose of the lab, these devices have full access.
Profiling is working correctly. I have a 1231 AP which is correctly profiled and placed in an endpoint group, Cisco-Access-Point.
From a Linux laptop, using macchanger, I can successfully spoof the MAC of the AP and gain full access - for some reason ISE isn't profile checking the laptop and I'm not sure why. The laptop obtains an IP using DHCP. I have the following profile checks enabled: NetFlow, DHCP, RADIUS, DNS, SNMP.
When I check Live Authentications, apart from the session IDs, there is no difference when comparing the authz between the AP and the spoofed laptop.
I was hoping that ISE would recognise the spoofed attempt and let it fall through to the deny policy.
I'm happy to attach any screenshots if required.
Thanks.

This may or may not be already known, so I'm going to describe how I would expect ISE to work.
Authentications based on profiling
The first time a device comes through ISE, it could get a result other than the one you would expect the device to get. This is due to the fact that ISE has a bit of a challenge - to identify and authorize new users to its system before the probes can learn anything about these endpoints.
For example, DHCP and HTTP are fairly useless until after the port becomes authorized since no client traffic can flow before an authentication occurs. ISE might apply the catch-all CWA result allowing it on the network, but then the DHCP class identifier could say 'Cisco AP'.
ISE knows that any new profiled information could result in a different AuthZ policy, so it issues a CoA to inform the NAD to re-authenticate that particular session.
The same authentication occurs now, but ISE now already knows the device appears to act like a Cisco AP and hands back the WAP result this time instead of CWA.
For any future authentications that occur for this Cisco AP, we pass back the Cisco AP result since we know he was previously an AP. Our probes would still learn as much as they can about the 'new' authentication, but no data would change from our end since the probes learn redundant information for this legit Cisco AP.
So, what you're describing is you're performing MAB and swapping out the profiled Cisco AP with another device that is spoofing the MAC address. MAB literally stands for 'MAC Address Bypass', so when ISE is presented with the MAC address it checks its internal host store and finds out he does in fact know 'AA-BB-CC-DD-EE-FF'. The spoofed device was previously known to be a Cisco AP, so ISE will hand out the Cisco AP result allowing it on the network infrastructure VLAN with a special DACL if you're getting fancy.
Your point here is that the spoofed PC is allowed on the network, when in fact it isn't a Cisco AP. What should happen at this point is the probes start doing their magic. The only way a device becomes a 'Cisco-Access-Point' is if the CDP entry in the switch contains 'AIR' or the dhcp-class-identifier includes 'Cisco AP'. So what I would expect to happen is if you have SNMP Query/Trap probes set up and working, as soon as the Linux laptop plugs in with the spoofed MAC the switch would inform ISE that a link came up/up. ISE sends back an SNMP Query asking for more information, which the switch then provides. ISE would then realize that there's no CDP information there (unless your Linux test box is utilizing CDP, then this is a moot point anyways) and update the session endpoint in its internal hosts either during or before the actual authentication occurs. If it's during, ISE would trigger a CoA, which would cause the endpoint to reauthenticate then fall into (probably) the Cisco-Devices group based off the OUI of the MAC.
The other way to become a Cisco-Access-Point by default is through the dhcp class identifier. So let's say your Linux box authenticates, ISE passes back the AP result, and you're allowed on the network. Once you issue a DHCP Discover from your box, ISE should receive it and learn that the DHCP class identifier has changed from what it expected ('Cisco AP') to something different and issue a CoA. The Linux box will reauthenticate, and get passed back the generic CWA profile.
Ultimately the entire job relies on the DHCP probe, the SNMP Trap/Query probes, and CoA...unless you've modified the profiling settings from the default. Since you mentioned deleting the MAC address from the internal hosts section forces ISE to send back CWA, I'm thinking that your switch config might be missing the CoA portion.
1. What probes do you have enabled? This by default requires DHCP, DHCP Span, or SNMP Query/Trap.
2. Can you see the successful CoA from the switch?
3. If you wait ~5 minutes after the Linux box with the spoofed address authenticates and check the internal host, what does ISE know about that device? If my CoA theory is right I would expect after even a couple minutes we would recognize that the device isn't a Cisco WAP.
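The flow the answer above describes, as an added example that is not ISE code and not from the thread's author: a small Python model of the endpoint store, the MAB lookup, profiling from CDP/DHCP probe attributes using the two default Cisco-Access-Point conditions quoted in the answer, and a CoA whenever a reprofiled endpoint would get a different authorization result. The authorization result names, the OUI-to-vendor mapping and the probe attribute values are constructed for the example; the MAC is the placeholder from the answer. Running the scenario with CoA disabled reproduces the symptom in the question: the device reusing the AP's MAC keeps the AP result because the NAD is never told to re-authenticate.

```python
"""Toy model of ISE-style MAB + profiling + CoA re-evaluation (added example).

Not Cisco ISE code. MAB authorizes on what the endpoint store already
knows; probe data arriving later can reprofile the endpoint; a changed
result triggers a CoA so the session is re-authorized. All OUI mappings,
result names and probe attribute values are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed OUI table (NOT real IEEE assignments), used for the
# fallback "Cisco-Device" profile the answer mentions.
CONSTRUCTED_OUI_VENDORS = {"AA-BB-CC": "Cisco"}

# Constructed authorization results per profile; CWA is the catch-all.
AUTHZ_POLICY = {
    "Cisco-Access-Point": "PermitAccess-InfraVLAN",
    "Cisco-Device": "Cisco-Devices-Limited",
}
CATCH_ALL_RESULT = "CWA"


def classify(mac: str, attrs: dict) -> str:
    """Profile an endpoint from the probe attributes collected so far.

    Mirrors the two default conditions from the answer: a CDP platform
    containing 'AIR' or a DHCP class identifier containing 'Cisco AP'.
    Otherwise fall back to the (constructed) OUI group, then Unknown.
    """
    cdp = attrs.get("cdpCachePlatform", "")
    dhcp_class = attrs.get("dhcp-class-identifier", "")
    if "AIR" in cdp or "Cisco AP" in dhcp_class:
        return "Cisco-Access-Point"
    if CONSTRUCTED_OUI_VENDORS.get(mac[:8].upper()) == "Cisco":
        return "Cisco-Device"
    return "Unknown"


@dataclass
class Endpoint:
    mac: str
    profile: str = "Unknown"
    attrs: dict = field(default_factory=dict)


@dataclass
class Session:
    mac: str
    result: str


class ProfilingServer:
    """Endpoint store + MAB authorization + CoA on profile change."""

    def __init__(self, coa_enabled: bool = True):
        self.endpoints: dict[str, Endpoint] = {}
        self.sessions: dict[str, Session] = {}
        self.coa_log: list[str] = []
        self.coa_enabled = coa_enabled

    def mab(self, mac: str) -> str:
        """MAB: authorize purely on the profile the store already holds."""
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        result = AUTHZ_POLICY.get(ep.profile, CATCH_ALL_RESULT)
        self.sessions[mac] = Session(mac, result)
        return result

    def probe(self, mac: str, new_attrs: dict) -> str:
        """Probe data arrives: reprofile, and CoA if the result would change."""
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        # Newest probe data overwrites stored attributes, so a device that
        # re-uses the AP's MAC replaces the AP's evidence with its own.
        ep.attrs.update(new_attrs)
        ep.profile = classify(mac, ep.attrs)
        current = self.sessions.get(mac)
        expected = AUTHZ_POLICY.get(ep.profile, CATCH_ALL_RESULT)
        if current and current.result != expected:
            if self.coa_enabled:
                self.coa_log.append(f"CoA reauth {mac}: {current.result} -> {expected}")
                return self.mab(mac)
            # Without CoA the NAD is never told; the stale session survives.
            self.coa_log.append(f"profile changed for {mac} but no CoA sent")
        return current.result if current else expected


def run_scenario(coa_enabled: bool = True) -> list[str]:
    """Replay the thread: a real AP, then another device presenting its MAC."""
    srv = ProfilingServer(coa_enabled)
    mac = "AA-BB-CC-DD-EE-FF"   # placeholder MAC from the answer
    timeline = []
    # Day 1: unknown AP plugs in, gets CWA; CDP probe learns 'AIR'; CoA fixes it.
    timeline.append(srv.mab(mac))
    timeline.append(srv.probe(mac, {"cdpCachePlatform": "cisco AIR-LAP1231G-A-K9"}))
    # Day 2: a laptop presents the same MAC. MAB trusts the store first...
    timeline.append(srv.mab(mac))
    # ...then the DHCP probe sees a non-AP class identifier (constructed value).
    timeline.append(srv.probe(mac, {"cdpCachePlatform": "",
                                    "dhcp-class-identifier": "dhcpcd-9.4"}))
    return timeline


if __name__ == "__main__":
    for label, enabled in (("with CoA", True), ("without CoA", False)):
        print(label, run_scenario(enabled))
```

With CoA enabled the fourth result drops to the OUI-based group as soon as the DHCP probe reports a non-AP class identifier; with it disabled the session keeps the AP result, which is the check behind the answer's point 2: look in `coa_log` for the re-auth entry rather than the "no CoA sent" one.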
