Posts tagged #Cisco

Cisco ISE MAC Address Database Clean Up

Imagine having 15.000+ MAC addresses in a Cisco ISE database. All these MAC addresses are used to gain access to wireless networks protected with WPA2-PSK and MAC-filtering. But how do you make sure that they are all (still) valid?

Remove MAC Addresses After Change In Authentication

Finally, the time has come to implement 802.1x on the wireless network for a substantial number of these devices. These devices consist mainly of Windows machines and thin clients, both of which are managed through either Microsoft Active Directory or a thin client management suite, so distributing the 802.1x settings is pretty straightforward. There are however some Windows / thin client devices that will remain on the MAC-filtering WiFi networks for various reasons.

After a few tests the migration of the new 802.1x devices has started, but it leaves us with a MAC address database filled with addresses that can be removed, since they are no longer used. But how do you do that? Cisco ISE has a lot of features and is capable of generating rich reports about almost everything. However, it has no way of reporting on dot1x devices that might still remain in the MAC address database as well. That is where I had to get creative.

First I explored the Cisco ISE Monitoring API, but that only gives active connections. There's no way of exploring past (successful) authentications/authorizations. I needed a way to get current and past successful dot1x authentications, compare the MAC addresses associated with those entries to the MAC address database, and remove the matches from that database.

Eventually I found two paths to accomplish this. The first is through the reporting module, where you can export all RADIUS authentications to CSV. By filtering these results in Excel or through Python scripting you are able to extract the MAC addresses that successfully authenticated with dot1x. Feed these MAC addresses to a script and remove them through the Cisco ISE ERS API. Or, if you've got nothing else to do, do it by hand.

The other path is to follow the syslog output and parse that feed. The downside is that you need access to the syslog files, or have to add an additional syslog server to Cisco ISE that you can access (e.g. your scripting machine). The syslog route is a bit more tricky, since the syslog lines are very long and you have to combine the correct lines to get the full message. Parsing CSV is much easier, so I followed that path first.

Dormant/Obsolete MAC Addresses

Another issue with static MAC addresses (and even local accounts) is that they tend to remain in the MAC database indefinitely. Long after devices have been decommissioned, the MAC address remains, which leaves a hole that can be exploited: anyone who knows the PSK and spoofs a listed MAC address gets the same network access the decommissioned device had.

By using the generated 'RADIUS Authentications' reports over a longer period (e.g. 90 days) you can cross-reference the MAC addresses in the database with recent successful authentications of each MAC address.
There are some caveats though:

  1. You need a session-timeout on the network (either statically defined on the network device or set by RADIUS return attribute), so that devices have to re-authenticate periodically. Otherwise you might not see a valid device in the logging and remove it by mistake.

  2. RADIUS reporting only goes 30 days back, so you have to combine several (scheduled) reports to achieve a longer time span. There used to be a custom time frame option, but it seems to have disappeared in version 2.6.
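As an added example (not code from the original post), here is a Python script that does the cross-reference described in both sections above: it parses the 'RADIUS Authentications' CSV export, classifies every MAC in the endpoint database as migrated to 802.1x, dormant, or still in use, and refuses to judge dormancy when the combined reports cover less than the required window. The column names, the 'Lookup' label for MAB, the endpoint list and the sample rows are constructed assumptions; deleting the resulting MACs through the ERS API is not shown.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of an ISE 'RADIUS Authentications' CSV
# export. Column names and protocol labels are assumptions; a real export
# has many more columns, and several monthly reports would be concatenated.
SAMPLE_REPORT = """\
Logged At,Status,Calling Station ID,Authentication Protocol,Identity
2019-07-01 08:15:02,Pass,00-11-22-33-44-55,EAP-TLS,host/pc01.example.com
2019-07-02 09:00:10,Pass,aa:bb:cc:dd:ee:01,Lookup,AA:BB:CC:DD:EE:01
2019-04-15 10:22:41,Pass,AABBCCDDEE02,Lookup,AABBCCDDEE02
2019-07-03 11:04:00,Fail,aabb.ccdd.ee03,PEAP (EAP-MSCHAPv2),user1
2019-07-04 12:30:00,Pass,00:11:22:33:44:66,PEAP (EAP-MSCHAPv2),user2
2019-07-05 12:30:00,Pass,aa-bb-cc-dd-ee-03,Lookup,AA:BB:CC:DD:EE:03
"""

# Constructed stand-in for the MACs exported from the ISE endpoint database.
SAMPLE_ENDPOINT_DB = [
    "00:11:22:33:44:55",  # migrated to 802.1x but still listed for MAB
    "AA:BB:CC:DD:EE:01",  # MAB device seen recently: keep
    "AA:BB:CC:DD:EE:02",  # MAB device last seen months ago: dormant
    "AA:BB:CC:DD:EE:03",  # one failed dot1x try, then a MAB pass: keep
    "AA:BB:CC:DD:EE:04",  # never seen in the report window: dormant
    "00:11:22:33:44:66",  # dot1x-only device: migrated
]

_NON_HEX = re.compile(r"[^0-9A-F]")


def normalize_mac(raw):
    """Canonicalize the formats ISE and NADs emit (aa:bb:cc:dd:ee:ff,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF) to AA:BB:CC:DD:EE:FF."""
    digits = _NON_HEX.sub("", raw.upper())
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_dot1x(protocol):
    """Assumption: ISE labels MAB as 'Lookup' and 802.1x by its EAP method."""
    return protocol.upper().startswith(("EAP", "PEAP"))


def parse_report(text):
    """Return (timestamp, passed, mac, protocol) tuples from the CSV export."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((
            datetime.strptime(row["Logged At"], "%Y-%m-%d %H:%M:%S"),
            row["Status"].strip().lower() == "pass",
            normalize_mac(row["Calling Station ID"]),
            row["Authentication Protocol"].strip(),
        ))
    return rows


def plan_cleanup(endpoint_db, rows, now, window_start, dormant_days=90):
    """Split the endpoint database into 'migrated' (has a successful 802.1x
    authentication), 'dormant' (no successful authentication of any kind in
    the last dormant_days) and 'keep'. Only successful attempts count, and
    the combined reports must cover the whole window; otherwise an absent
    MAC could simply be one the reports never saw. The session-timeout
    caveat cannot be checked here and is assumed to be in place."""
    if now - window_start < timedelta(days=dormant_days):
        raise ValueError("reports cover less than %d days; combine more exports"
                         % dormant_days)
    cutoff = now - timedelta(days=dormant_days)
    last_pass, dot1x_ok = {}, set()
    for ts, passed, mac, proto in rows:
        if not passed:
            continue  # a failed attempt proves nothing about the device
        last_pass[mac] = max(last_pass.get(mac, ts), ts)
        if is_dot1x(proto):
            dot1x_ok.add(mac)
    plan = {"migrated": [], "dormant": [], "keep": []}
    for mac in sorted(normalize_mac(m) for m in endpoint_db):
        if mac in dot1x_ok:
            plan["migrated"].append(mac)
        elif mac not in last_pass or last_pass[mac] < cutoff:
            plan["dormant"].append(mac)
        else:
            plan["keep"].append(mac)
    return plan


def run_sample():
    """Classify the constructed data as of 2019-07-31 over a 121-day window."""
    return plan_cleanup(SAMPLE_ENDPOINT_DB, parse_report(SAMPLE_REPORT),
                        now=datetime(2019, 7, 31),
                        window_start=datetime(2019, 4, 1))


if __name__ == "__main__":
    for bucket, macs in run_sample().items():
        print("%-9s %s" % (bucket, ", ".join(macs) or "-"))
```

The 'migrated' and 'dormant' lists are what you would feed to the ERS API (or delete by hand); review 'dormant' against the session-timeout caveat before acting on it, because a device that never had to re-authenticate inside the window looks exactly like a decommissioned one.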

Cisco ISE v2.6 and Google ChromeOS

While playing around with the new Cisco Identity Services Engine (ISE) v2.6 (patch 2) I stumbled upon a security feature while testing wireless 802.1x access with an Acer Chromebook (ChromeOS v75.0.3770.144). When connecting to the 802.1x enabled SSID the connection failed, while other devices (Windows 10, Apple iOS and macOS) connected just fine.

The problem is in the client's EAP handshake, and usually this relates to an untrusted server certificate. This happens to me a lot since I use different RADIUS services for my test SSIDs.
So after clearing the SSID settings (forget) on the Chromebook it should have worked, but it didn't.

The logging showed that the EAP handshake failed because the client didn’t offer a suitable cipher to the ISE server.

Turns out that Cisco ISE v2.6 has SHA1 ciphers disabled by default, and you need to enable them in:

Administration -> System -> Settings -> Security Settings

With the settings 'Allow SHA1 Ciphers' and 'Allow only TLS_RSA_WITH_AES_128_CBC_SHA' enabled, the Chromebook was able to connect to the 802.1x enabled SSID using that old, deprecated cipher suite. Note that the SHA1 in this cipher suite name is the HMAC-SHA1 used as the TLS record MAC, which is not affected by the collision attacks that retired SHA1 certificate signatures; the second setting limits the exception to that single suite instead of re-enabling every SHA1 suite.

Now I wonder why the Chromebook still uses SHA1 based ciphers for secure communications, since Google Chrome was one of the first browsers to start abandoning SHA1…

Even doing a Powerwash (the ChromeOS factory reset, 'for added security') didn't enable or add stronger ciphers on the Chromebook.
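To show what 'the client didn't offer a suitable cipher' means at the TLS level, here is an added Python example (not part of the original post, and not ISE code) that decodes the cipher suite list from a ClientHello, as you would extract it from the EAP-TLS data of the client's first EAP packet, and applies a model of the two ISE settings to it. The two sample ClientHellos are constructed, not captures from the Chromebook, and the behaviour of the settings is modelled from their names: with SHA1 ciphers disabled, every suite whose record MAC is HMAC-SHA1 (name ending in _SHA) is rejected.

```python
import struct

# IANA cipher suite codes (subset) and the names ISE uses in its settings.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def build_client_hello(suite_codes):
    """Assemble a minimal TLS 1.2 ClientHello record offering suite_codes.
    Only used to construct sample input; random and session id are zeroed."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, sid length
    body += struct.pack("!H", 2 * len(suite_codes))
    body += b"".join(struct.pack("!H", c) for c in suite_codes)
    body += b"\x01\x00"                            # one compression method: null
    body += b"\x00\x00"                            # no extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type, len24
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_suites(record):
    """Return the cipher suite codes a ClientHello offers, in client order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32           # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]         # session id
    nbytes = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", record[i:i + 2])[0]
            for i in range(pos, pos + nbytes, 2)]


def server_allowed(allow_sha1=False, only_rsa_aes128_cbc_sha=False):
    """Model of the ISE 2.6 toggles (an assumption based on their names):
    suites with an HMAC-SHA1 record MAC are only accepted when SHA1 ciphers
    are allowed, and optionally only TLS_RSA_WITH_AES_128_CBC_SHA."""
    allowed = set()
    for code, name in SUITES.items():
        if name.endswith("_SHA"):
            if not allow_sha1:
                continue
            if only_rsa_aes128_cbc_sha and name != "TLS_RSA_WITH_AES_128_CBC_SHA":
                continue
        allowed.add(code)
    return allowed


def negotiate(record, allowed):
    """First client-offered suite the server accepts, or None, which is the
    'no suitable cipher' failure ISE logged for the Chromebook."""
    for code in offered_suites(record):
        if code in allowed:
            return SUITES[code]
    return None


# Constructed ClientHellos: a client limited to CBC/HMAC-SHA1 suites, and one
# that also offers AEAD suites. Neither is a capture from the actual device.
LEGACY_CLIENT = build_client_hello([0xC013, 0xC014, 0x002F, 0x0035])
MODERN_CLIENT = build_client_hello([0xC02F, 0xC030, 0xC027, 0xC013, 0x002F])

if __name__ == "__main__":
    policies = [
        ("SHA1 disabled", server_allowed()),
        ("allow SHA1", server_allowed(allow_sha1=True)),
        ("only RSA/AES128-CBC-SHA",
         server_allowed(allow_sha1=True, only_rsa_aes128_cbc_sha=True)),
    ]
    for label, policy in policies:
        print("%-24s legacy=%s modern=%s" % (
            label, negotiate(LEGACY_CLIENT, policy), negotiate(MODERN_CLIENT, policy)))
```

Run against a real capture, replace the constructed records with the TLS record bytes from the EAP-TLS Data field of the client's first EAP-Response; the parser only needs the ClientHello record itself, not the EAP or RADIUS framing around it.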

Posted on July 31, 2019 and filed under Tips'n Tricks, Security.

Install Cisco Identity Services Engine v2.4 From USB

The Cisco Identity Services Engine (ISE) is a network access control (NAC) solution. The current version (while writing this post) is v2.4.

For a new implementation of Cisco ISE I had to re-image two SNS-3595 appliances with the latest software. This can be done in various ways:

  1. Write the ISE ISO to a USB flash drive and boot / install from it

  2. Use the Java/HTML5 KVM option through the CIMC interface

  3. Hook up a USB DVD drive with a dual-layer DVD containing the appropriate ISO file

The preferred option is the USB flash drive, since it's the fastest, but only if you are able to boot from USB. After trying several USB flash drives with the tool recommended in the Cisco manual I gave up: the boot menu never saw the USB flash drive. So after wasting several hours on that I opted for the KVM install method.

VPN and Resolving Issues on OS X

We have a lab which we can access by using a VPN (Cisco ASA and Cisco AnyConnect). This setup has a so-called split DNS configuration, which means that only resources in the lab are reached through the VPN tunnel; regular Internet traffic uses my local DSL connection.

At home I (like most folks) rely on DHCP to provide an IP address, gateway and DNS servers. My local subnet uses 192.168.10.1 for DNS and 192.168.10.254 as the default gateway, so my clients are in the same subnet as my DNS server (directly connected).

All these things considered, I should be able to browse the Internet while I have a VPN running. Well, that's where you're wrong.

Posted on September 18, 2016 and filed under Annoying, Apple, Operating Systems, Tips'n Tricks.

Use Cisco ISE for RADIUS Authentication with Juniper Junos Devices

While preparing for some Juniper exams, I wanted to test RADIUS authentication for Junos device access. This way of authenticating is helpful in larger networks: instead of provisioning several usernames and passwords on every device, you use a centralized RADIUS server for authenticating on all those devices. If that RADIUS server uses Active Directory as its user database, you can log in to your network devices with your regular username and password.

The RADIUS server of choice (at the moment of writing) is Cisco Identity Services Engine (ISE). Overkill for this specific blog post, but fun to do.

Posted on January 22, 2014 and filed under Junos, Security, Tips'n Tricks.

Cisco ISE: Change of Authorization (CoA) not working

We had a wireless security implementation at a customer site which consisted of the following components:

The setup included a wireless LAN for guest access using the Cisco ISE guest portal functionality.

We started by configuring the WLCs and the ISE environment, and having done that everything worked like a charm. A couple of days later we were not able to connect to the wireless network anymore.
The error reported in the ISE Authentications overview was:

Dynamic Authorization Failed : 11213 No response received from Network Access Device
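What ISE is waiting for behind that message is a CoA-ACK or CoA-NAK (RFC 5176) from the WLC on the CoA port. The following is an added Python example, not code from the original post or from Cisco, that builds a Disconnect-Request the way a RADIUS server does, verifies the Response Authenticator of whatever the NAD answers, and treats a UDP timeout as the same 'no response' condition. The shared secret, NAD address and the sample ACK/NAK replies are constructed; port 1700 is the ISE and WLC default, while the RFC registers 3799.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes and the RADIUS attribute types used below.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ERROR_CAUSE = 1, 4, 31, 101
ERROR_CAUSES = {501: "Administratively Prohibited", 503: "Session Context Not Found"}


def encode_attrs(attrs):
    """Encode [(type, value)] as RADIUS TLVs; ints become 4-byte integers."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        out += struct.pack("!BB", atype, 2 + len(value)) + value
    return out


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attrs|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_response(request, code, attrs, secret):
    """What a NAD sends back: Response Authenticator = MD5(Code|ID|Length|
    RequestAuth|Attrs|Secret). Used here only to construct sample replies."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(request, response, secret):
    """Return (code, error_causes) if the reply matches our request ID and
    carries a valid Response Authenticator, else None (forged, truncated,
    or signed with a different shared secret than ours)."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    causes, data = [], response[20:]
    while len(data) >= 2:                       # walk the attribute TLVs
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            return None                         # malformed attribute
        if atype == ERROR_CAUSE and alen == 6:
            causes.append(struct.unpack("!I", data[2:6])[0])
        data = data[alen:]
    return code, causes


def send_coa(nad_ip, request, secret, port=1700, timeout=3.0):
    """Send the request and wait for the NAD. None means no (valid) reply,
    the condition behind ISE failure reason 11213."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nad_ip, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(request, data, secret)


# Constructed sample: a Disconnect-Request for a guest session, the ACK and
# NAK a WLC could answer with, and an ACK signed with the wrong secret.
SECRET = b"example-coa-secret"
REQUEST = build_request(DISCONNECT_REQUEST, 7, [
    (USER_NAME, "guest01"),
    (CALLING_STATION_ID, "AA-BB-CC-DD-EE-01"),
    (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
], SECRET)
GOOD_ACK = build_response(REQUEST, DISCONNECT_ACK, [], SECRET)
NAK_NO_SESSION = build_response(REQUEST, DISCONNECT_NAK, [(ERROR_CAUSE, 503)], SECRET)
WRONG_SECRET_ACK = build_response(REQUEST, DISCONNECT_ACK, [], b"other-secret")

if __name__ == "__main__":
    for name, reply in [("ack", GOOD_ACK), ("nak", NAK_NO_SESSION),
                        ("wrong secret", WRONG_SECRET_ACK)]:
        print("%-13s %s" % (name, verify_response(REQUEST, reply, SECRET)))
```

A reply signed with a different shared secret is dropped just like no reply at all, so a secret mismatch between ISE and the WLC, a CoA port that is not open, or CoA not enabled on the WLC all surface as the same 11213 message; checking those three is where troubleshooting this error starts.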

Posted on April 2, 2013 and filed under Annoying, Security, Tips'n Tricks.

Cisco Secure ACS 5.x and Apple OSX Directory (LDAP)

For testing and development purposes I run Cisco Secure ACS 5.x in a virtual machine at home. In this environment I also run an Apple Directory Service. I'll be using this setup to test several 802.1x and RADIUS authentication schemes.

To get things going I needed to connect the ACS to my LDAP directory. The Apple Directory Service is a bit different from regular LDAP implementations: they add an 'apple' prefix to a lot of attribute values. Thankfully the ACS has a very versatile configuration interface.

Apple references in attribute values

Normally, the group definition would be 'group' instead of 'apple-group', so the configuration of the ACS should reflect these deviations from the standard.

Posted on March 1, 2011 and filed under Apple, Security, Software, Tips'n Tricks.

Weird 802.1x EAP-TLS Behavior with Windows XP SP3

I'm currently busy with several 802.1x implementations in corporate networks, and in one of those environments I get the strangest behavior regarding the authentication process.

In this particular case I use a Microsoft Windows Server 2008 Active Directory, which is mandatory for distributing the wired network adapter settings for 802.1x. The clients are a mix of Windows XP (SP1 and SP3) clients and some newer and/or exotic operating systems. The authentication mechanism of choice is EAP-TLS with dynamic VLAN assignment. The RADIUS server used is the Cisco Secure ACS v5.x appliance.

During the authentication process of the XP SP3 PCs I saw that the first authentication attempt was made with PEAP. Since PEAP isn't allowed, that authentication failed. About a minute and twenty seconds later the PC started another dot1x authentication sequence, this time using EAP-TLS, and the PC got access to the network.

Posted on January 29, 2011 and filed under Annoying, Operating Systems, Security.

802.1x: Machine Access Restriction 'Vulnerability'

Today we ran into a feature of the Machine Access Restrictions (MAR) option in the Cisco Secure ACS RADIUS server. It seems that when you're using the ACS for 802.1x authentication, you have the option of demanding that users can only be authenticated when the computer has already authenticated. This way, you make sure that no user can access the network without a legitimate PC.

Posted on January 20, 2011 and filed under Security, Software, Tips'n Tricks.

CiscoVPN Error 51 Annoyance

The CiscoVPN client (v4.9.01.0100) for Apple OS X throws an error every once in a while, mainly when I have just rebooted or when I was forced to quit a hanging application (which also happens on Macs). The error is:

Error 51: Unable to communicate with the VPN subsystem

Somehow the VPN software loses contact with the network adapter (wired AND wireless). After this there are two things you can do:

  1. Reboot
  2. Restart the Cisco VPN service manually.

The first is kinda obvious (it's almost an MS Windows strategy :)). The second one is done via the Terminal (Finder -> Applications -> Utilities -> Terminal). Just type the following command (followed by your password):

sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

The thing I don't understand is: why hasn't Cisco incorporated this in the VPN client?

IF (Error 51 == TRUE)
DO CiscoVPN.restart

It seems that this 'bug' has been present since the release of the Mac OS X version of the software.

Posted on May 20, 2008 and filed under Annoying, Apple, Security, Software, Tips'n Tricks.