MAC Authentication Bypass MAB with ISE
Вставка
- Опубліковано 3 жов 2024
- Cisco ISE TME Thomas Howard shows the many different scenarios to use MAB for authorizing endpoints to your network.
00:00 Intro & Agenda
00:30 Media Access Control (MAC) Addresses by the Byte
02:40 OUI & MAC Formatting
04:39 Network Authentication Options
05:45 Multi-Factor Authentication and IOT
06:14 RADIUS with 802.1X Flow
07:43 RADIUS with MAB Flow
09:15 RADIUS Packet Captures: Wired & Wireless MAB
12:00 ISE Segmentation Options with RADIUS
12:54 ISE MAB Authorization Solutions: Filtering, Profiling, Endpoint Groups, Custom Attributes, CMDBs
15:36 Frequently Used RADIUS Attributes Reference
16:26 ISE Secure Wired Access Deployment Guide for Cisco Catalyst Configuration
18:23 How To Integrate Meraki Networks with ISE
20:07 ISE Policy Set Authentication Default Behavior and Recommended Changes
23:00 ISE Policy Set Examples for MAB
23:34 Demo: ISE MAB Default Authentication Policy Behavior
Note: the MAB Authentication worked because ISE knew the MAC from previous failed auths!
27:03 - the MAB auth worked because the endpoint was known from the previous MAB failures
27:34 - MAB with If-user-not-found: Continue
28:24 ISE Local & Global Exceptions
29:11 MAC Filtering Authorization Rules using MAC_* Operators
30:04 Demo: Local and Global Exceptions
31:53 - ISE Endpoint Identity Groups
32:55 - Add/Remove Endpoints to Identity Groups
33:44 - Override Global Exception with Policy Set Local Exception
35:00 - Random MAC Address Filtering
35:53 - Matching with EQUALS vs MAC_EQUALS using :'s and -'s
37:59 - MAC OUI matching using MAC_STARTS operator
39:01 - MAC_* Operators in Authorization Rules
40:13 Demo: Static Endpoint Groups
41:06 - Endpoint Purging will remove endpoints from Endpoint Identity Groups!
42:39 - Profiling Raspberry Pis
44:58 ISE Endpoint Profiling & Demo
47:36 ISE Endpoint Custom Attributes & Demo
51:56 Configuration Management Database (CMDB) and Demo with iPSKs
56:50 Question: What is the best method to define a policy set? Spoiler: It depends!
Resources:
ISE Secure Wired Access Prescriptive Deployment Guide @ cs.co/ise-wired
How To Integrate Meraki Networks with ISE
RADIUS EAPTest Client (macOS only): www.ermitacode...
802.1X Simplification & Automation with IBNS 2.0: • 802.1X Simplification ...
