Friday, August 3, 2018

Rouge Device on My Network?

So this is a situation that happened today. My company deployed Cisco ISE a couple months back, and, despite a few problems, I'm really enjoying ISE. Now obviously a lot of trouble tickets that come in nowadays are just adding a phone or printer MAC to the Identity Group or whitelisting a PC MAC temporarily so we can push new certifications to the PC.

Well this one customer in particular has been needing a new MAC added every other day, so this morning I decided to look at all dot1x failures on that building's switch and then go out there and fix them all at once. I look through the list of MACs, and I notice one MAC looked odd: a completely different OUI than any other device on our network. I check that failed authentication session in ISE, and notice that it labels the Endpoint Profile as Nortel. That's odd, because we shouldn't have any Nortel devices. I search in ISE for the first 6 of that OUI and notice that we have 4 Nortel devices on our network. Our network currently has 3,000 dot1x sessions active, so 4 Nortel devices is really odd.

I also notice that 3 of the Nortel devices have authenticated with the PC dot1x policy, which means they are authenticating with certificates and not MACs. Better yet, there's one Nortel device in the building I work in, connected to the same switch as me! I tell my more senior network engineer, and now we're both interested. It's very unlikely these devices are rogue machines if they are authenticating with certificates, but still, we're both wondering what Nortel devices could be in use. We immediately go to question the sysadmin shop, but they have no clue. We figure out the switch port the device is connected to, and also the wall port number labeled on the patch panel. We hunt all over the offices looking for the wall port, but there's no real rhyme or reason to how they were labeled, and large desks cover most ports. Finally, the senior network engineer spies an interesting looking laptop. It just so happens that the laptop in question was mine. I, for some reason, was issued a Lenovo laptop, while the other thousands of end users use mostly HPs. I tell him that's mine and it's a Lenovo, not a Nortel, but he still insists I check my MAC...

Lo and behold, I was the rogue device. I can only assume that Lenovo must have bought Nortel NICs or something along those lines, which is why ISE displayed the device as Nortel. We all got a good laugh out of it, and I genuinely say I would have NEVER checked my own PC. https://imgur.com/a/4aKF7XR
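The triage done by hand above (pull the session list, group by OUI, see how many devices share a rare prefix and whether they passed certificate-based dot1x or only failed) is easy to script. The following is an added example, not code from the post or from Cisco ISE; it assumes a constructed session export with `mac`, `policy`, `result` and `switch` fields, and uses locally administered placeholder prefixes rather than any vendor's real OUI.

```python
"""Flag rare OUIs in a dot1x session export and summarize how they authenticated."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample export. 02:xx:xx prefixes are locally administered
# placeholders, not real vendor OUIs. Thirty "common" PCs plus a rare
# prefix seen four times (three cert-authenticated, one failure) and one
# rare prefix seen once via MAB.
SESSIONS: List[Dict[str, str]] = [
    {"mac": f"02:11:11:00:00:{i:02X}", "policy": "PC dot1x", "result": "pass", "switch": f"bldg1-sw{i % 3}"}
    for i in range(30)
] + [
    {"mac": "02:22:22:00:00:01", "policy": "PC dot1x", "result": "pass", "switch": "bldg1-sw0"},
    {"mac": "02:22:22:00:00:02", "policy": "PC dot1x", "result": "pass", "switch": "bldg2-sw0"},
    {"mac": "02:22:22:00:00:03", "policy": "PC dot1x", "result": "pass", "switch": "bldg3-sw1"},
    {"mac": "02:22:22:00:00:04", "policy": "MAB", "result": "fail", "switch": "bldg3-sw1"},
    {"mac": "02:33:33:00:00:01", "policy": "MAB", "result": "pass", "switch": "bldg1-sw2"},
]


def oui(mac: str) -> str:
    """Return the first three octets as six uppercase hex digits, any separator style."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return digits[:6]


def rare_ouis(sessions: List[Dict[str, str]], max_count: int = 5) -> Dict[str, dict]:
    """Group sessions by OUI and report prefixes seen at most max_count times.

    For each rare prefix: total sessions, how many passed the certificate-based
    policy (a strong hint the device is managed, as in the post), the MACs that
    failed, and the switches involved so someone can go look.
    """
    by_oui: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for s in sessions:
        by_oui[oui(s["mac"])].append(s)
    report: Dict[str, dict] = {}
    for prefix, recs in by_oui.items():
        if len(recs) > max_count:
            continue
        report[prefix] = {
            "count": len(recs),
            "cert_authenticated": sum(1 for r in recs if r["policy"] == "PC dot1x" and r["result"] == "pass"),
            "failed": [r["mac"] for r in recs if r["result"] == "fail"],
            "switches": sorted({r["switch"] for r in recs}),
        }
    return report
```

A prefix whose sessions are all certificate-authenticated is most likely a managed device with an unfamiliar NIC vendor; only the failed MAC still needs a physical visit.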

TL;DR: Found an odd MAC on my network; after searching all over for it, turns out it was my PC.

Edit: Rogue not rouge
