Cisco Cisco Identity Services Engine 1.2 白皮書
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 7 of 27
MAC Authentication
Identification of an endpoint based solely on the MAC address is one of the most popular methods used to
authenticate medical devices. The term “MAC authentication” is a bit of a misnomer. No true authentication occurs.
Rather, a simple lookup from a local or centralized database of MAC addresses determines whether the address in
question is authorized to access the network. Cisco refers to this method as MAC Authentication Bypass, or MAB,
to highlight the fact that authentication is actually being bypassed.
authenticate medical devices. The term “MAC authentication” is a bit of a misnomer. No true authentication occurs.
Rather, a simple lookup from a local or centralized database of MAC addresses determines whether the address in
question is authorized to access the network. Cisco refers to this method as MAC Authentication Bypass, or MAB,
to highlight the fact that authentication is actually being bypassed.
The endpoint may have additional attributes associated with it, such as a group membership or classification that
can be used to assign access. As an example, all known X-ray, CT, and MRI devices may be assigned to an
identity group called Medical Imaging, while all known point-of-care devices may be assigned to an identity group
called Patient Monitoring. Different policies can be associated with devices in each class.
can be used to assign access. As an example, all known X-ray, CT, and MRI devices may be assigned to an
identity group called Medical Imaging, while all known point-of-care devices may be assigned to an identity group
called Patient Monitoring. Different policies can be associated with devices in each class.
The typical authentication flow for medical devices on a wired network is as follows:
1. Device connects to the network and the switch attempts 802.1X authentication.
2. 802.1X authentication fails due to lack of supplicant response to the switch’s 802.1X queries.
3. Switch falls back to alternative authentication using MAC authentication.
4. Switch sends the host MAC address to an authentication, authorization, and accounting (AAA) server
using the Calling-Station-ID, Username, and/or Password attributes in a RADIUS packet.
5. AAA server validates the MAC address in a local or external database and assigns a policy based on
group membership or other attributes.
The remainder of this guide focuses on the identification and classification of medical devices based on MAC
addresses.
addresses.
Classification of Healthcare-Specific Devices
In the absence of explicit identity credentials for network authentication, IT administrators must often resort to using
the MAC address as the primary method to detect and classify medical endpoints. Some healthcare providers
already have an external inventory of their medical devices. If these external databases support direct integration
with Cisco ISE, then lookups to authorized endpoints can be simplified. Cisco ISE has the ability to perform MAC
lookup to the following databases and identity stores:
the MAC address as the primary method to detect and classify medical endpoints. Some healthcare providers
already have an external inventory of their medical devices. If these external databases support direct integration
with Cisco ISE, then lookups to authorized endpoints can be simplified. Cisco ISE has the ability to perform MAC
lookup to the following databases and identity stores:
●
Cisco ISE internal endpoint database
●
Microsoft Active Directory (AD)
●
Lightweight Directory Access Protocol (LDAP)
●
Mobile device management (MDM)
●
RADIUS
If the data on authorized medical devices resides in a format not directly accessible to Cisco ISE, the information
may be imported to the internal endpoint database by the file, LDAP, or an API.
may be imported to the internal endpoint database by the file, LDAP, or an API.
Unfortunately, most healthcare providers lack a complete or updated database of their medical devices, including
individual MAC addresses. Fortunately, there is still a way to dynamically populate the endpoint database and
assign classifications and policies, namely, profiling.
individual MAC addresses. Fortunately, there is still a way to dynamically populate the endpoint database and
assign classifications and policies, namely, profiling.