ATM Machine profiling

manasjai
Cisco Employee

All,

 

I am looking for ISE profiling attributes for ATMs for a banking customer. These devices are non-Dot1x capable and have a static IP address assigned. 

 

Has anyone done something similar before?

 

Regards,

Manasi Jain

5 Replies

Arne Bier
VIP

It's one thing to rely on ISE to profile an IoT device (like a light bulb) and work with a "certainty factor" percentage accuracy. But I would be worried if my bank used profiling to assign its ATMs to the correct VLAN or assign ACLs etc.

What is the reason for using RADIUS here? If they don't do 802.1X to gain network access then could you not do MAB auth instead? That would mean putting all the ATMs' MAC addresses into an Identity Group. But MAB auth for an ATM sounds dodgy too. I don't see what the use case is here.

Hello,

I am looking for the same. Kindly advise 

Hi Shabeeb,

It's answered, follow the same approach.

Regards,

Pulkit

As @Arne Bier inferred in his previous response, you are not likely to get much detail from Profiling of an ATM endpoint. From my experience, most ATMs are built on generic platforms (like old Windows OS), so they would not provide any unique attributes.

If you intend to pursue the Profiling route, you would need to determine what the network can glean from one of the ATM endpoints and build custom Profiling conditions/policies based on the ISE Profiling Design Guide.

Pulkit Mittal
Level 1

Hi Manasi,

The best way to handle non-dot1x devices is to create a custom identity group for all ATM machines. These devices do not need to be connected to be added to the group; they can be imported.

This solution has been explained in detail here from Timothy Abbott. I believe it's applicable in this case for you.

If you find this useful, please mark it helpful and Accept the Solution.