Posture ACL Remediation
Problem Statement
The posture redirect ACL currently applied once 802.1X authentication succeeds, while posture assessment is still pending, permits Kerberos (TCP/UDP 88), SMB (TCP 445), and LDAP (TCP/UDP 389) before the endpoint has been judged compliant. This opens a credential harvesting window that an evil twin attack can exploit. PENTEST-POSTURE-ACL-001 classified this as CRITICAL.
Current ACL (Vulnerable)
The existing posture redirect ACL permits protocols that carry authentication material:
ip access-list extended ACL-POSTURE-REDIRECT
permit udp any any eq 67
permit udp any any eq 68
permit udp any any eq 53
permit tcp any any eq 53
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 8443
permit tcp any any eq 8905
permit tcp any any eq 88 ! Kerberos — VULNERABLE
permit udp any any eq 88 ! Kerberos — VULNERABLE
permit tcp any any eq 445 ! SMB — VULNERABLE
permit tcp any any eq 389 ! LDAP — VULNERABLE
permit udp any any eq 389 ! LDAP — VULNERABLE
deny ip any any
Lines marked VULNERABLE permit credential-bearing protocols during the posture assessment window. An attacker operating an evil twin AP can capture NTLMv2 challenge-responses from SMB negotiation, Kerberos AS-REQ pre-authentication data (crackable offline in the same way), and LDAP simple-bind credentials from endpoints that have authenticated but not yet completed posture.
Proposed ACL (Zero-Trust)
Strip all credential-bearing protocols. Permit only what posture assessment requires:
ip access-list extended ACL-POSTURE-REDIRECT-v2
remark --- DHCP: endpoint IP assignment ---
permit udp any any eq 67
permit udp any any eq 68
remark --- DNS: name resolution for posture ---
permit udp any any eq 53
permit tcp any any eq 53
remark --- ISE Posture Agent (AnyConnect) ---
permit tcp any any eq 8905
remark --- ISE Portal (captive portal redirect) ---
permit tcp any any eq 8443
remark --- HTTP/HTTPS: portal redirect only ---
permit tcp any any eq 80
permit tcp any any eq 443
remark --- DENY ALL ELSE ---
deny ip any any log
Key changes:
- Removed Kerberos (88), SMB (445), LDAP (389)
- Added the log keyword on the final deny for visibility
- Added remarks for audit trail
Two points to confirm during lab validation before the CR goes to production. First, the meaning of permit and deny in a redirect ACL is not uniform across Cisco platforms: on AireOS controllers, permit entries pass traffic and deny entries are what gets redirected to the portal, while on IOS-XE (Catalyst 9800) the redirect ACL only selects traffic for redirection and a separate pre-auth or downloadable ACL decides what is allowed at all. Verify on the target controllers that Kerberos, SMB, and LDAP are actually dropped, not redirected. Second, per-packet ACL logging is rate-limited and adds control-plane load, and not every controller platform accepts the log keyword on a redirect ACL, so confirm it is both accepted and affordable before relying on it for visibility.
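To make the lab validation in step 2 repeatable, the following script evaluates both ACLs offline with first-match semantics and reports which credential-bearing flows each one lets through and whether any flow posture needs is blocked. It is an added example, not part of the remediation package or of any Cisco tooling; it handles only the IOS extended-ACL subset this page uses (permit or deny, ip/tcp/udp, any any, optional eq port, optional log), skips remark lines and trailing "!" annotations, and models the implicit deny at the end of every ACL. The two ACL texts are constructed copies of ACL-POSTURE-REDIRECT and ACL-POSTURE-REDIRECT-v2 from this page, and the check list goes slightly beyond the three protocols named above by also probing NetBIOS-era SMB (139) and NBNS (137), which carry NTLM just as 445 does.

```python
"""Offline first-match evaluation of the posture ACLs on this page.

Added example for lab validation; not part of the remediation package or of
any Cisco tooling.  Supports only 'permit|deny <ip|tcp|udp> any any [eq <port>]
[log]', skips 'remark' lines and '! ...' annotations, and applies the implicit
deny at the end of every ACL.  ACL_V1 / ACL_V2 are constructed copies of the
two ACLs on this page.
"""
import re
from typing import List, NamedTuple, Optional

ACL_V1 = """\
ip access-list extended ACL-POSTURE-REDIRECT
 permit udp any any eq 67
 permit udp any any eq 68
 permit udp any any eq 53
 permit tcp any any eq 53
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 8443
 permit tcp any any eq 8905
 permit tcp any any eq 88 ! Kerberos
 permit udp any any eq 88 ! Kerberos
 permit tcp any any eq 445 ! SMB
 permit tcp any any eq 389 ! LDAP
 permit udp any any eq 389 ! LDAP
 deny ip any any
"""

ACL_V2 = """\
ip access-list extended ACL-POSTURE-REDIRECT-v2
 remark --- DHCP ---
 permit udp any any eq 67
 permit udp any any eq 68
 remark --- DNS ---
 permit udp any any eq 53
 permit tcp any any eq 53
 remark --- ISE posture agent / portal / redirect ---
 permit tcp any any eq 8905
 permit tcp any any eq 8443
 permit tcp any any eq 80
 permit tcp any any eq 443
 deny ip any any log
"""


class Ace(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    port: Optional[int]   # destination port from "eq <port>"; None matches any port


ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(\d+))?(?:\s+log)?$"
)


def parse_acl(text: str) -> List[Ace]:
    """Return the ACEs of one extended ACL in configured order.

    Unsupported syntax raises instead of being skipped, so an ACE this parser
    does not understand can never be silently treated as matching nothing."""
    aces = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()          # drop trailing annotations
        if not line or line.startswith(("ip access-list", "remark")):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {raw!r}")
        action, proto, port = m.groups()
        aces.append(Ace(action, proto, int(port) if port else None))
    return aces


def evaluate(aces: List[Ace], proto: str, dport: int) -> str:
    """First matching ACE wins; no match means the implicit deny."""
    for ace in aces:
        if ace.proto in ("ip", proto) and ace.port in (None, dport):
            return ace.action
    return "deny"


# Flows that carry authentication material.  The first five are the ports the
# pentest finding names; 139/137 are added because NetBIOS-era SMB and NBNS
# carry NTLM just as 445 does and must stay closed too.
CREDENTIAL_FLOWS = [
    ("tcp", 88), ("udp", 88),      # Kerberos AS-REQ / TGS-REQ
    ("tcp", 445),                  # SMB (NTLMv2 challenge-response)
    ("tcp", 389), ("udp", 389),    # LDAP simple bind / CLDAP
    ("tcp", 139), ("udp", 137),    # SMB over NetBIOS, NBNS
]

# Flows posture assessment needs, per the remarks in ACL-POSTURE-REDIRECT-v2.
POSTURE_FLOWS = [
    ("udp", 67), ("udp", 68),      # DHCP
    ("udp", 53), ("tcp", 53),      # DNS
    ("tcp", 8905), ("tcp", 8443),  # ISE posture agent, ISE portal
    ("tcp", 80), ("tcp", 443),     # portal redirect
]


def credential_exposure(aces: List[Ace]):
    """Credential-bearing flows the ACL lets through before posture completes."""
    return [f for f in CREDENTIAL_FLOWS if evaluate(aces, *f) == "permit"]


def posture_gaps(aces: List[Ace]):
    """Flows posture needs that the ACL would block (a broken posture flow)."""
    return [f for f in POSTURE_FLOWS if evaluate(aces, *f) != "permit"]


if __name__ == "__main__":
    for name, text in (("v1", ACL_V1), ("v2", ACL_V2)):
        aces = parse_acl(text)
        print(name, "exposes:", credential_exposure(aces),
              "breaks posture:", posture_gaps(aces))
```

Run against the v1 text it lists the five Kerberos/SMB/LDAP entries as exposed; against v2 it lists nothing exposed and no posture flow blocked. Paste the ACL exactly as it will be configured (the parser rejects any syntax it does not model rather than guessing), and remember that this checks ACL ordering only; the redirect-versus-drop semantics of the platform still need the on-box test from the list above.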
Attack Chain
The six-step attack chain that this remediation prevents:
1. Broadcast: evil twin AP broadcasts the CHLA_Staff SSID (Raspberry Pi 4, Kali Linux)
2. Associate: endpoint auto-connects; posture redirect ACL applied
3. Redirect: endpoint begins posture compliance check against ISE
4. Harvest: Kerberos AS-REQ, SMB negotiation, LDAP binds transit through the permissive ACL to attacker-controlled infrastructure
5. Crack: NTLMv2 challenge-responses and Kerberos pre-authentication hashes cracked offline (hashcat rule-based attack)
6. Lateral Movement: compromised credentials enable pivot into internal segments
With the zero-trust ACL, step 4 fails: Kerberos, SMB, and LDAP are denied before reaching the attacker.
Architecture Diagrams
The problem and solution are documented in D2 diagrams:
Remediation Steps
| Step | Action | Owner | Status |
|---|---|---|---|
| 1 | Submit iTrack Change Request with zero-trust ACL | Evan Rosado | 🟡 CR drafted |
| 2 | Lab validation: test posture flow with restricted ACL | Evan Rosado | 🟡 In progress (home lab) |
| 3 | Production deployment: apply to wireless controllers | Network Engineering | ❌ Pending CR approval |
| 4 | Post-deployment monitoring: 72-hour watch period | InfoSec | ❌ Not started |
| 5 | Evil twin re-test: validate Kerberos/SMB/LDAP blocked | Evan Rosado | ❌ Not started |
| 6 | Documentation and close-out | Evan Rosado | ❌ Not started |
Detection
Monitor for rogue devices using Raspberry Pi OUI prefixes:
# Query ISE for endpoints matching Raspberry Pi OUI
netapi ise endpoint list --filter "mac.startswith=B8:27:EB" --format table
netapi ise endpoint list --filter "mac.startswith=DC:A6:32" --format table
netapi ise endpoint list --filter "mac.startswith=E4:5F:01" --format table
Any Raspberry Pi MAC appearing on the CHLA_Staff SSID warrants immediate investigation. Two limits of this check: it catches a Pi that has joined the network as a client, not one acting only as an evil twin AP, which never associates to the legitimate SSID and is the job of rogue AP detection on the wireless controllers; and a one-line MAC change defeats it. Treat it as a cheap tripwire alongside rogue AP detection, not as the primary control.
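When the OUI check is run over an endpoint export rather than through the three queries above, the MAC formats need normalising first (ISE and controller exports mix aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and Cisco aabb.ccdd.eeff), and locally-administered addresses, which a spoofed or randomised MAC carries, should be reported separately because an OUI lookup on them is meaningless. The script below does that; it is an added example, not part of the page's tooling, ISE, or the netapi CLI. The endpoint export is constructed sample data, and the two extra Raspberry Pi Trading OUIs beyond the three queried above are included as assumptions to be confirmed against the IEEE registry before they go into the production filter.

```python
"""OUI triage of an endpoint export (added example; not ISE or netapi code).

Normalises the three MAC formats Cisco gear emits, flags Raspberry Pi OUIs on
the staff SSID, and separately flags locally-administered addresses (spoofed
or randomised MACs) where an OUI lookup tells you nothing.  SAMPLE_ENDPOINTS
is constructed data, not real ISE output.
"""
import csv
import io
import re
from typing import Dict, List, Optional

# OUI -> vendor.  The first three are the prefixes queried above; the last two
# are later Raspberry Pi Trading assignments and are an assumption here:
# verify them against the IEEE registry before adding to the production filter.
RASPBERRY_PI_OUIS = {
    "B827EB": "Raspberry Pi Foundation",
    "DCA632": "Raspberry Pi Trading Ltd",
    "E45F01": "Raspberry Pi Trading Ltd",
    "D83ADD": "Raspberry Pi Trading Ltd",
    "28CDC1": "Raspberry Pi Trading Ltd",
}

# Constructed export: one Pi on the staff SSID in each notation, one Pi on the
# guest SSID, an unrelated vendor, and a locally-administered (spoofed) MAC.
SAMPLE_ENDPOINTS = """\
mac,ssid
b8:27:eb:4a:1c:9d,CHLA_Staff
DC-A6-32-7F-00-11,CHLA_Guest
e45f.01aa.bb22,CHLA_Staff
3c:22:fb:12:34:56,CHLA_Staff
da:a1:19:00:11:22,CHLA_Staff
"""


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or Cisco dotted notation; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_vendor(mac: str) -> Optional[str]:
    """Vendor name if the first three octets are a Raspberry Pi assignment."""
    return RASPBERRY_PI_OUIS.get(normalize_mac(mac).replace(":", "")[:6])


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: assigned locally, so the OUI is not a vendor's."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def triage(export_csv: str, ssid: str = "CHLA_Staff") -> Dict[str, List[str]]:
    """Split endpoints on `ssid` into Raspberry Pi OUIs and locally-administered MACs."""
    hits: Dict[str, List[str]] = {"raspberry_pi": [], "locally_administered": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["ssid"] != ssid:
            continue
        mac = normalize_mac(row["mac"])
        if is_locally_administered(mac):
            hits["locally_administered"].append(mac)   # OUI lookup skipped on purpose
        elif oui_vendor(mac):
            hits["raspberry_pi"].append(mac)
    return hits


if __name__ == "__main__":
    for kind, macs in triage(SAMPLE_ENDPOINTS).items():
        print(kind, macs)
```

Feed it the CSV export of the endpoint list for the staff SSID; the locally-administered bucket is worth eyeballing on its own, since a Pi that has had its MAC changed with macchanger will usually land there rather than under its real OUI.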