https://community.cisco.com/t5/network-access-control/ise-device-profiling-and-mac-address-spoofing-test/m-p/3906064#M470661 Something you may want to consider is configuring anomalous endpoint detection. Essentially this would aide in deterring such a scenario. A change in profile would trigger and you could quarantine via CoA. From doc:<BR />Once detection is enabled, ISE monitors any new information received for existing endpoints and checks if these attributes have changed:<BR />Endpoint Policy - A change in endpoint profile from Printer or IP phone to Workstation.<BR />Just note that I am pretty sure you cannot tweak what attributes it monitors. Good luck &amp; HTH!<BR />See here for my detail: <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html</A> Fri, 09 Aug 2019 15:06:30 GMT Mike.Cifelli 2019-08-09T15:06:30Z https://community.cisco.com/t5/network-access-control/ise-device-profiling-and-mac-address-spoofing-test/m-p/3905299#M470659 <P>Hi All</P><P>&nbsp;</P><P>I setup ISE profiling for Cisco IP phones and it works as expected.&nbsp; I changed the certainty factor for Cisco-IP-Phone to a higher number to ensure that it would match on multiple criteria before allowing the IP phone.&nbsp;&nbsp;</P><P>&nbsp;</P><P>From what I see, if I disconnect and reconnect the IP phone, ISE does not do a full profiling for the second attempt.&nbsp; Instead it checks the mac address and recognized that it is already profiled as a Cisco IP phone and allows it. This is a security issue because if I spoof the IP phone's mac address on a laptop for example, I will gain access to the network.</P><P>I verified this by setting up a laptop with the same mac address as the IP phone.&nbsp; The laptop was successfully authorized using the same authorization policy that the phone used.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Is this expected behavior or am I missing some configuration steps?</P><P>ISE 2.4 Patch 9</P><P>IOS 16.6.6</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Brian</P> Thu, 08 Aug 2019 13:55:12 GMT https://community.cisco.com/t5/network-access-control/ise-device-profiling-and-mac-address-spoofing-test/m-p/3905299#M470659 BrianPersaud 2019-08-08T13:55:12Z https://community.cisco.com/t5/network-access-control/ise-device-profiling-and-mac-address-spoofing-test/m-p/3906064#M470661 Something you may want to consider is configuring anomalous endpoint detection. Essentially this would aide in deterring such a scenario. A change in profile would trigger and you could quarantine via CoA. From doc:<BR />Once detection is enabled, ISE monitors any new information received for existing endpoints and checks if these attributes have changed:<BR />Endpoint Policy - A change in endpoint profile from Printer or IP phone to Workstation.<BR />Just note that I am pretty sure you cannot tweak what attributes it monitors. Good luck &amp; HTH!<BR />See here for my detail: <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html</A> Fri, 09 Aug 2019 15:06:30 GMT https://community.cisco.com/t5/network-access-control/ise-device-profiling-and-mac-address-spoofing-test/m-p/3906064#M470661 Mike.Cifelli 2019-08-09T15:06:30Z https://community.cisco.com/t5/network-access-control/ise-device-profiling-and-mac-address-spoofing-test/m-p/3906094#M470663 Thanks I am in the process of testing to see how it works.<BR /> Fri, 09 Aug 2019 16:16:59 GMT https://community.cisco.com/t5/network-access-control/ise-device-profiling-and-mac-address-spoofing-test/m-p/3906094#M470663 BrianPersaud 2019-08-09T16:16:59Z https://community.cisco.com/t5/network-access-control/ise-device-profiling-and-mac-address-spoofing-test/m-p/3907515#M470665 <P>I retested after enabling&nbsp;<SPAN><STRONG>Enable Anomalous Behaviour Detection</STRONG> and&nbsp;<STRONG>Enable Anomalous Behaviour Enforcement&nbsp;</STRONG>along with the appropriate authorization policy.&nbsp; I set the laptop to use the mac address as the IP phone.&nbsp; It worked as expected to deny the laptop from accessing the network.</SPAN></P> Tue, 13 Aug 2019 15:01:32 GMT https://community.cisco.com/t5/network-access-control/ise-device-profiling-and-mac-address-spoofing-test/m-p/3907515#M470665 BrianPersaud 2019-08-13T15:01:32Z