topic Re: ISE Profiling MAC address - Elapsed time - MAC Spoofing in Network Access Control

ISE Profiling MAC address - Elapsed time - MAC Spoofing

junk1 — Mon, 08 Jan 2018 13:58:47 GMT

In Cisco ISE 1.4, when the ISE profiles an endpoint and if the endpoint is disconnected after a while, will ISE retain the endpoint's MAC address in profiled database until unless it detects a change in the profiling information from same MAC address?.

This is regarding a security breach happened in one of my ISE customer. When a laptop used a spoofed MAC address of a Cisco IP Phone, it got authorised as Cisco IP Phone. There was no DHCP helper address configured for data VLANs (only configured for voice VLANs), and we only use DHCP and RADIUS as probes for profiling.

Is it because ISE didn't detect a profile information change on the same MAC address, it used the historical profiling data and authorised the MAC address as Cisco IP Phone. It would be great if someone could confirm if this is correct or expected behaviour.

Thanks and Regards

V Vinodh.

Re: ISE Profiling MAC address - Elapsed time - MAC Spoofing

hslai — Mon, 08 Jan 2018 17:49:46 GMT

Ability to Detect Anomalous Behavior of Endpoints is added in ISE 2.1.

Re: ISE Profiling MAC address - Elapsed time - MAC Spoofing

paul — Wed, 10 Jan 2018 22:34:53 GMT

In addition to anomalous detection you should be educating your customer that any time you are using MAB authentication the spoofing of a profiled MAC address or the spoofing of the profiling criteria is always a risk. Each profiled MAB class should have a DACL applied to limit access to the access required by that class. If you spoof a phone.... congrats you got on the network but can only do phone functions.