
ISE device profiling and MAC address spoofing test

BrianPersaud
Spotlight

Hi All


I set up ISE profiling for Cisco IP phones and it works as expected. I changed the certainty factor for Cisco-IP-Phone to a higher number to ensure that it would match on multiple criteria before allowing the IP phone.


From what I see, if I disconnect and reconnect the IP phone, ISE does not do a full profiling for the second attempt. Instead it checks the MAC address, recognizes that it is already profiled as a Cisco IP phone and allows it. This is a security issue because if I spoof the IP phone's MAC address on a laptop, for example, I will gain access to the network.

I verified this by setting up a laptop with the same MAC address as the IP phone. The laptop was successfully authorized using the same authorization policy that the phone used.


Is this expected behavior or am I missing some configuration steps?

ISE 2.4 Patch 9

IOS 16.6.6

Thanks

Brian

Accepted Solution

Mike.Cifelli
VIP Alumni
Something you may want to consider is configuring anomalous endpoint detection. Essentially this would aid in deterring such a scenario. A change in profile would trigger and you could quarantine via CoA. From the doc:
Once detection is enabled, ISE monitors any new information received for existing endpoints and checks if these attributes have changed:
Endpoint Policy - A change in endpoint profile from Printer or IP phone to Workstation.
Just note that I am pretty sure you cannot tweak what attributes it monitors. Good luck & HTH!
See here for more detail: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html
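As an added illustration (example code written for this page, not ISE's own logic and not from the thread): a small Python detector that mirrors the check anomalous endpoint detection performs, tracking each MAC's last assigned profile over profiler-style log lines and alerting when an endpoint already known as an IP phone or printer is re-profiled as a Workstation. The log line format, the SAMPLE_EVENTS data and the function names are assumptions constructed for the example.

```python
import re

# Constructed sample profiler events (not real ISE output). One line per
# profiling update: timestamp, endpoint MAC, the policy assigned, and the
# probe that supplied the new attribute.
SAMPLE_EVENTS = """\
2023-01-10T08:00:01 mac=00:1E:7A:11:22:33 policy=Cisco-IP-Phone src=cdp
2023-01-10T08:05:12 mac=3C:52:82:AA:BB:CC policy=Workstation src=dhcp
2023-01-10T09:30:44 mac=00:1E:7A:11:22:33 policy=Workstation src=dhcp
2023-01-10T09:31:02 mac=00:1E:7A:11:22:33 policy=Workstation src=http
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mac=(?P<mac>[0-9A-Fa-f:]{17}) "
    r"policy=(?P<policy>\S+) src=(?P<src>\S+)$"
)

# Profiles that should never "turn into" a workstation: an existing endpoint
# moving from one of these to Workstation is the pattern the thread describes
# (a phone's MAC reappearing on a laptop).
PROTECTED_POLICIES = {"Cisco-IP-Phone", "Printer"}


def parse_event(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_profile_changes(events_text):
    """Return one alert dict per transition from a protected policy to
    Workstation. Only transitions for already-known MACs count; a brand-new
    endpoint that profiles as Workstation on first sight is not anomalous."""
    last_policy = {}
    alerts = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        mac = ev["mac"].upper()
        previous = last_policy.get(mac)
        if previous in PROTECTED_POLICIES and ev["policy"] == "Workstation":
            alerts.append({"mac": mac, "ts": ev["ts"], "from": previous,
                           "to": ev["policy"], "src": ev["src"],
                           "action": "quarantine via CoA"})
        last_policy[mac] = ev["policy"]
    return alerts
```

Running `detect_profile_changes(SAMPLE_EVENTS)` flags only the third line: the phone MAC's later Workstation-to-Workstation update and the laptop that was a Workstation from the start produce no alert.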




Thanks, I am in the process of testing to see how it works.

I retested after enabling Enable Anomalous Behaviour Detection and Enable Anomalous Behaviour Enforcement along with the appropriate authorization policy. I set the laptop to use the same MAC address as the IP phone. It worked as expected to deny the laptop from accessing the network.
