Already on version 2.2 with the latest patch. Also had anomalous detection and enforcement enabled but it doesn't work in the environment.

trying to figure out why the endpoint profile doesn't get updated when spoofed by another device.

ISE profiler shows merged endpoint attributes of the spoofed printer; i.e. OUI = RICOH and attributes of the spoofing workstation. i.e. dhcp class identifier = MSFT 5.0

the customer environment only supports endpoint profile change as the anomalous detection triggering condition.

i agree. but unfortunately its a specific POV clause that we need to fulfill and there's no 2 ways about it.

Are you using the built in RICOH-Device rule or did you build a custom printer profile?

Even with the built-in rules your specific test may not work. The default RICHO-Device rule has a minimum certainty factor of 10. The default Microsoft-Workstation rule even though it is a 2nd level rule has a minimum certainty factor of 10. In my experience it is a crap shoot what profile will get picked when there is a tie on minimum certainty factor. And it probably isn’t going to move off of a profile when there is a tie. The 2nd level Microsoft-Workstation should really be a 20 in my opinion. The first level workstation rule is a minimum certainty factor of 10 as well. So it may not even move to that rule which means it won’t move to Microsoft-Workstation.

For specific use cases, you can achieve reclassification and optional quarantine using Exception Actions.

Hi Team,

I have another ISE customer that is also Cisco voice customer. they have 12K phone in the network and currently going to enable dot1x on their infra. They plan to use MAB for all phone and thus will whitelist phone MAC in ISE. But they worry about MAC spoofing. Can our anomalous endpoint detection help in below case? They will enable device sensor on switches.

(1) user look at phone MAC and spoof into his laptop

(2) plug out IP phone and connect his laptop into the cable

Will anomalous endpoint detection help in above case?

Regards &

Have a nice day

Anomalous detection may help but I would focus on DACL control which can be tough with voice, but possible.

For the person you are really worried about that is smart enough to realize the customer is running a NAC solution and grab a phone and spoof its MAC, they probably are smart enough to not expose profiling data to ISE that would allow anomalous detection to kick in. Like I said previously MAC spoofing and profile data spoofing is a risk you accept and limit the exposure of the risk with DACLs/TrustSec.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

I agree with Paul. as i have my phones doing MAB, based on profile but have a DACL that limits the phones to the Call Manager servers and voice gateways.  since the phones are on a separate VLAN, it is a very clean way of limiting what devices on that subnet can do.

HTH

Vince

The only issue with the phone DACL is softphones on PCs. You can’t just limit to voice subnets/voice servers/voice gateways. You would need to open up voice ports (there are many) to the data subnets as well if you are using softphones.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

we have an objective to get 802.1x working with our phones but while we fight that nightmare, we chose to put VACLs to lock down the voice side.  we use voice vlans which to my understanding uses CDP/LLDP for the COA or vlan jump.  since a spoofed device does not respond to CDP/LLDP it ends up on the data vlan making our efforts pointless on VACLs.  any ideas there?

Phones have very specific DHCP Class ID values.  With Anomaly Behavior Detection, the DHCP Class ID will change if connect Windows PC with phone MAC.  Mac OS and Linux may not populate this attribute so will likely require Exception Actions today to detect the device change.