

Hagen Winck

Cisco ISE 2.1 and MAC spoofing

We are implementing Cisco ISE in a large distributed deployment for 100K endpoints of a service provider.


We profile MAB devices using device-sensor feature on the Cisco switches.

So the ISE profiling service gets all the CDP, LLDP and DHCP information and is able to profile, for example, a connected IP phone correctly into Cisco-Device->Cisco-IP-Phone->Cisco-IP-Phone-7911 on the ISE.


Now in the authorization policy we check whether the device is profiled as 'Cisco-IP-Phone-7911' and whether it is a known MAC address. (We add the MAC manually to an 'ALLOWED_MAC' list.)

Works like it should, but ... now the issue:


If we disconnect the phone and connect a Win PC and fake the MAC address to use the MAC of the phone, then the PC will always get authenticated AND authorized like the phone before.

The absence of all the profiling information (CDP, LLDP, DHCP) won't let ISE change the identity group membership of this MAC.

Using the MAC address of the phone, the PC will for sure be a member of 'Cisco-Device', but it should not be a member of 'Cisco-IP-Phone' and for sure not of 'Cisco-IP-Phone-7911'.

The profiling information for these sub-groups is not available anymore.


Is this something ISE is not capable of doing? Is something missing in our configuration?


Your authz policy looks like: Profiled_7911 & member of allowed_mac

It's normal behavior that the authz rule is hit the first time, but normally a CoA should take place after a short while once ISE receives new info from the sensors.

You don't see a CoA action in the logging?
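To make the behaviour discussed above concrete, here is an added example that is not ISE code and is not part of the thread: a toy model of a merged endpoint attribute store, a certainty-based profile tree, the authz rule quoted in the reply (profiled 7911 AND MAC in ALLOWED_MAC), and a flag that marks when a profile change would trigger a CoA. The attribute names (cdpCachePlatform, lldpSystemDescription, dhcp-class-identifier), the OUI, the MAC, the certainty values and the policy tree are all constructed assumptions that only resemble the ISE profiler's general scheme, and the fresh_only authorization variant is a hypothetical check that trusts only attributes seen in the current session; it illustrates what the poster is asking for and is not an ISE setting.

```python
"""Toy model of MAB profiling, authorization and CoA for the spoofed-MAC case.

Added example: not Cisco ISE code. Attribute names, certainty values, the OUI,
the MAC and the fresh_only variant are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

ALLOWED_MAC = {"00:1b:d4:aa:bb:cc"}  # constructed phone MAC, standing in for the poster's list


@dataclass
class Policy:
    name: str
    parent: Optional[str]
    min_certainty: int
    conditions: list  # (attribute, required substring, certainty contributed)

    def certainty(self, attrs: dict) -> int:
        return sum(cf for attr, needle, cf in self.conditions
                   if needle.lower() in attrs.get(attr, "").lower())


# Assumed policy tree; the values are illustrative, not ISE defaults.
POLICIES = {p.name: p for p in [
    Policy("Cisco-Device", None, 10, [("MACAddress", "00:1b:d4", 10)]),  # assumed OUI check
    Policy("Cisco-IP-Phone", "Cisco-Device", 20, [("cdpCachePlatform", "Cisco IP Phone", 20)]),
    Policy("Cisco-IP-Phone-7911", "Cisco-IP-Phone", 20, [("cdpCachePlatform", "Cisco IP Phone 7911", 20)]),
    Policy("Workstation", None, 10, [("dhcp-class-identifier", "MSFT", 10)]),
]}


def profile(attrs: dict) -> str:
    """Most specific policy whose whole parent chain meets its minimum certainty."""
    def matches(p: Policy) -> bool:
        ok = p.certainty(attrs) >= p.min_certainty
        return ok and (p.parent is None or matches(POLICIES[p.parent]))

    def depth(p: Policy) -> int:
        return 0 if p.parent is None else 1 + depth(POLICIES[p.parent])

    hits = [p for p in POLICIES.values() if matches(p)]
    if not hits:
        return "Unknown"
    return max(hits, key=lambda p: (depth(p), p.certainty(attrs))).name


@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)  # attribute -> (value, session it was seen in)
    profile: str = "Unknown"

    def learn(self, session: int, sensor_data: dict) -> bool:
        """Merge device-sensor data into the record. Attributes not seen again are kept,
        which is the persistence the poster observed. Returns True when the profile
        changed, i.e. when a CoA would be issued."""
        self.attrs["MACAddress"] = (self.mac, session)
        for key, value in sensor_data.items():
            self.attrs[key] = (value, session)
        old = self.profile
        self.profile = profile({k: v for k, (v, _) in self.attrs.items()})
        return self.profile != old

    def authorize(self, session: int, fresh_only: bool = False) -> str:
        """Authz rule from the thread: profiled 7911 AND MAC in ALLOWED_MAC.
        fresh_only (hypothetical) re-profiles using only attributes seen this session."""
        if fresh_only:
            prof = profile({k: v for k, (v, s) in self.attrs.items() if s == session})
        else:
            prof = self.profile
        return "PERMIT" if prof == "Cisco-IP-Phone-7911" and self.mac in ALLOWED_MAC else "DENY"


# Constructed device-sensor output for the phone; the spoofing PC has a static IP
# and no CDP/LLDP, so the switch has nothing to forward for it.
PHONE_SENSOR = {"cdpCachePlatform": "Cisco IP Phone 7911",
                "lldpSystemDescription": "Cisco IP Phone 7911G"}
PC_STATIC_IP = {}


def run_scenario() -> dict:
    ep = Endpoint("00:1b:d4:aa:bb:cc")
    out = {}
    coa = ep.learn(1, PHONE_SENSOR)                      # session 1: the real phone
    out["phone"] = (ep.profile, ep.authorize(1), coa)
    coa = ep.learn(2, PC_STATIC_IP)                      # session 2: PC with the phone's MAC
    out["spoofed_pc"] = (ep.profile, ep.authorize(2), coa)
    fresh = profile({k: v for k, (v, s) in ep.attrs.items() if s == 2})
    out["spoofed_pc_fresh_only"] = (fresh, ep.authorize(2, fresh_only=True), coa)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:24} profile={result[0]:22} authz={result[1]:7} profile_changed={result[2]}")
```

run_scenario() shows why the log would contain no CoA: in the second session nothing new reaches the endpoint record, so the profile cannot change and the authz result stays PERMIT. The fresh_only variant falls back to Cisco-Device (only the OUI condition is satisfied by this session's data), which is exactly the membership the poster says the PC should keep, and the 7911 rule denies. The caveat for a practitioner is the same in the model and in the field: a device-sensor based check is only as strong as the traffic the new device emits, and a PC with a static address and CDP/LLDP disabled emits nothing to profile.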
