747 Views · 0 Helpful · 1 Replies

Cisco ISE 2.1 and MAC spoofing

Hagen Winck
Level 1

We are implementing Cisco ISE in a large distributed deployment for 100K endpoints of a service provider.

We profile MAB devices using device-sensor feature on the Cisco switches.

So ISE profiling service gets all the CDP, LLDP, DHCP information and is able to profile for example a connected IP-Phone correctly into Cisco-Device->Cisco-IP-Phone->Cisco-IP-Phone-7911 on the ISE.

Now in the authorization policy we check if the device is profiled as 'Cisco-IP-Phone-7911' and if it is a known MAC address. (We add the MAC manually to an 'ALLOWED_MAC' list.)

Works like it should, but ... now the issue:


If we disconnect the phone and connect a Win PC and fake the MAC address to use the MAC of the phone, then the PC will always get authenticated AND authorized like the phone before.

The absence of all the profiling information (CDP, LLDP, DHCP) won't let the ISE change the identity group membership of this MAC.

Using the MAC-Address of the phone, the PC for sure will be a member of 'Cisco-Device' but should not be a member of 'Cisco-IP-Phone' and for sure not 'Cisco-IP-Phone-7911'.

The profiling information for these sub-groups is not available anymore.

Is this something the ISE is not capable of doing? Is something missing in our configuration?

1 Reply

davy.timmermans
Level 4

Your authz policy looks like: Profiled_7911 & member of allowed_mac

It's normal behavior that the authz rule is hit the first time, but normally a CoA should take place after a short time once ISE receives new info from the sensors.

You don't see a CoA action in the logging?
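A simplified model, added here and not code from Cisco or from either poster, of the behaviour both posts describe: profiling an endpoint from the sensor attributes stored on its record, the authz rule "profiled as 7911 AND MAC in ALLOWED_MAC", and whether a profile change (and therefore a CoA) results when a PC reuses the phone's MAC. The profile conditions, attribute values and MAC are constructed assumptions; the fresh_session switch contrasts merging new sensor data into the stale endpoint record with treating each session's sensor data as fresh.

```python
# Constructed, simplified model of ISE-style profiling (not ISE's own logic):
# each profile names its parent and one attribute condition; an endpoint is
# assigned the deepest profile whose whole ancestor chain matches.
PROFILES = {
    "Cisco-Device": (None, lambda a: a.get("OUI") == "Cisco"),
    "Cisco-IP-Phone": ("Cisco-Device",
                       lambda a: "IP Phone" in a.get("cdpCachePlatform", "")),
    "Cisco-IP-Phone-7911": ("Cisco-IP-Phone",
                            lambda a: "7911" in a.get("cdpCachePlatform", "")),
}
ALLOWED_MAC = {"00:1b:54:aa:bb:cc"}  # constructed sample entry, not a real device

def _chain(name):
    """A profile plus all of its ancestors, leaf first."""
    chain = []
    while name:
        chain.append(name)
        name = PROFILES[name][0]
    return chain

def profile(attrs):
    """Deepest profile whose entire ancestor chain matches the attributes."""
    hits = [n for n in PROFILES if all(PROFILES[m][1](attrs) for m in _chain(n))]
    return max(hits, key=lambda n: len(_chain(n)), default=None)

def authorize(mac, attrs):
    """The thread's authz rule: profiled as 7911 AND MAC on the allowed list."""
    return profile(attrs) == "Cisco-IP-Phone-7911" and mac in ALLOWED_MAC

def sensor_update(endpoint, new_attrs, fresh_session):
    """Apply device-sensor data from a new session. fresh_session=False merges
    into the stored record (stale CDP survives); True keeps only the OUI plus
    what this session re-learned. Returns (new profile, coa_needed)."""
    old = profile(endpoint["attrs"])
    kept = {"OUI": endpoint["attrs"]["OUI"]} if fresh_session else dict(endpoint["attrs"])
    endpoint["attrs"] = {**kept, **new_attrs}
    new = profile(endpoint["attrs"])
    return new, new != old

def spoof_scenario(fresh_session):
    """Phone authorizes; then a PC reusing its MAC sends only a Windows DHCP
    vendor class. Returns (phone authz, PC profile, CoA needed, PC authz)."""
    ep = {"mac": "00:1b:54:aa:bb:cc", "attrs": {       # constructed phone record
        "OUI": "Cisco", "cdpCachePlatform": "Cisco IP Phone 7911"}}
    first = authorize(ep["mac"], ep["attrs"])
    new_profile, coa = sensor_update(ep, {"dhcp-class-identifier": "MSFT 5.0"}, fresh_session)
    return first, new_profile, coa, authorize(ep["mac"], ep["attrs"])
```

With merge semantics the stale CDP attribute keeps the reused MAC in the 7911 profile, which matches what the question reports; only when attributes not re-learned in the new session are dropped does the profile fall back to Cisco-Device and a re-authorization become necessary.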