ISE device profiling and mac address spoofing test

BrianPersaud
Spotlight

Hi All
I set up ISE profiling for Cisco IP phones and it works as expected. I changed the certainty factor for Cisco-IP-Phone to a higher number to ensure that it would match on multiple criteria before allowing the IP phone.
From what I see, if I disconnect and reconnect the IP phone, ISE does not do a full profiling for the second attempt. Instead it checks the MAC address and recognizes that it is already profiled as a Cisco IP phone and allows it. This is a security issue because if I spoof the IP phone's MAC address on a laptop, for example, I will gain access to the network.

I verified this by setting up a laptop with the same MAC address as the IP phone. The laptop was successfully authorized using the same authorization policy that the phone used.
Is this expected behavior or am I missing some configuration steps?

ISE 2.4 Patch 9

IOS 16.6.6

Thanks

Brian

Accepted Solution

Mike.Cifelli
VIP Alumni
Something you may want to consider is configuring anomalous endpoint detection. Essentially this would aid in deterring such a scenario. A change in profile would trigger and you could quarantine via CoA. From doc:
Once detection is enabled, ISE monitors any new information received for existing endpoints and checks if these attributes have changed:
Endpoint Policy - A change in endpoint profile from Printer or IP phone to Workstation.
Just note that I am pretty sure you cannot tweak what attributes it monitors. Good luck & HTH!
See here for my detail: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html
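As an added illustration (not code from this thread or from ISE itself), a small model of the Endpoint Policy check quoted above and of the deny-on-anomalous authorization rule Brian later confirms: profiling events are replayed per MAC, a phone-to-workstation change is flagged and gets a CoA, while a plain phone reconnect or a first sighting of a MAC does not trigger anything. The sample events are constructed; the profile names other than Cisco-IP-Phone and Workstation, the CoA action label and the authorization rule names are assumptions.

```python
from dataclasses import dataclass

# Profile families named in the quoted doc text; names other than
# "Cisco-IP-Phone" and "Workstation" are assumptions for this example.
PHONE_OR_PRINTER = {"Cisco-IP-Phone", "Printer"}
WORKSTATION = {"Workstation", "Microsoft-Workstation", "Linux-Workstation"}

@dataclass
class EndpointState:
    profile: str             # last profile assigned to this MAC
    anomalous: bool = False  # set once flagged; not cleared automatically

def detect_anomalous(events, enforce=True):
    """Replay (mac, profile) profiling events in order; model only the
    Endpoint Policy check: a MAC already known as an IP phone or printer
    that is re-profiled as a workstation is flagged.  With enforce=True a
    CoA action is recorded for it.  Returns (state_by_mac, coa_actions)."""
    state, actions = {}, []
    for mac, profile in events:
        prev = state.get(mac)
        if prev is None:
            # First sighting: nothing to compare against, so no anomaly.
            state[mac] = EndpointState(profile)
            continue
        if (prev.profile in PHONE_OR_PRINTER and profile in WORKSTATION
                and not prev.anomalous):
            prev.anomalous = True
            if enforce:
                actions.append((mac, "CoA-Reauth"))  # assumed action label
        prev.profile = profile
    return state, actions

def authorize(state, mac):
    """Re-auth result; assumes the anomalous deny rule is evaluated before
    the profile-based permit rule, as in Brian's follow-up test."""
    ep = state.get(mac)
    if ep is not None and ep.anomalous:
        return "DenyAccess"
    if ep is not None and ep.profile in PHONE_OR_PRINTER:
        return "PermitAccess-Phone"
    return "Default"

# Constructed sample, not real ISE profiler output.
EVENTS = [
    ("00:11:22:33:44:55", "Cisco-IP-Phone"),  # phone profiled on first connect
    ("00:11:22:33:44:55", "Cisco-IP-Phone"),  # phone reconnects, same profile
    ("00:11:22:33:44:55", "Workstation"),     # laptop presenting the phone's MAC
    ("66:77:88:99:aa:bb", "Workstation"),     # unrelated laptop, first sighting
]
```

Running `detect_anomalous(EVENTS)` yields one CoA for the phone's MAC, and `authorize` then returns DenyAccess for it; with `enforce=False` the MAC is still flagged but no CoA is issued, matching the split between the Detection and Enforcement checkboxes.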


3 Replies

Thanks I am in the process of testing to see how it works.

I retested after enabling Enable Anomalous Behaviour Detection and Enable Anomalous Behaviour Enforcement along with the appropriate authorization policy. I set the laptop to use the same MAC address as the IP phone. It worked as expected and denied the laptop access to the network.