08-08-2019 06:55 AM
Hi All
I set up ISE profiling for Cisco IP phones and it works as expected. I changed the certainty factor for Cisco-IP-Phone to a higher number to ensure that it would match on multiple criteria before allowing the IP phone.
From what I see, if I disconnect and reconnect the IP phone, ISE does not do a full profiling for the second attempt. Instead it checks the MAC address, recognizes that it is already profiled as a Cisco IP phone, and allows it. This is a security issue because if I spoof the IP phone's MAC address on a laptop, for example, I will gain access to the network.
I verified this by setting up a laptop with the same MAC address as the IP phone. The laptop was successfully authorized using the same authorization policy that the phone used.
Is this expected behavior or am I missing some configuration steps?
ISE 2.4 Patch 9
IOS 16.6.6
Thanks
Brian
08-13-2019 08:01 AM
I retested after enabling "Enable Anomalous Behaviour Detection" and "Enable Anomalous Behaviour Enforcement" along with the appropriate authorization policy. I set the laptop to use the same MAC address as the IP phone. It worked as expected and denied the laptop access to the network.
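To make the two behaviours in this thread concrete, here is an added toy model of a MAC-keyed endpoint database with and without an anomaly check. It is constructed for illustration and is not Cisco ISE code: the attribute names (cdp_platform, dhcp_class_id, nas_port_type), the certainty scoring, the OUI prefix and the two sample sessions are all assumptions. The real feature watches a specific set of attributes documented by Cisco and acts through CoA plus an authorization rule on the anomalous-behaviour attribute; the point here is only the logic, namely that once a MAC is cached as Cisco-IP-Phone, a lookup on MAC alone permits a cloned MAC, while comparing the new session's profiling attributes against what was recorded catches the laptop.

```python
"""Toy model of MAC-keyed endpoint authorization, with and without an
anomaly check. Constructed example, not Cisco ISE code; attribute names,
scoring weights and sample sessions are assumptions for illustration."""
from dataclasses import dataclass

# Attributes the anomaly check compares between sessions (assumed set).
WATCHED_ATTRS = ("cdp_platform", "dhcp_class_id", "nas_port_type")

# Constructed sample sessions, as a profiler might collect them.
PHONE_SESSION = {
    "mac": "00:1b:d5:12:34:56",                 # hypothetical phone MAC
    "cdp_platform": "Cisco IP Phone 8845",
    "dhcp_class_id": "Cisco Systems, Inc. IP Phone CP-8845",
    "nas_port_type": "Ethernet",
}
LAPTOP_SPOOF_SESSION = {
    "mac": "00:1b:d5:12:34:56",                 # same MAC, cloned on a laptop
    "cdp_platform": None,                       # laptop does not send CDP
    "dhcp_class_id": "MSFT 5.0",                # Windows DHCP vendor class
    "nas_port_type": "Ethernet",
}


def profile_score(session):
    """Toy certainty scoring for the Cisco-IP-Phone profile (weights assumed)."""
    score = 0
    if session["mac"].lower().startswith("00:1b:d5"):      # assumed Cisco OUI
        score += 10
    if "ip phone" in (session.get("cdp_platform") or "").lower():
        score += 30
    if "ip phone" in (session.get("dhcp_class_id") or "").lower():
        score += 30
    return score


def classify(session, min_certainty=60):
    """Raised certainty factor: OUI alone (10) is not enough, two matches are."""
    return "Cisco-IP-Phone" if profile_score(session) >= min_certainty else "Unknown"


@dataclass
class Endpoint:
    profile: str
    attrs: dict


class EndpointDB:
    """MAC-keyed endpoint cache. Detection flags a MAC whose watched attributes
    changed since it was profiled; enforcement makes the policy deny it."""

    def __init__(self, min_certainty=60, anomaly_detection=False,
                 anomaly_enforcement=False):
        self.min_certainty = min_certainty
        self.anomaly_detection = anomaly_detection or anomaly_enforcement
        self.anomaly_enforcement = anomaly_enforcement
        self.endpoints = {}      # MAC -> Endpoint
        self.anomalous = set()   # MACs flagged by detection

    def authorize(self, session):
        """Return (decision, profile, changed_attrs) for one session."""
        mac = session["mac"].lower()
        if mac not in self.endpoints:
            # First sighting: full profiling against the certainty threshold.
            prof = classify(session, self.min_certainty)
            self.endpoints[mac] = Endpoint(
                prof, {k: session.get(k) for k in WATCHED_ATTRS})
            return ("PERMIT" if prof == "Cisco-IP-Phone" else "DENY", prof, [])
        # Known MAC: the cached profile is reused, as the thread observed.
        known = self.endpoints[mac]
        changed = [k for k in WATCHED_ATTRS if known.attrs.get(k) != session.get(k)]
        if changed and self.anomaly_detection:
            self.anomalous.add(mac)
        if mac in self.anomalous and self.anomaly_enforcement:
            return ("DENY", known.profile, changed)   # authz rule on the flag
        return ("PERMIT" if known.profile == "Cisco-IP-Phone" else "DENY",
                known.profile, changed)


def demo():
    """Run both configurations over the phone and then the cloned laptop."""
    naive = EndpointDB()
    hardened = EndpointDB(anomaly_detection=True, anomaly_enforcement=True)
    results = {}
    for name, db in (("naive", naive), ("hardened", hardened)):
        results[name] = (db.authorize(PHONE_SESSION),
                         db.authorize(LAPTOP_SPOOF_SESSION))
    return results


if __name__ == "__main__":
    for name, (phone, laptop) in demo().items():
        print(name, "phone:", phone, "| spoofed laptop:", laptop)
```

Note that the laptop on its own never reaches the raised certainty threshold (OUI only scores 10), so the raised certainty factor does its job on a fresh MAC; what it cannot help with is a MAC that is already cached, which is exactly the gap the anomaly check closes.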