ISE Profiling MAC address - Elapsed time - MAC Spoofing

junk1
Cisco Employee

Hi

In Cisco ISE 1.4, when ISE profiles an endpoint and the endpoint is disconnected after a while, will ISE retain the endpoint's MAC address in the profiled database until it detects a change in the profiling information from the same MAC address?

This is regarding a security breach that happened at one of my ISE customers. When a laptop used a spoofed MAC address of a Cisco IP Phone, it got authorised as a Cisco IP Phone. There was no DHCP helper address configured for data VLANs (only configured for voice VLANs), and we only use DHCP and RADIUS as probes for profiling.

Is it because ISE didn't detect a profile information change on the same MAC address that it used the historical profiling data and authorised the MAC address as a Cisco IP Phone? It would be great if someone could confirm if this is correct or expected behaviour.

Thanks and Regards

V Vinodh.


2 Replies

hslai
Cisco Employee

In addition to anomalous detection, you should be educating your customer that any time you are using MAB authentication, the spoofing of a profiled MAC address or the spoofing of the profiling criteria is always a risk. Each profiled MAB class should have a DACL applied to limit access to the access required by that class. If you spoof a phone... congrats, you got on the network but can only do phone functions.
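The per-class DACL advice above can be checked mechanically. The following is an added example, not code from the posters or from Cisco: it audits a set of MAB authorization rules for a missing or over-permissive DACL. The rule names, DACL names, the 192.0.2.10 server address, the ports, and the requirement for an explicit final deny are all assumptions made for illustration.

```python
# Added example: audit MAB authorization rules for per-class DACLs.
# All rule names, DACL names, addresses and ports below are constructed samples.

# Constructed DACLs written in IOS extended-ACL syntax.
DACLS = {
    "PHONE_ONLY": [
        "permit udp any eq bootpc any eq bootps",
        "permit udp any host 192.0.2.10 eq tftp",   # placeholder call-control server
        "permit tcp any host 192.0.2.10 eq 2000",
        "permit udp any any range 16384 32767",     # RTP media (assumed range)
        "deny ip any any",
    ],
    "PERMIT_ALL": ["permit ip any any"],
}

# Constructed authorization rules: (rule name, matched profile class, DACL name or None).
RULES = [
    ("Phones-MAB", "Cisco-IP-Phone", "PHONE_ONLY"),
    ("Printers-MAB", "Printer", "PERMIT_ALL"),
    ("Cameras-MAB", "IP-Camera", None),
]

def audit_dacl(lines):
    """Return the findings for one DACL's entries."""
    findings = []
    aces = [" ".join(l.split()).lower() for l in lines if l.strip()]
    if any(a == "permit ip any any" for a in aces):
        findings.append("contains 'permit ip any any'")
    if not aces or aces[-1] != "deny ip any any":
        findings.append("does not end with explicit 'deny ip any any'")
    return findings

def audit_rules(rules, dacls):
    """Map each rule name to its list of findings (empty list means it passes)."""
    report = {}
    for name, profile, dacl in rules:
        if dacl is None:
            report[name] = [f"profile class {profile} has no DACL"]
        elif dacl not in dacls:
            report[name] = [f"DACL {dacl} is not defined"]
        else:
            report[name] = audit_dacl(dacls[dacl])
    return report

if __name__ == "__main__":
    for rule, findings in audit_rules(RULES, DACLS).items():
        print(rule, "OK" if not findings else "; ".join(findings))
```

With the phone class limited this way, a laptop that authenticates with a spoofed phone MAC reaches only the call-control server and media ports, which is the containment the reply describes.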