Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


MAB, MAC spoofing and Reprofiling,

I have taken over a solution which employs MAB for wired devices which are not configured for dot1x  e.g. some IP Phones.

The laptops are all dot1x compliant and they must be using dot1x to access the network.

The MAB devices are recognised as such and they are profiled correctly as IP Phones, using the standard Cisco ISE Profiling Policies which employ a "cdpcacheplatform" value. They are therefore authorised to access the network.

However I am able to take a MAC address off of one of the MAB devices, power it down, configure that MAC address on a non-dot1x laptop (an illegal device) and it gains access to the network. ISE reports that the device is still an IP Phone.

Surely if ISE can profile this device as a phone, using the Authorisation rule in the Policy Set, then when the port goes down and I plug a laptop into the port, ISE should detect that it is no longer a phone and re-profile it.

My understanding is that MAB relates to Authentication rather than Authorisation and it is the Authorisaiton that I would expect to reoccur.

I have read the Cisco papers however while they state that MAB does not prevent MAC spoofing, they do not state that profiling cannot be used to mitigate the risk.


Has anyone a clear view on the relation of MAB to profiling and CoA?





Accepted Solutions

bbriggs, did you ever find a resolution for this?

View solution in original post

Rising star

I believe that re-profiling only occurs when ise gets some new information upon authentication, so you should probably check which profiling probes you are using and actually have configured in your network, as cdp won't give you anything new, and the radius probe just has mac address which is the same, so nothing new there.

Also, maybe try deleting the mac address from the ise endpoint identity store (after disconnecting the phone) and then connect the pc with the spoofed mac addr, does it get profiled as a windows and or workstation?

There are quite a few probes running and I had hoped that the SNMPTraps could alert ISE or ISE would probe using SNMPQuery.

I can delete endpoint from the identity store and the device profiles as a laptop and is then blocked.

However my concern is that an unauthorised device could be introduced on to the network without my knowledge.I therefore would not know to delete its entry in the identity store.

I need a way for ISE to automatically detect that the method it used to profile the IP Phone, in this case CDP, is no longer valid since CDP is no longer being received on the switch-port.

Currently the Identity Store entry is merely updated with the new DATA IP address and name.

The profile still stays that the device is an IP Phone.


bbriggs, did you ever find a resolution for this?

View solution in original post

Yes Cisco eventually explained what was occurring. When a device gains access via MAB it is profiled. During the profiling a Certainty value is calculated. Let's say that a Certainty value for the IP Phone when profiled is 100.

Now let's assume that I spoof the MAC address of the IP Phone on my laptop.

I disconnect the IP Phone and plug in my laptop. It does not support dot1x (it would fail dot1x authentication) so it fails to MAB. (Assuming the auth order is dot1x then MAB).

My laptop is profiled and there will be various matches, however the Certainty value that it is a laptop is, for example, 80.

ISE does not update it's authentication "status" for that Endpoint.

ISE has an authentication\authorization Certainty value for that MAC address of 100 matching the profile of an IP Phone.

ISE does not, for want of a better expression, update its opinion.

Therefore my laptop is allowed on the network as an IP Phone.

I agree with this, my observation is also that almost nothing will make ISE change it's opinion of what profile an endpoint detected as. However i heard at the PVT and looked in the release notes for ISE 2.2, and it looks like some new feature has been introduced that sounds like it does something like re-profiling on the fly.

Ability to Detect Anomalous Behavior of Endpoints

Cisco ISE protects your network from the illegitimate use of a MAC address by detecting the endpoints involved in MAC address spoofing and allows you to restrict the permission of the suspicious endpoints. The following options are available in the profiler configuration page:

  • Enable Anomalous Behavior Detection—Cisco ISE probes for data and checks for any contradictions to the existing data. If any contradictions are found, the AnomalousBehavior attribute is set to true and the corresponding endpoints are displayed in the Context Visibility page.
  • Enable Anomalous Behavior Enforcement—A CoA is issued if anomalous behavior is detected. The suspicious endpoints are reauthorized based on the authorization rules configured in the Profiler Configuration page.

Thanks for that, we are considering that upgrade and any argument to get some momentum is always good.


Hello , i was wondering is Enable Anomalous Behavior Detection would also work on IP Spoofing. 

Here is the scenario the ISE Authorised and Authenticate based on 802.1x the Laptop. This laptop spoofs an ip address on the network. Would ISE be able to trigger using this option to reprofile the delinquent Laptop?

Thank you 

I am on 2.4 Patch 9 with the same issues.  I just enabled Enable Anomalous Behaviour Detection and Enable Anomalous Behaviour Enforcement.  I will test over the next 24 hours and see if this helps.  Otherwise it is a major security flaw.

Please update us about your findings after the upgrade to 2.4 since we are facing the same issue and we are running on 2.2

I retested after enabling Enable Anomalous Detection and enforcement


It worked as expected.  After connecting the ip phone it profiled it as a IP phone.  I then disconnected the IP phone and connected a laptop with the same mac address.  It allowed the laptop for a few secs based on the mac address.  Then after the laptop was profiled it detected it was a windows 10 device and blocked the mac address.

I then disconnected the laptop and reconnected back the ip phone.  However ISE seemed to have blocked the mac address permanently.  I deleted the mac address from the ISE database to fix this.



Content for Community-Ad