Preview Tool

Cisco Bug: CSCur48184 - ISE 1.2 ENH: profiling probes spoofing alert

Last Modified

Feb 27, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases


Description (partial)

We need to create alerts when an endpoint changes profile because different probes were received, and those probes match different profiling policy than the initial one.
For example:
Situation 1:
phone is profiled as Cisco-IP-Phone and PC is spoofing phone MAC address -> PC will send different probes and the endpoint profile for phone will change
Situation 2:
PC is profiled as Microsoft-Workstation and PC spoofs probes that will make the the PC endpoint be reprofiled as Cisco-IP-Phone

There is currently no way to monitor when an endpoint changes profile (which could be the case when spoofing happens)

Related Community Discussions

re-validating previously profiled ISE endpoints
Hello I was having a look at MAC spoofing with ISE I am using RADIUS/SNMP trap and query and DHCP probes. A Cisco 7911 phone correctly gets profiled as "Cisco-IP-Phone-7911". The endpoint in ISE shows all the correct cdp/lldp/dhcp details When I connect my windows laptop (spoofing the phones MAC), the laptop is authenticated as the phone. The endpoint is still profiled as "Cisco-IP-Phone-7911" - the endpoint shows the correct dhcp details for the laptop but retains the cdp/lldp details ...
Latest activity: Oct 21, 2016
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.