Guest

Preview Tool

Cisco Bug: CSCur48184 - ISE 1.2 ENH: profiling probes spoofing alert

Last Modified

Feb 27, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.2(1.198)

Description (partial)

Symptom:
We need to create alerts when an endpoint changes profile because different probes were received, and those probes match different profiling policy than the initial one.
For example:
Situation 1:
phone is profiled as Cisco-IP-Phone and PC is spoofing phone MAC address -> PC will send different probes and the endpoint profile for phone will change
Situation 2:
PC is profiled as Microsoft-Workstation and PC spoofs probes that will make the the PC endpoint be reprofiled as Cisco-IP-Phone

Conditions:
There is currently no way to monitor when an endpoint changes profile (which could be the case when spoofing happens)

Related Community Discussions

re-validating previously profiled ISE endpoints
Hello I was having a look at MAC spoofing with ISE 2.1.0.474 I am using RADIUS/SNMP trap and query and DHCP probes. A Cisco 7911 phone correctly gets profiled as "Cisco-IP-Phone-7911". The endpoint in ISE shows all the correct cdp/lldp/dhcp details When I connect my windows laptop (spoofing the phones MAC), the laptop is authenticated as the phone. The endpoint is still profiled as "Cisco-IP-Phone-7911" - the endpoint shows the correct dhcp details for the laptop but retains the cdp/lldp details ...
Latest activity: Oct 21, 2016
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.