Have a pen tester in and he was able to get on the network in 20 seconds by spoofing the mac address of a Cisco IP phone, which authenticates via MAB. I have conflict triggers on and enabled at the top of the MAB Service to deny spoof attempts, however this one did not catch. After working with TAC I received the following info on Conflicts:
1. Conflicts trigger if the fingerprint from the same source changes over time, resulting in two different device profiles. Example: a device is originally profiled as a computer when it first shows up on the network, but after spoofing the MAC of a printer, the endpoint DB will be updated as a printer and the Conflict True flag is raised.
2. Fingerprinting from different sources results in two different device categories. Example: profiled as a computer from DHCP fingerprinting, but profiled as a SmartDevice from HTTP fingerprinting.
With all of that being said, if a hacker comes on to your network and has never been seen before, and spoofs the address of a peripheral device (phone, printer, etc.) from the get-go, it seems there is no way to stop them, based on how conflict triggers work. ClearPass has never fingerprinted the device previously, so when it presents itself to ClearPass with the MAC of the phone it MAC Auths like the phone does.
Am I missing something, or is this a gaping hole in NAC in general? Taking suggestions for other ways to prevent this. Doing 802.1X on our phones and eliminating MAB is a plan of attack, but then the pen tester migrates to the printer in the next cube and you're back to the same problem.
Any advice anyone has would be most appreciated.
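The two Conflict rules from TAC and the gap the post describes, modelled as an added Python example (this is not ClearPass code and not from the original post); the MAC address, fingerprint sources and categories are constructed, and `mab_allowed` is an assumed simplification of a MAB policy that requires the profiled category plus no Conflict flag:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Endpoint:
    mac: str
    fingerprints: Dict[str, str] = field(default_factory=dict)  # source -> category
    category: Optional[str] = None
    conflict: bool = False

class EndpointDB:
    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}

    def observe(self, mac: str, source: str, category: str) -> Endpoint:
        """Record a fingerprint from one source (DHCP, HTTP, ...) for this MAC."""
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        previous = ep.fingerprints.get(source)
        # Rule 1: same source, category changes over time -> Conflict
        if previous is not None and previous != category:
            ep.conflict = True
        ep.fingerprints[source] = category
        # Rule 2: two different sources disagree on the category -> Conflict
        if len(set(ep.fingerprints.values())) > 1:
            ep.conflict = True
        ep.category = category
        return ep

    def mab_allowed(self, mac: str, role: str) -> bool:
        """Assumed MAB policy: MAC must be profiled as `role` with no Conflict flag."""
        ep = self.endpoints.get(mac)
        return ep is not None and ep.category == role and not ep.conflict

def run_scenario() -> Dict[str, bool]:
    """Walk through the post's scenario with a constructed phone MAC."""
    db = EndpointDB()
    phone_mac = "00:11:22:33:44:55"  # constructed: the real IP phone's MAC
    db.observe(phone_mac, "DHCP", "Cisco IP Phone")  # phone profiled days ago
    results = {}
    # 1. The real phone authenticates via MAB: allowed.
    results["phone_mab"] = db.mab_allowed(phone_mac, "Cisco IP Phone")
    # 2. A never-seen device presents the phone's MAC. Nothing in the endpoint
    #    record has changed yet, so neither rule fires and MAB also passes.
    results["spoof_first_mab"] = db.mab_allowed(phone_mac, "Cisco IP Phone")
    # 3. Only when that device later emits its own fingerprint (e.g. a computer
    #    DHCP request) does Rule 1 raise Conflict, after access was granted.
    db.observe(phone_mac, "DHCP", "Computer")
    results["conflict_after"] = db.endpoints[phone_mac].conflict
    results["spoof_later_mab"] = db.mab_allowed(phone_mac, "Cisco IP Phone")
    return results
```

The model shows why the flag is reactive: both rules compare against something already stored for that MAC, so the first MAB of an unchanged-looking endpoint has nothing to conflict with.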