https://community.cisco.com/t5/network-access-control/cisco-ise-profiling/m-p/3865729#M24799 So you should not need Anyconnect as it is not required for anomalous detection. One thing I would be cautious of is if you enable anomalous detection it is an all or nothing thing. Meaning you cannot tweak what it will use. I have asked if it has been road mapped, but have yet to hear. By default it will use the following to determine changes: Endpoint Policy DHCP Class ID NAS-Port-Type<BR />Also, ISE will re-categorize devices if you deploy profiles with higher MCFs and devices hit and match on those instead of a Cisco out of the box defined profile.<BR />Check this out: <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html</A><BR />HTH!<BR /> Fri, 31 May 2019 12:39:23 GMT Mike.Cifelli 2019-05-31T12:39:23Z https://community.cisco.com/t5/network-access-control/cisco-ise-profiling/m-p/3865678#M24798 <P>Hi ,&nbsp;</P><P>I am trying to understand&nbsp; how ISE will actively does the flowing.</P><P>Ability to Detect Anomalous Behavior of Endpoints<BR />Cisco ISE protects your network from the illegitimate use of a MAC address by detecting the endpoints involved in MAC address spoofing and allows you to restrict the permission of the suspicious endpoints. The following options are available in the profiler configuration page:</P><P>Enable Anomalous Behavior Detection—Cisco ISE probes for data and checks for any contradictions to the existing data. If any contradictions are found, the&nbsp;AnomalousBehavior&nbsp;attribute is set to true and the corresponding endpoints are displayed in the Context Visibility page.<BR />Enable Anomalous Behavior Enforcement—A CoA is issued if anomalous behavior is detected. The suspicious endpoints are reauthorized based on the authorization rules configured in the Profiler Configuration page.</P><P>&nbsp;</P><P><BR />Is any connect required for active anomaly detection. Because once a device is profiled and categorized, ISE will not re-categorized that device again untill removed from the database.&nbsp;</P><P>Or&nbsp;</P><P>ISE will always profile the device whenever it receive an authentication&nbsp; request from the device.&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>MD</P> Fri, 31 May 2019 10:35:20 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-profiling/m-p/3865678#M24798 munish.dhiman1 2019-05-31T10:35:20Z https://community.cisco.com/t5/network-access-control/cisco-ise-profiling/m-p/3865729#M24799 So you should not need Anyconnect as it is not required for anomalous detection. One thing I would be cautious of is if you enable anomalous detection it is an all or nothing thing. Meaning you cannot tweak what it will use. I have asked if it has been road mapped, but have yet to hear. By default it will use the following to determine changes: Endpoint Policy DHCP Class ID NAS-Port-Type<BR />Also, ISE will re-categorize devices if you deploy profiles with higher MCFs and devices hit and match on those instead of a Cisco out of the box defined profile.<BR />Check this out: <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html</A><BR />HTH!<BR /> Fri, 31 May 2019 12:39:23 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-profiling/m-p/3865729#M24799 Mike.Cifelli 2019-05-31T12:39:23Z