https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3937083#M456646 <P>I think it can be an indicator that something may not be right and worth digging into a particular endpoint to make sure it is a real issue or not.&nbsp; But I wouldn't trust it since it only fires in specific situations such as moving from phone to PC or vice versa.&nbsp; And it has a bug where it marks something anomalous when the DHCP Class Identifier changes.&nbsp; But it is normal for a Windows PC to present multiple DHCP Class Identifiers depending on what applications are installed.&nbsp; For example, the PC will send the normal MSFT-5.0 Class Identifier for the OS but then if Skype is installed, it will send another DHCP Class Identifier for Skype that looks like "MSFT-UC-Client".&nbsp; Some applications use the DHCP Class Identifier to locate resources like SIP servers, proxy configuration files, etc.</P><P>So if your environment only shows one or two anomalous endpoints here and there, then certainly dive in and investigate those machines.&nbsp; But don't automatically assume it is bad behavior.&nbsp; If you are seeing hundreds or thousands of anomalous machines, then it is likely because of a particular application.</P> Tue, 08 Oct 2019 12:56:18 GMT Colby LeMaire 2019-10-08T12:56:18Z https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3936505#M456641 <P>Hi All</P><P>&nbsp;</P><P>I'm running ISE 2.4 Patch 10.&nbsp; Besides deleting the mac address, is there another way to clear&nbsp;<SPAN>Anomalous Behaviour for the device?</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P><P>&nbsp;</P><P><SPAN>Brian Persaud</SPAN></P> Mon, 07 Oct 2019 15:40:28 GMT https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3936505#M456641 BrianPersaud 2019-10-07T15:40:28Z https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3936668#M456643 <P>There is no way that I am aware of other than deleting the endpoint.&nbsp; From context visibility, you can export all endpoints to a CSV file.&nbsp; Massage the CSV file back into the import format.&nbsp; Delete the anomalous endpoints from ISE.&nbsp; Import the CSV file to get the endpoints back.&nbsp; You will lose profiling data but at least you can ensure that you don't lose any static assignments.&nbsp; It would be nice if they put an option in to reset the Anomalous Behavior attribute.</P> Mon, 07 Oct 2019 20:07:38 GMT https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3936668#M456643 Colby LeMaire 2019-10-07T20:07:38Z https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3937066#M456645 Hi Colby thanks for the info and for the tip as well. Just out of curiosity, how often do you use anomalous behaviour for deployments. For sure I know there is major security benefits with it but it is worth it operationally?<BR /><BR />Thanks Tue, 08 Oct 2019 12:10:59 GMT https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3937066#M456645 BrianPersaud 2019-10-08T12:10:59Z https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3937083#M456646 <P>I think it can be an indicator that something may not be right and worth digging into a particular endpoint to make sure it is a real issue or not.&nbsp; But I wouldn't trust it since it only fires in specific situations such as moving from phone to PC or vice versa.&nbsp; And it has a bug where it marks something anomalous when the DHCP Class Identifier changes.&nbsp; But it is normal for a Windows PC to present multiple DHCP Class Identifiers depending on what applications are installed.&nbsp; For example, the PC will send the normal MSFT-5.0 Class Identifier for the OS but then if Skype is installed, it will send another DHCP Class Identifier for Skype that looks like "MSFT-UC-Client".&nbsp; Some applications use the DHCP Class Identifier to locate resources like SIP servers, proxy configuration files, etc.</P><P>So if your environment only shows one or two anomalous endpoints here and there, then certainly dive in and investigate those machines.&nbsp; But don't automatically assume it is bad behavior.&nbsp; If you are seeing hundreds or thousands of anomalous machines, then it is likely because of a particular application.</P> Tue, 08 Oct 2019 12:56:18 GMT https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3937083#M456646 Colby LeMaire 2019-10-08T12:56:18Z https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3937406#M456648 <P>Thanks I will definitely dig in some more to get to the bottom of it.&nbsp; I will start with the DHCP identifier since they are indeed doing Skype for business</P> Tue, 08 Oct 2019 20:16:02 GMT https://community.cisco.com/t5/network-access-control/clear-anomalous-behaviour/m-p/3937406#M456648 BrianPersaud 2019-10-08T20:16:02Z