topic Anomalous Behavior Exclusions in Network Access Control

Anomalous Behavior Exclusions

Daniel Lucas — Fri, 10 May 2019 13:42:36 GMT

I am running into a situation where I have some WDS PXE endpoints in my environment that are triggering the anomalous behavior flag. Reviewing the logs in ISE shows that the DHCP class-id changes from MSFT 5.0 to PXEClient; I am assuming when they reboot. Is there a way to exclude endpoints from being flagged as anomalous behavior? I am running ISE 2.6, and don't see much in terms of configuration except for a check box to enable; documentation doesn't show any additional options either.

-Thanks

Re: Anomalous Behavior Exclusions

yalbikaw — Fri, 10 May 2019 15:48:30 GMT

actually its hard to find a work around on this since,

the anomalous detection uses only 3 things

nas-port-type, class ID for dhcp and endpoint policy change.

these parameters are not configurable, maybe we can address this for enhancement to give the admin more control on the conditions for anomalous detection.