topic ISE-Anomalous client detection behaviour in Network Access Control

ISE-Anomalous client detection behaviour

Ayman El-BACHA — Tue, 03 Apr 2018 12:19:50 GMT

Our testing use cases included

1. client on wireless .1x(Android phone), Malicious user on wired MAB(windows 10 workstation)

2. client on wired MAB(cisco IP-phone), Malicious user on wired MAB(windows 10 workstation)

The case number 1 has succeeded, but for case 2, these are the following problems:

1-Anomalous behaviour is showing nothing.

2-Debug the endpoint is showing nothing.

3-The worksation (attacker) has been placed in the correct authenticatin and authorization policies( voice VLAN) but can't ping my gateway.

Regarding case 1, is it true that the real endpoint should be shown in Anomalous client detection behaviour page or the attacker endpoint.

Any documents or suggestions.

Re: ISE-Anomalous client detection behaviour

Craig Hyps — Tue, 03 Apr 2018 14:03:44 GMT

Please review Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco

It is important to understand if one of the matching criteria for Anomaly has been met. For example, changing from wireless to wired (or vice versa) is straight forward as this is captured as part of the RADIUS probe (enabled by default). To determine if there was a profile change or change in DHCP data requires that you validate the before and after profile assignment of the spoofed MAC, and/or the before and after profile details of the spoofed MAC. Since there is no change to the malicious user's data, only to the "real" MAC being spoofed, it is the latter which is flagged as Anomalous. It is the anomaly in attributes associated with the original MAC address.

Craig

Re: ISE-Anomalous client detection behaviour

Ayman El-BACHA — Wed, 04 Apr 2018 09:11:05 GMT