https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3478853#M520572 <HTML><HEAD></HEAD><BODY><P>Hi Experts,</P><P></P><P>Referring to an older discussion: <A href="https://cisco.jiveon.com/message/415834?commentID=415834#comment-415834" title="https://cisco.jiveon.com/message/415834?commentID=415834#comment-415834">https://cisco.jiveon.com/message/415834?commentID=415834#comment-415834</A></P><P>It's mentioned that detection will work based on dhcp class id change and endpoint ID group change.</P><P></P><P>There is a customer facing document mentioning 4 parameters:</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-Configure-Anomalous-Endpoint-Detection-a.html" style="font-size: 10pt;" title="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-Configure-Anomalous-Endpoint-Detection-a.html">Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco</A></P><P></P><P>The information is a little conflicting and I just wanted clarification on what conditions will anomalous endpoint detection trigger?&nbsp; We know that detection based on dhcp-class-id works.&nbsp; If the other parameters mentioned are incorrect or not considered for detection, i will get the external document edited to reflect the current status of the feature: </P><OL style="margin-top: 10px; margin-bottom: 10px; margin-left: 15px; font-size: 14px; font-family: CiscoSans, Arial, sans-serif; list-style-position: inside; list-style-image: initial; color: #58585b;"><LI><SPAN style="font-style: inherit; font-weight: bold; font-size: inherit; font-family: inherit;">NAS-Port-Type</SPAN> - Determines if the access method of this endpoint has changed. For example, if the same MAC address that connected via Wired Dot1x has been used for Wireless Dot1x and visa-versa.</LI><LI><SPAN style="font-style: inherit; font-weight: bold; font-size: inherit; font-family: inherit;">DHCP Class ID</SPAN> - Determines whether the type of client/vendor of endpoint has changed.</LI><LI><SPAN style="font-style: inherit; font-weight: bold; font-size: inherit; font-family: inherit;">Operating System - </SPAN>Significant OS changes such as Windows to Apple iOS.</LI><LI><SPAN style="font-style: inherit; font-weight: bold; font-size: inherit; font-family: inherit;">Endpoint Policy - </SPAN>Significant profile changes. For example, a change from Phone or Printer to PC.</LI></OL><P></P><P>Thanks!</P></BODY></HTML> Mon, 23 Oct 2017 19:53:16 GMT Devrat Kamath 2017-10-23T19:53:16Z https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3478853#M520572 <HTML><HEAD></HEAD><BODY><P>Hi Experts,</P><P></P><P>Referring to an older discussion: <A href="https://cisco.jiveon.com/message/415834?commentID=415834#comment-415834" title="https://cisco.jiveon.com/message/415834?commentID=415834#comment-415834">https://cisco.jiveon.com/message/415834?commentID=415834#comment-415834</A></P><P>It's mentioned that detection will work based on dhcp class id change and endpoint ID group change.</P><P></P><P>There is a customer facing document mentioning 4 parameters:</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-Configure-Anomalous-Endpoint-Detection-a.html" style="font-size: 10pt;" title="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-Configure-Anomalous-Endpoint-Detection-a.html">Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco</A></P><P></P><P>The information is a little conflicting and I just wanted clarification on what conditions will anomalous endpoint detection trigger?&nbsp; We know that detection based on dhcp-class-id works.&nbsp; If the other parameters mentioned are incorrect or not considered for detection, i will get the external document edited to reflect the current status of the feature: </P><OL style="margin-top: 10px; margin-bottom: 10px; margin-left: 15px; font-size: 14px; font-family: CiscoSans, Arial, sans-serif; list-style-position: inside; list-style-image: initial; color: #58585b;"><LI><SPAN style="font-style: inherit; font-weight: bold; font-size: inherit; font-family: inherit;">NAS-Port-Type</SPAN> - Determines if the access method of this endpoint has changed. For example, if the same MAC address that connected via Wired Dot1x has been used for Wireless Dot1x and visa-versa.</LI><LI><SPAN style="font-style: inherit; font-weight: bold; font-size: inherit; font-family: inherit;">DHCP Class ID</SPAN> - Determines whether the type of client/vendor of endpoint has changed.</LI><LI><SPAN style="font-style: inherit; font-weight: bold; font-size: inherit; font-family: inherit;">Operating System - </SPAN>Significant OS changes such as Windows to Apple iOS.</LI><LI><SPAN style="font-style: inherit; font-weight: bold; font-size: inherit; font-family: inherit;">Endpoint Policy - </SPAN>Significant profile changes. For example, a change from Phone or Printer to PC.</LI></OL><P></P><P>Thanks!</P></BODY></HTML> Mon, 23 Oct 2017 19:53:16 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3478853#M520572 Devrat Kamath 2017-10-23T19:53:16Z https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3478854#M520574 <HTML><HEAD></HEAD><BODY><P>(3) OS is not a direct attribute used in Anomalous Behavior Detection (ABD) Phase 1. It might be implied from 2 and 4.</P></BODY></HTML> Tue, 24 Oct 2017 04:33:31 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3478854#M520574 hslai 2017-10-24T04:33:31Z https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3478855#M520579 <HTML><HEAD></HEAD><BODY><P>Thanks Hsing, that makes sense.&nbsp; I spoke to Hariprasad over Jabber and he mentioned as of now the feature requires DHCP-Class-ID to detect the change.&nbsp; In most cases where i speak to customers, we don't expect that a spoofed device will request a DHCP IP, it uses a static IP and spoofs the MAC address. The RADIUS probe MAC OUI won't change and because of lack of other attributes, an OS change or re-profile doesn't trigger and the anomalous detection stays dormant.&nbsp; What are our mandatory conditions for the anomalous detection to trigger is what I'm trying to figure out.</P></BODY></HTML> Thu, 26 Oct 2017 19:19:34 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3478855#M520579 Devrat Kamath 2017-10-26T19:19:34Z https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3478856#M520582 <HTML><HEAD></HEAD><BODY><P>See <A href="https://community.cisco.com/message/276519">Re: Anomalous client detection behaviour</A> where this topic is covered and specific conditions spelled out.&nbsp; The following TZ article has since been updated as well to more clearly spell out current logic as of ISE 2.3.</P><P><A href="https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configure-Anomalous-Endpoint-Detection-and-Enforcement-on-ISE-2/ta-p/1010523" title="https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configure-Anomalous-Endpoint-Detection-and-Enforcement-on-ISE-2/ta-p/1010523">https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configure-Anomalous-Endpoint-Detection-and-Enforcement-on-ISE…</A></P><P></P><P>Craig</P></BODY></HTML> Sat, 16 Dec 2017 00:16:36 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3478856#M520582 Craig Hyps 2017-12-16T00:16:36Z https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3905509#M520586 <P>Is there an article for public viewing?</P> Thu, 08 Aug 2019 18:03:03 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-anomalous-endpoint-detection/m-p/3905509#M520586 BrianPersaud 2019-08-08T18:03:03Z