https://community.cisco.com/t5/network-access-control/anomalous-behaviour-not-alerting/m-p/3420378#M535831 <HTML><HEAD></HEAD><BODY><P>As a follow up, we closed on this offline by describing options to set DHCP options in Linux.</P><P></P><P>Craig</P></BODY></HTML> Tue, 16 May 2017 20:23:29 GMT Craig Hyps 2017-05-16T20:23:29Z https://community.cisco.com/t5/network-access-control/anomalous-behaviour-not-alerting/m-p/3420375#M535828 <HTML><HEAD></HEAD><BODY><P>Hello, </P><P></P><P>I am trying to work in my lab with the anomalies detection capability.</P><P>I have followed the guide from TAC on it (<A href="http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-Configure-Anomalous-Endpoint-Detection-a.html" title="http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-Configure-Anomalous-Endpoint-Detection-a.html">Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco</A>) but it does not seem to be working as it should.</P><P></P><P>I have enabled only visibility and not enforcement.</P><UL><LI>I have 2 clients, one Windows and one Linux. They both are profiled fine. Then I turn off the Windows machine, and make sure the session is ended. I spoof on the Linux machine the MAC of the Windows and I connected it to the network again.</LI><LI>I see the profile changing from Windows ti Linux, but no anomalous behavior is set.</LI><LI>I look at the debug, but I have no entry for anomalous behavior as per the guide.</LI></UL><P>The only entry I have on the ISE GUI (and on the log file), is the following</P><P></P><TABLE><TBODY><TR><TD>4= DEVICE.Device Type, 5=Dot1x, 72=All_User_ID_Stores, 73=Internal Users, 76=All_AD_Join_Points, 77=All_AD_Join_Points, 78=TRUSTSEC\\employee1, 79=trustsec.local, 80=trustsec.local, 82=employee1@trustsec.local, 83=All_AD_Join_Points, 100=ad, 101=CLIENT-WIN7-HQ$@trustsec.local, 102=trustsec.local, 103=trustsec.local, 104=trustsec.local, 106=ad, 110= Session.EPSStatus, 111= EndPoints.AnomalousBehaviour, 112= EndPoints.EndPointPolicy, 113= CERTIFICATE.Subject - Common Name, 114=ad, 115=trustsec.local, 116=ad, 117=trustsec.local, 118=ad, 119=ad, 120= ad.ExternalGroups, 121= PassiveID.PassiveID_Groups, 122= Radius.Calling-Station-ID, 123= Normalised Radius.RadiusFlowType, 124=Employees</TD></TR></TBODY></TABLE><P></P><P></P><P>What should I do to have it working? Am I doing anything wrong?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 16 May 2017 13:55:32 GMT https://community.cisco.com/t5/network-access-control/anomalous-behaviour-not-alerting/m-p/3420375#M535828 martucci 2017-05-16T13:55:32Z https://community.cisco.com/t5/network-access-control/anomalous-behaviour-not-alerting/m-p/3420376#M535829 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For both the Windows and Linux endpoints, the DHCP class-identifier must reach ISE. What value do you see in both the cases (in Endpoint Context Visibility) ?</P><P></P><P>-Hari</P></BODY></HTML> Tue, 16 May 2017 15:14:14 GMT https://community.cisco.com/t5/network-access-control/anomalous-behaviour-not-alerting/m-p/3420376#M535829 hariholla 2017-05-16T15:14:14Z https://community.cisco.com/t5/network-access-control/anomalous-behaviour-not-alerting/m-p/3420377#M535830 <HTML><HEAD></HEAD><BODY><P>Thanks Hari,</P><P></P><P>Turns out Ubuntu does not send the class-identifier, so that is stuck in Microsoft</P></BODY></HTML> Tue, 16 May 2017 16:05:19 GMT https://community.cisco.com/t5/network-access-control/anomalous-behaviour-not-alerting/m-p/3420377#M535830 martucci 2017-05-16T16:05:19Z https://community.cisco.com/t5/network-access-control/anomalous-behaviour-not-alerting/m-p/3420378#M535831 <HTML><HEAD></HEAD><BODY><P>As a follow up, we closed on this offline by describing options to set DHCP options in Linux.</P><P></P><P>Craig</P></BODY></HTML> Tue, 16 May 2017 20:23:29 GMT https://community.cisco.com/t5/network-access-control/anomalous-behaviour-not-alerting/m-p/3420378#M535831 Craig Hyps 2017-05-16T20:23:29Z