topic Re: anomalous client detection - how to remove client in Network Access Control

anomalous client detection - how to remove client

greg2.0 — Fri, 16 Sep 2016 14:56:15 GMT

Clients are getting caught by the anomalous client detection function in ISE. The list of clients can be displayed via the misconfigured supplicants report. Is there a way to remove a device from this list to allow it to attempt to reconnect before the timer expires?

Thanks

Greg

Re: anomalous client detection - how to remove client

Jason Kunst — Fri, 16 Sep 2016 15:01:48 GMT

What version of ISE

Re: anomalous client detection - how to remove client

greg2.0 — Fri, 16 Sep 2016 15:05:00 GMT

1.4 patch 3

Re: anomalous client detection - how to remove client

Jason Kunst — Fri, 16 Sep 2016 15:45:41 GMT

Please check out aawoland blog that discusses this and shows the mechanisms to disable, there is screenshot for ISE 2.0

http://www.networkworld.com/article/3053669/security/troubleshooting-ciscos-ise-without-tac.html

Re: anomalous client detection - how to remove client

greg2.0 — Fri, 16 Sep 2016 15:58:57 GMT

Thanks Jason.

To clarify, will disabling log suppression for the single client also remove the client from the anomalous blacklist? Right now system is configured to reject requests for 60 minutes.

Re: anomalous client detection - how to remove client

Jason Kunst — Fri, 16 Sep 2016 16:02:45 GMT

It will remove it for 1 hour, if its acting correctly then it won't be put back into the bad list

Re: anomalous client detection - how to remove client

Jason Kunst — Tue, 20 Sep 2016 14:54:06 GMT

Further clarification

Key difference is whether client hits Access-Reject or not.

If client is simply flagged anomalous, then PSN suppresses the sending of logs to MnT, but auth fully processed as Hsing noted. I think it is possible to bypass suppression if simply flagged anomalous. However, if client marked for Access Reject, PSN no longer processes the requests for the rejection interval which can be set as low as 5 min. If bypass suppression at this point, I don’t think client will be removed from access-reject response.

Re: anomalous client detection - how to remove client

hslai — Tue, 20 Sep 2016 21:19:41 GMT

If you are using the default setting for [ Request Rejection Interval ], which is 60 minutes, then the endpoint will jail for an hour.

To be able to allow the endpoint fully re-evaluated for authentications, the options are:

Create a collection filter to by-pass the suppression on the endpoint MAC address.
Lower the request rejection interval for anomalous client detection.
Disable the option to suppress anomalous clients. <-- OK for lab testing but not recommended for production.

Re: anomalous client detection - how to remove client

ajc — Tue, 20 Sep 2016 21:40:15 GMT

One additional question:

Based on my testing and the following note from Aaron Rowand (Cisco Expert), when the authentication fails TWICE no matter the DETECTION INTERVAL you have configured, the MAC address is added to the suppression list so any AUTHC request is rejected.

Detection Interval will flag misbehaving supplicants when they fail authentication more than once per interval.

BTW, looks like this behavior only applies to MAB AUTHC because I tried on PEAP using AD valid credentials and nothing happened with the MAC of the device failing the authentication (only I locked the AD acct after multiple wrong passwords). More testing in progress.

thanks

Re: anomalous client detection - how to remove client

hslai — Tue, 20 Sep 2016 21:55:24 GMT

1 minutes is the minimal value for the detection interval. Thus, an endpoint will get flagged as misbehaving in case 2+ consecutive failures within a minute. If failing only once every few minutes while the detection interval sets to 1 minute, then all the auth failures will be shown in M&T.