https://community.cisco.com/t5/network-access-control/why-does-anomalous-behaviour-triggered-when-epoint-lastactiv-is/m-p/4491353#M570625 <P>Hi Mikhail</P><P>i have similar problem with some&nbsp; endpoints in one account. so far it looked like endpoint was cycling DHCP procedure from wrong VLAN. interesting is it was able to obtain IP-addressing (every time new IP or in cycle) whilst it shouldnt. i'm still in investigation process (DHCP-relays &amp; DHCP-servers r out of my mgmt authority) but i'm pretty sure the change of addressing enforces accounting request turned into misconfigured NAD detected alert on ISE.</P> Sun, 24 Oct 2021 17:16:32 GMT Andrii Oliinyk 2021-10-24T17:16:32Z https://community.cisco.com/t5/network-access-control/why-does-anomalous-behaviour-triggered-when-epoint-lastactiv-is/m-p/4466792#M569697 <P>We have ISE 2.7 with patch4.</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>Some endpoints are defined by ISE as "AnomalousBehaviour true"<BR /></SPAN></SPAN></SPAN></P><P>But I don't understand why ISE triggered for <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>these</SPAN></SPAN></SPAN> endpoints.</P><P>I found this via the show logging application profiler.log</P><P>&nbsp;</P><P>Endpoint LastActivity is null/empty. Updating it with updatetime<BR />MAC: XX:XX:XX:XX:XX:XX Significant attribue: AnomalousBehaviour new value: true old value: null</P><P>&nbsp;</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>How to resolve it?</SPAN></SPAN></SPAN></P><P>&nbsp;</P> Wed, 15 Sep 2021 09:03:50 GMT https://community.cisco.com/t5/network-access-control/why-does-anomalous-behaviour-triggered-when-epoint-lastactiv-is/m-p/4466792#M569697 MikhailDemekhov96072 2021-09-15T09:03:50Z https://community.cisco.com/t5/network-access-control/why-does-anomalous-behaviour-triggered-when-epoint-lastactiv-is/m-p/4466836#M569698 Hi,<BR /><BR />This is triggered by one of the following conditions (these can be viewed<BR />from profiler.log).<BR /><BR /><BR /> 1. NAS-Port-Type - Determines if the access method of this endpoint has<BR /> changed. For example, if the same MAC address that connected via Wired<BR /> Dot1x is used for Wireless Dot1x and visa-versa.<BR /><BR /> 2. DHCP Class ID - Determines whether the type of client/vendor of<BR /> endpoint has changed. This only applies when DHCP class ID attribute is<BR /> populated with a certain value and is then changed to another value. If an<BR /> endpoint is configured with a static IP, the DHCP class ID attribute will<BR /> not be populated on ISE. Later on, if another device spoofs the MAC address<BR /> and uses DHCP, the Class ID will change from an empty value to a specific<BR /> string. This will not trigger Anomouls Behaviour detection.<BR /><BR /> 3. Endpoint Policy - A change in endpoint profile from Printer or IP<BR /> phone to Workstation.<BR /><BR /><BR />See this doc for more information and how to disable it.<BR /><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html</A><BR /><BR />**** please remember to rate useful posts<BR /><BR /> Wed, 15 Sep 2021 10:20:10 GMT https://community.cisco.com/t5/network-access-control/why-does-anomalous-behaviour-triggered-when-epoint-lastactiv-is/m-p/4466836#M569698 Mohammed al Baqari 2021-09-15T10:20:10Z https://community.cisco.com/t5/network-access-control/why-does-anomalous-behaviour-triggered-when-epoint-lastactiv-is/m-p/4467007#M569707 <P>Thank for your reply!</P><P>But <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>I could not find</SPAN></SPAN></SPAN> change for these AttrName in the profiler.log</P><P>I found:<BR />Significant attribute change detected, persisting EP: D0:BF:9C:33:05:0B</P><P>:D0:BF:9C:33:05:0B:c675b270-154d-11ec-a66d-02422d8e8bc0::- Endpoint LastActivity is null/empty. Updating it with updatetime<BR />com.cisco.profiler.im.EndPoint -:D0:BF:9C:33:05:0B:c675b270-154d-11ec-a66d-02422d8e8bc0::- MAC: D0:BF:9C:33:05:0B Significant attribue: AnomalousBehaviour new value: true old value: null</P><P>&nbsp;</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>What could be the reasons for this behavior?</SPAN></SPAN></SPAN></P> Wed, 15 Sep 2021 14:00:51 GMT https://community.cisco.com/t5/network-access-control/why-does-anomalous-behaviour-triggered-when-epoint-lastactiv-is/m-p/4467007#M569707 MikhailDemekhov96072 2021-09-15T14:00:51Z https://community.cisco.com/t5/network-access-control/why-does-anomalous-behaviour-triggered-when-epoint-lastactiv-is/m-p/4491353#M570625 <P>Hi Mikhail</P><P>i have similar problem with some&nbsp; endpoints in one account. so far it looked like endpoint was cycling DHCP procedure from wrong VLAN. interesting is it was able to obtain IP-addressing (every time new IP or in cycle) whilst it shouldnt. i'm still in investigation process (DHCP-relays &amp; DHCP-servers r out of my mgmt authority) but i'm pretty sure the change of addressing enforces accounting request turned into misconfigured NAD detected alert on ISE.</P> Sun, 24 Oct 2021 17:16:32 GMT https://community.cisco.com/t5/network-access-control/why-does-anomalous-behaviour-triggered-when-epoint-lastactiv-is/m-p/4491353#M570625 Andrii Oliinyk 2021-10-24T17:16:32Z