topic Re: Enable anomalous behavior enforcement on ISE 3.1 in Network Access Control

Enable anomalous behavior enforcement on ISE 3.1

Da ICS16 — Mon, 06 May 2024 11:34:29 GMT

Dear Community,

We use ISE 3.1 P6

we notice there are some anomalous behavior endpoints increase day by day.

There are some endpoint not connected long time, some PCs hit Default policy, some PCs are status connecting including MAB profiling.

Is there any impact with ISE performance and current PCs and all MAB profiling if enable feature Enforcement?

Kindly share goof practice and recommend to enhance more visibility and under managed from ISE.

Thanks,

Re: Enable anomalous behavior enforcement on ISE 3.1

Arne Bier — Mon, 06 May 2024 22:58:22 GMT

I would not enable Anomaly Enforcement until I knew exactly that these are not false positives. I have never used this feature and quite frankly, I don't see it being very useful, since ISE doesn't give us any nerd knobs to tune the logic of what is considered to be "anomalous". It's not flexible. When I see counters increasing, I always try to find the reason WHY. And so far I have never had that "ah ha" moment where I realise there is a problem in the network. In my experience so far, ISE doesn't tell you anything useful - it will say that a profile changed from Windows 10 to Windows 10. Yeah right - thanks.

The only time I have seen anomaly detection catch a real anomaly, was with one brand of desk phone, that for some stupid reason, executed DHCP twice during boot up. First time around, it boots up as a Linux OS, and then once it's semi-booted up, another IP stack initialises, and presents itself as an MSFT (Microsoft) - but this is expected normal for this vendor product.

Have you looked into any of your own anomalies so far, and if so, what have you found?

Re: Enable anomalous behavior enforcement on ISE 3.1

Da ICS16 — Fri, 31 May 2024 04:36:22 GMT

Dear @Arne Bier ,

We tried workaround by remove some offline endpoint like printer from context visibility.

Next few days it will come back flag as Anomalous Behavior. That printer we created as profiling based on OUI mac address.

Thanks,

Re: Enable anomalous behavior enforcement on ISE 3.1

Arne Bier — Fri, 31 May 2024 04:56:21 GMT

Not sure if this is your problem, but it's not uncommon for older ISE releases to have bugs - ISE 3.1 is getting a bit "old" already. Might be worth upgrading. Have a look through the ISE Dashboard (click on Anomalous counter) to see if you can spot the reason why the endpoint was flagged as Anomalous. I doesn't tell you there and then - might need to dig around the Operations Reports too. Operations > Reports > Endpoints and Users > Profiled Endpoint Summary

Locate the MAC address there and click on "Raw Log"