04-03-2018 05:19 AM
Our testing use cases included:
1. Client on wireless 802.1X (Android phone); malicious user on wired MAB (Windows 10 workstation)
2. Client on wired MAB (Cisco IP phone); malicious user on wired MAB (Windows 10 workstation)
Case 1 succeeded, but for case 2 there are the following problems:
1. Anomalous behaviour shows nothing.
2. Debugging the endpoint shows nothing.
3. The workstation (attacker) has been placed in the correct authentication and authorization policies (voice VLAN) but can't ping my gateway.
Regarding case 1, is it true that the real endpoint should be shown on the Anomalous client detection behaviour page, or the attacker endpoint?
Any documents or suggestions?
04-03-2018 07:03 AM
Please review Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco
It is important to understand if one of the matching criteria for Anomaly has been met. For example, changing from wireless to wired (or vice versa) is straightforward as this is captured as part of the RADIUS probe (enabled by default). To determine if there was a profile change or change in DHCP data requires that you validate the before and after profile assignment of the spoofed MAC, and/or the before and after profile details of the spoofed MAC. Since there is no change to the malicious user's data, only to the "real" MAC being spoofed, it is the latter which is flagged as Anomalous. It is the anomaly in attributes associated with the original MAC address.
Craig
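To make the point in the reply concrete, below is an added, simplified model of the detection logic. It is illustrative Python written for this thread, not Cisco ISE code; the class names, MAC addresses, DHCP class identifiers, profile names and sample sessions are all constructed. The model keeps the last-seen attributes for each MAC and reports an anomaly against the MAC whose attributes changed (access method from the RADIUS NAS-Port-Type, DHCP class identifier, assigned profile). That is why the spoofed "real" endpoint, not the attacker's, is the one flagged, and why a wired-to-wired clone with no DHCP data and an unchanged profile, as in case 2, produces nothing.

```python
"""Simplified model of MAC-spoofing (anomalous endpoint) detection.

Added illustration for this thread, not Cisco ISE code. It mirrors the
criteria the reply describes: an access-method change (wireless vs. wired,
visible from RADIUS NAS-Port-Type), a DHCP class identifier change and an
endpoint profile change, all evaluated against the attributes last seen for
the same MAC address. Names, MACs and sample sessions below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# RADIUS NAS-Port-Type values (RFC 2865 names) grouped into access methods.
ACCESS_METHOD = {"Wireless-802.11": "wireless", "Ethernet": "wired"}


@dataclass(frozen=True)
class Session:
    mac: str
    nas_port_type: str             # from the RADIUS probe
    dhcp_class_id: Optional[str]   # DHCP option 60; None if no DHCP data was seen
    profile: str                   # endpoint profile assigned by the profiler


@dataclass
class Baseline:
    access: str
    dhcp_class_id: Optional[str]
    profile: str


class AnomalyDetector:
    """Keeps the last-seen attributes per MAC and flags that MAC on change."""

    def __init__(self) -> None:
        self.baselines: dict[str, Baseline] = {}

    def observe(self, s: Session) -> list[str]:
        """Record a session and return the anomaly reasons for s.mac."""
        mac = s.mac.lower()
        access = ACCESS_METHOD.get(s.nas_port_type, "other")
        prev = self.baselines.get(mac)
        reasons: list[str] = []
        if prev is not None:
            if prev.access != access:
                reasons.append(f"access method changed {prev.access}->{access}")
            # Only compare DHCP data when both sides actually have it; a
            # static-IP attacker produces no DHCP probe data at all.
            if prev.dhcp_class_id and s.dhcp_class_id and prev.dhcp_class_id != s.dhcp_class_id:
                reasons.append(
                    f"DHCP class identifier changed {prev.dhcp_class_id!r}->{s.dhcp_class_id!r}"
                )
            if prev.profile != s.profile:
                reasons.append(f"profile changed {prev.profile}->{s.profile}")
        # Roll the baseline forward, keeping the old DHCP data if none was seen now.
        dhcp = s.dhcp_class_id if s.dhcp_class_id else (prev.dhcp_class_id if prev else None)
        self.baselines[mac] = Baseline(access, dhcp, s.profile)
        return reasons


def run_cases() -> dict[str, list[str]]:
    """Replay the two test cases from the question plus one variant."""
    results: dict[str, list[str]] = {}

    # Case 1: Android phone on wireless 802.1X, then its MAC cloned onto a
    # wired MAB port by a Windows 10 workstation. The anomaly is attributed
    # to the phone's MAC, because that is the identity whose attributes changed.
    det = AnomalyDetector()
    phone = "AA:BB:CC:00:00:01"
    det.observe(Session(phone, "Wireless-802.11", "android-dhcp-9", "Android"))
    results["case1"] = det.observe(Session(phone, "Ethernet", "MSFT 5.0", "Android"))

    # Case 2: Cisco IP phone on wired MAB, then its MAC cloned onto another
    # wired MAB port. With no DHCP data from the attacker and the profile
    # unchanged, none of the three criteria fires, so nothing is reported.
    det = AnomalyDetector()
    ipphone = "AA:BB:CC:00:00:02"
    det.observe(Session(ipphone, "Ethernet", "Cisco Systems, Inc. IP Phone", "Cisco-IP-Phone"))
    results["case2_clone"] = det.observe(Session(ipphone, "Ethernet", None, "Cisco-IP-Phone"))

    # Case 2 variant: the same wired-to-wired clone, but the workstation's
    # DHCP request reaches the DHCP probe, so the class identifier differs.
    results["case2_dhcp_seen"] = det.observe(
        Session(ipphone, "Ethernet", "MSFT 5.0", "Cisco-IP-Phone")
    )
    return results


if __name__ == "__main__":
    for name, reasons in run_cases().items():
        print(f"{name}: {reasons or 'no anomaly'}")
```

The variant at the end is the before/after check the reply recommends: whether the DHCP criterion can fire at all depends on the attacker's DHCP traffic actually reaching the DHCP probe, which a wired-to-wired clone of a MAB endpoint does not guarantee.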