1201 Views, 0 Helpful, 2 Replies

ISE-Anomalous client detection behaviour

Ayman El-BACHA
Level 1

Our testing use cases included

1. client on wireless .1x(Android phone), Malicious user on wired MAB(windows 10 workstation)

2. client on wired MAB(cisco IP-phone), Malicious user on wired MAB(windows 10 workstation)

The case number 1 has succeeded, but for case 2, these are the following problems:

1-Anomalous behaviour is showing nothing.

2-Debug the endpoint is showing nothing.

3-The workstation (attacker) has been placed in the correct authentication and authorization policies (voice VLAN) but can't ping my gateway.

Regarding case 1, is it true that the real endpoint should be shown in the Anomalous client detection behaviour page, or the attacker endpoint?

Any documents or suggestions?

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10

Please review Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco

It is important to understand if one of the matching criteria for Anomaly has been met. For example, changing from wireless to wired (or vice versa) is straightforward as this is captured as part of the RADIUS probe (enabled by default). To determine if there was a profile change or change in DHCP data requires that you validate the before and after profile assignment of the spoofed MAC, and/or the before and after profile details of the spoofed MAC. Since there is no change to the malicious user's data, only to the "real" MAC being spoofed, it is the latter which is flagged as Anomalous. It is the anomaly in attributes associated with the original MAC address.

Craig


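The accepted answer explains why the spoofed MAC, not the attacker's own MAC, is what gets flagged: detection works by comparing the attributes seen for one MAC address before and after, and only the original MAC's attributes change. The following is an added example illustrating that logic, not code from the thread and not ISE's own implementation. It models a simplified detector that keeps a per-MAC baseline of three attributes (access medium from RADIUS, DHCP class identifier from the DHCP probe, and the assigned endpoint profile) and replays the two test cases from the question. The attribute names, MAC addresses, DHCP strings and profile names are all constructed for this example; in particular, the endpoint profile is passed in as an observation attribute purely to keep the model small.

```python
"""Simplified model of attribute-change (anomalous endpoint) detection.

Constructed example. A baseline of attributes is stored per MAC address and
each new observation is diffed against it. Because the attacker's own MAC
never changes, any anomaly is attributed to the spoofed (original) MAC.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Attributes whose change counts as an anomaly (assumed names for this model)
WATCHED = ("nas_port_type", "dhcp_class_id", "endpoint_policy")


@dataclass(frozen=True)
class Observation:
    mac: str
    source: str                            # probe that produced it: "radius" or "dhcp"
    nas_port_type: Optional[str] = None    # e.g. "Wireless-IEEE-802.11" or "Ethernet"
    dhcp_class_id: Optional[str] = None    # DHCP option 60, only seen by the DHCP probe
    endpoint_policy: Optional[str] = None  # profile assigned to the endpoint (simplified)


@dataclass(frozen=True)
class Anomaly:
    mac: str
    attribute: str
    before: str
    after: str


class AnomalyDetector:
    def __init__(self) -> None:
        self.baseline: Dict[str, Dict[str, str]] = {}
        self.anomalies: List[Anomaly] = []

    def observe(self, obs: Observation) -> List[Anomaly]:
        """Compare an observation with the stored baseline for its MAC."""
        known = self.baseline.setdefault(obs.mac, {})
        found: List[Anomaly] = []
        for attr in WATCHED:
            new = getattr(obs, attr)
            if new is None:                # this probe carried no such attribute
                continue
            old = known.get(attr)
            if old is not None and old != new:
                anomaly = Anomaly(obs.mac, attr, old, new)
                found.append(anomaly)
                self.anomalies.append(anomaly)
            known[attr] = new
        return found


def case1_wireless_phone_spoofed_on_wired() -> List[Anomaly]:
    """Real Android phone on wireless 802.1X; wired MAB workstation spoofs its MAC."""
    det = AnomalyDetector()
    phone = "aa:bb:cc:00:00:01"            # constructed MAC of the real endpoint
    det.observe(Observation(phone, "radius", nas_port_type="Wireless-IEEE-802.11",
                            endpoint_policy="Android"))
    det.observe(Observation(phone, "dhcp", dhcp_class_id="android-dhcp-11"))
    # The spoofing workstation authenticates by MAB on a wired port with the same MAC:
    # the RADIUS probe alone is enough to see the medium change for this MAC.
    det.observe(Observation(phone, "radius", nas_port_type="Ethernet"))
    return det.anomalies


def case2_ip_phone_spoofed_on_wired(attacker_dhcp_seen: bool) -> List[Anomaly]:
    """Real IP phone on wired MAB; wired MAB workstation spoofs its MAC.

    Both are wired, so RADIUS data is identical before and after. The only
    attribute that can differ is DHCP data, and only if the DHCP probe actually
    sees the spoofing host's DHCP traffic.
    """
    det = AnomalyDetector()
    ip_phone = "aa:bb:cc:00:00:02"         # constructed MAC of the real endpoint
    det.observe(Observation(ip_phone, "radius", nas_port_type="Ethernet",
                            endpoint_policy="Cisco-IP-Phone"))
    det.observe(Observation(ip_phone, "dhcp", dhcp_class_id="Cisco Systems, Inc. IP Phone"))
    det.observe(Observation(ip_phone, "radius", nas_port_type="Ethernet"))  # same medium
    if attacker_dhcp_seen:
        det.observe(Observation(ip_phone, "dhcp", dhcp_class_id="MSFT 5.0"))
    return det.anomalies


if __name__ == "__main__":
    print("case 1:", case1_wireless_phone_spoofed_on_wired())
    print("case 2, no DHCP data from attacker:", case2_ip_phone_spoofed_on_wired(False))
    print("case 2, DHCP data from attacker:  ", case2_ip_phone_spoofed_on_wired(True))
```

Run as written, case 1 produces one anomaly on the phone's MAC (medium changed from wireless to Ethernet), which matches the thread: the anomaly is listed against the real endpoint's MAC. Case 2 with both hosts wired produces nothing unless a differing DHCP class identifier is observed for the spoofed MAC, so when troubleshooting that case the first thing to confirm is whether the DHCP probe actually received DHCP data from the spoofing host and whether the before/after profile details differ at all.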