Solved: Anomalous Behavior Exclusions

Daniel Lucas · ‎05-10-2019

I am running into a situation where I have some WDS PXE endpoints in my environment that are triggering the anomalous behavior flag. Reviewing the logs in ISE shows that the DHCP class-id changes from MSFT 5.0 to PXEClient; I am assuming when they reboot. Is there a way to exclude endpoints from being flagged as anomalous behavior? I am running ISE 2.6, and don't see much in terms of configuration except for a check box to enable; documentation doesn't show any additional options either.

-Thanks

yalbikaw · ‎05-10-2019

actually its hard to find a work around on this since,

the anomalous detection uses only 3 things

nas-port-type, class ID for dhcp and endpoint policy change.

these parameters are not configurable, maybe we can address this for enhancement to give the admin more control on the conditions for anomalous detection.

View solution in original post

yalbikaw · ‎05-10-2019

actually its hard to find a work around on this since,

the anomalous detection uses only 3 things

nas-port-type, class ID for dhcp and endpoint policy change.

these parameters are not configurable, maybe we can address this for enhancement to give the admin more control on the conditions for anomalous detection.