Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
737
Views
1
Helpful
3
Replies

Anomalous Behaviour Criteria

Go to solution
nmaio
Level 1
Level 1

‎04-19-2018 06:43 AM

I have a few deployments where I am using EAP-FAST with chaining via the NAM module and noticing users that are moving from wireless to wired or visa versa are triggering Anomalous Behavior.  I believe this is due to the NAS port type change but I am trying to understand why that would be a criteria since the endpoint MAC would be different between those connections.  Any help would be appreciated.

1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to nmaio

‎04-24-2018 08:32 PM

You are correct that wired and wireless endpoints having different MAC addresses.

I would suggest to engage TAC to debug this or at least you would need to turn DEBUG on profiling and check the log files whenever it happens. It's odd that any normal endpoints would switch profiling policies between printer/phone and workstation.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Nidhi
Cisco Employee
Cisco Employee

‎04-19-2018 09:00 AM

Anomalous detection if enabled, is detected in case of 3 event-

ISE monitors any new information received for existing endpoints and checks if these attributes have changed:

  1. NAS-Port-Type - Determines if the access method of this endpoint has changed. For example, if the same MAC address that connected via Wired Dot1x is used for Wireless Dot1x and visa-versa.

  2. DHCP Class ID - Determines whether the type of client/vendor of endpoint has changed. This only applies when DHCP class ID attribute is populated with a certain value and is then changed to another value. If an endpoint is configured with a static IP, the DHCP class ID attribute will not be populated on ISE. Later on, if another device spoofs the MAC address and uses DHCP, the Class ID will change from an empty value to a specific string. This will not trigger Anomouls Behaviour detection.

  3. Endpoint Policy - A change in endpoint profile from Printer or IP phone to Workstation.

So looks like you are hitting the 1st case

0 Helpful

Go to solution
nmaio
Level 1
Level 1
In response to Nidhi

‎04-19-2018 10:46 AM

Nidhi,

Actually it appears to be the 3rd case but it seems drastic to say that a change from "Microsoft-Workstation" to the more accurate " Windows10-Workstation" would be a trigger.

pCapture.PNG

Has anyone else seen similar behavior?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to nmaio

‎04-24-2018 08:32 PM

You are correct that wired and wireless endpoints having different MAC addresses.

I would suggest to engage TAC to debug this or at least you would need to turn DEBUG on profiling and check the log files whenever it happens. It's odd that any normal endpoints would switch profiling policies between printer/phone and workstation.

0 Helpful
Customers Also Viewed These Support Documents