Hello,
I am trying to work in my lab with the anomalies detection capability.
I have followed the guide from TAC on it (Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco) but it does not seem to be working as it should.
I have enabled only visibility and not enforcement.
- I have 2 clients, one Windows and one Linux. They both are profiled fine. Then I turn off the Windows machine, and make sure the session is ended. I spoof on the Linux machine the MAC of the Windows and I connected it to the network again.
- I see the profile changing from Windows ti Linux, but no anomalous behavior is set.
- I look at the debug, but I have no entry for anomalous behavior as per the guide.
The only entry I have on the ISE GUI (and on the log file), is the following
| 4= DEVICE.Device Type, 5=Dot1x, 72=All_User_ID_Stores, 73=Internal Users, 76=All_AD_Join_Points, 77=All_AD_Join_Points, 78=TRUSTSEC\\employee1, 79=trustsec.local, 80=trustsec.local, 82=employee1@trustsec.local, 83=All_AD_Join_Points, 100=ad, 101=CLIENT-WIN7-HQ$@trustsec.local, 102=trustsec.local, 103=trustsec.local, 104=trustsec.local, 106=ad, 110= Session.EPSStatus, 111= EndPoints.AnomalousBehaviour, 112= EndPoints.EndPointPolicy, 113= CERTIFICATE.Subject - Common Name, 114=ad, 115=trustsec.local, 116=ad, 117=trustsec.local, 118=ad, 119=ad, 120= ad.ExternalGroups, 121= PassiveID.PassiveID_Groups, 122= Radius.Calling-Station-ID, 123= Normalised Radius.RadiusFlowType, 124=Employees |
What should I do to have it working? Am I doing anything wrong?
Thanks
