I just did a test in lab. As shown above, I connect a meraki AP to switch_A and got in via MAB. I connect my laptop to switch_B and got in via dot1x. So far so good.

I then change my laptop MAC to that of meraki AP and login via dot1x on switch_B again. As shown above, ISE did not flag laptop as bad client. It change my laptop profile to meraki profile and allow both my laptop and meraki to continue working on network.

Is this the correct behavior?

But if I use my iphone and connect via wireless dot1x, then change my laptop MAC to my iphone MAC and come in via wired MAB, ISE does flag my laptop as bad client and CoA my laptop.

So the conclusion seem to be that if both client of same MAC come in via different switch, ISE cannot detect it as bad client and still continue to allow them on the network. Worst, it change the profile of one of them.

Appreciate for your advise.

Regards &

Have a nice day

Hi, I have ISE 2.4 Patch 5,Wireless deployment only, ISE has categorize a endpoint that endpoint profiling from Microsoft-Workstation > Window 10-Workstation, but this is not consider massive behavioral change, look like just something else wrong 

Hi Krishan,

Our testing shows that use case 2 doesn't trigger a CoA.

There was a endpoint profile change, ISE detected it and there was a corresponding MACSpoofing event in the profiling log

"2017-12-04 06:47:27,944 DEBUG  [MACSpoofingEventHandler-30-thread-1][] profiler.infrastructure.probemgr.event.MACSpoofingEventHandler -:ProfilerCollection:- Received AttrsModifiedEvent in MACSpoofingEventHandler MAC: 00:18:0A:F0:C5:30"

but that did not trigger a CoA to happen, which brings me back to my original question, do we need 1 or 2 changes to trigger a Coa for anomalous detection to happen??

tks

-Terence

I will again be clear as to what will and will not trigger anomalous behavior:

1) Change in media from WIred to Wireless (or vice-versa) as indicated by NAS-Port-Type

2) Change in DHCP-Class-Identifier from one value to and non-empty value

3) Change in endpoint profile from printer or IP phone to Workstation.

I asked the author of TZ article to update the document to be more clear.  He kindly added the notes about examples per #3 above, but there is still ambiguity regarding detection of general profile changes.

General profile changes were deliberately NOT part of ruleset as that would have generated thousands of false positives and potentially become a major self-inflicted DoS attack.  Just look at your profile change summary report and realize all of those would have been flagged anomalous and potentially locked it remediation with CoA enabled.

If you have enabled remediation option and are not seeing CoA for legitimate case per items noted above, then you will need to open TAC case to troubleshoot.

Regards,
Craig

Hi Craig and Team,

any advise for my test in lab? This can be easily reproduced. I am using IOS DHCP server on switch to issue DHCP IP address to client. My wireless AP is a flexconnect AP and wireless client will get IP address from switch IOS DHCP too.

I am in competition with two other vendor and they all can do it except ISE. The use case for this global banking customer is to make sure no one spoof the printer MAC or any other device that are using MAB, to gain access into network. I have tested this in their environment and it don't work, thus I re-create this in lab.

Is this normal behavior of ISE? Or it should work and I need to open a TAC case and troubleshoot?

Regards &

Have a nice day

What can be easily reproduced?

Anomaly Detection is currently based on the rules outlined above. If meeting the above criteria and detection not working, then may need to open case with TAC.  If ISE does not receive the relevant profile attributes, then no, ISE cannot detect anomaly.  Although not specifically called out, I suspect you are not getting DHCP data in ISE Profiler since you have enabled local DHCP server, in which case the SWITCH is unable to relay a copy of the packets.  This is not an ISE issue/limitation.  You could SPAN traffic, but more feasible and optimal solution is to enable the switch or wireless controller for Device Sensor.  This will send DHCP and much more via an efficient RADIUS packet.

Craig

Hi Craig,

I have open below case and re-produce the issue for TAC and TAC has capture the debug log. You can get all info in the case note, including the two switch config.

SR 683579173 :  ISE Anomalous client detection behaviour

I need to solve it and proof to customer that it does work by Dec 22. Else we will lost the regional ISE project to the other two competitor. Whatever help you or team can give me to solve this issue is much appreciated.

Regards &

Have a nice day

As I have tried to explain, what you are seeing is expected behavior if relying on IP Helper.  If the issue is that you are using Device Sensor AND DHCP does in fact show change in Class-Identifier value from one explicit (non-empty) value to another non-empty value, then this could be a known defect as another account reported similar issue in past couple months. 

If this is specifically an issue with anomaly detection with Device Sensor, have TAC engineer search for potential defect.  TAC engineer can also send me a note if looking for details of other case.

Craig

Thanks Craig,

I have put device sensor yesterday into my two switches and tested this morning. Yup, it works...:-)

But the next challenge I have is this customer has different brand of switches. They have Cisco switches, Avaya switches, HuaWei switches as well as Juniper switches. Those 3rd party switches might not have device sensor. Any suggestion to make anomalous client detection work across Cisco and 3rd party switches? SPAN the network?

Regards &

Have a nice day

Yes, there is a benefit over 3rd-party with Cisco switches!

SPAN is option, but not likely feasible to address this use case. Other options is to centralize DHCP.

If choose to provide local DHCP service with 3rd-party, then customer may not be able to detect anomalous behavior based on DHCP data.  Other mechanisms will continue to work such as change in media type for same MAC, or change in profile from phone/printer to workstation.