anomalous client detection - how to remove client

greg2.0
Cisco Employee

Clients are getting caught by the anomalous client detection function in ISE.  The list of clients can be displayed via the misconfigured supplicants report.  Is there a way to remove a device from this list to allow it to attempt to reconnect before the timer expires?

Thanks

Greg

9 Replies

Jason Kunst
Cisco Employee

What version of ISE?

1.4 patch 3

Please check out aawoland's blog, which discusses this and shows the mechanisms to disable it; there is a screenshot for ISE 2.0.

http://www.networkworld.com/article/3053669/security/troubleshooting-ciscos-ise-without-tac.html

Thanks Jason.

To clarify, will disabling log suppression for the single client also remove the client from the anomalous blacklist? Right now the system is configured to reject requests for 60 minutes.

It will remove it for 1 hour; if it's acting correctly, then it won't be put back into the bad list.

Further clarification

Key difference is whether client hits Access-Reject or not.

If the client is simply flagged anomalous, then the PSN suppresses the sending of logs to MnT, but the auth is fully processed, as Hsing noted. I think it is possible to bypass suppression if the client is simply flagged anomalous. However, if the client is marked for Access-Reject, the PSN no longer processes the requests for the rejection interval, which can be set as low as 5 min. If you bypass suppression at this point, I don't think the client will be removed from the Access-Reject response.

If you are using the default setting for [Request Rejection Interval], which is 60 minutes, then the endpoint will be jailed for an hour.

To allow the endpoint to be fully re-evaluated for authentication, the options are:

  1. Create a collection filter to bypass the suppression on the endpoint MAC address.
  2. Lower the request rejection interval for anomalous client detection.
  3. Disable the option to suppress anomalous clients. <-- OK for lab testing but not recommended for production.

One additional question:

Based on my testing and the following note from Aaron Rowand (Cisco Expert), when the authentication fails TWICE, no matter the DETECTION INTERVAL you have configured, the MAC address is added to the suppression list, so any AUTHC request is rejected.

Detection Interval will flag misbehaving supplicants when they fail authentication more than once per interval.

BTW, it looks like this behavior only applies to MAB AUTHC, because I tried on PEAP using valid AD credentials and nothing happened with the MAC of the device failing the authentication (I only locked the AD account after multiple wrong passwords). More testing in progress.

thanks

hslai
Cisco Employee

1 minute is the minimum value for the detection interval. Thus, an endpoint will get flagged as misbehaving in case of 2+ consecutive failures within a minute. If it fails only once every few minutes while the detection interval is set to 1 minute, then all the auth failures will be shown in M&T.
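To make the timing rules in this thread concrete (the "Further clarification" post on flagging vs. Access-Reject jailing, and hslai's note that the 1-minute minimum detection interval only catches 2+ failures inside one interval), here is a small Python model that replays constructed RADIUS events through the described state machine. This is an added example written for this page, not ISE code or output: the intervals and minimums come from the replies above, the class and function names are invented, and anything the thread leaves open (what a success does to the history, whether a collection filter lifts a jail) is marked as assumed in the comments.

```python
"""Toy model of the anomalous-client detection behaviour described in this thread.

Constructed example, not ISE code. The state machine is inferred from the replies
above; where the thread is silent or uncertain the choice is marked 'assumed'.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

DETECTION_INTERVAL_MIN_S = 60        # thread: 1 minute is the minimum detection interval
REJECTION_INTERVAL_MIN_S = 5 * 60    # thread: rejection interval can be set as low as 5 min
REJECTION_INTERVAL_DEFAULT_S = 3600  # thread: default Request Rejection Interval is 60 min


@dataclass
class Policy:
    detection_interval_s: int = DETECTION_INTERVAL_MIN_S
    reject_requests: bool = True                      # anomalous clients get Access-Reject
    rejection_interval_s: int = REJECTION_INTERVAL_DEFAULT_S
    bypass_filter_macs: FrozenSet[str] = frozenset()  # collection filter: never suppress these MACs

    def __post_init__(self) -> None:
        if self.detection_interval_s < DETECTION_INTERVAL_MIN_S:
            raise ValueError("detection interval cannot be below 1 minute")
        if self.rejection_interval_s < REJECTION_INTERVAL_MIN_S:
            raise ValueError("request rejection interval cannot be below 5 minutes")


@dataclass
class EndpointState:
    last_failure_ts: Optional[float] = None  # most recent failure the PSN processed
    flagged: bool = False                    # marked anomalous (misconfigured supplicant)
    rejected_until: Optional[float] = None   # end of the Access-Reject jail, if reject is on


@dataclass
class Psn:
    policy: Policy
    endpoints: Dict[str, EndpointState] = field(default_factory=dict)

    def handle(self, ts: float, mac: str, would_pass: bool) -> Tuple[str, bool]:
        """Process one RADIUS request; return (outcome, logged_to_mnt).

        outcome: 'accept' | 'reject' | 'reject-suppressed' | 'reject-jailed'
        """
        p = self.policy
        st = self.endpoints.setdefault(mac, EndpointState())

        if st.rejected_until is not None:
            if ts < st.rejected_until:
                # Jailed: the PSN does not process the request for the rejection interval.
                # Assumed (Craig's reading): a collection filter does not lift the jail.
                return "reject-jailed", False
            # Jail expired: the endpoint is fully re-evaluated from a clean slate.
            st = self.endpoints[mac] = EndpointState()

        if would_pass:
            # Assumed: a success clears the history, so a client that now behaves
            # is not put back on the list ("if it's acting correctly" above).
            self.endpoints[mac] = EndpointState()
            return "accept", True

        # Failure path: more than one failure inside one detection interval flags the client.
        repeat = (st.last_failure_ts is not None
                  and ts - st.last_failure_ts < p.detection_interval_s)
        st.last_failure_ts = ts

        if repeat and not st.flagged:
            st.flagged = True
            if p.reject_requests:
                st.rejected_until = ts + p.rejection_interval_s
            # Assumed: the failure that trips the detector is itself processed and logged.
            return "reject", True

        if not st.flagged:
            return "reject", True  # isolated failure: processed and visible in MnT

        # Flagged without reject: auth still fully processed, but the failure log to MnT
        # is suppressed unless a collection filter bypasses suppression for this MAC.
        return "reject-suppressed", mac in p.bypass_filter_macs


def run(policy: Policy, events: List[Tuple[float, str, bool]]) -> List[Tuple[str, bool]]:
    """Replay constructed (timestamp_s, mac, supplicant_would_pass) events through one PSN."""
    psn = Psn(policy)
    return [psn.handle(ts, mac, ok) for ts, mac, ok in events]


MAC = "00:11:22:33:44:55"  # constructed endpoint

# Default policy: two failures 30 s apart trip the detector, then an hour of Access-Reject.
JAILED = run(Policy(), [(0, MAC, False), (30, MAC, False), (90, MAC, True),
                        (3600, MAC, True), (3700, MAC, True)])

# hslai's point: one failure every two minutes never flags, so every failure shows in MnT.
SPACED = run(Policy(), [(0, MAC, False), (120, MAC, False), (240, MAC, False)])

# Reject disabled: the flagged client is still authenticated, only its failure logs are
# suppressed; a collection filter on the MAC lets them through again.
SUPPRESSED = run(Policy(reject_requests=False),
                 [(0, MAC, False), (20, MAC, False), (40, MAC, False)])
BYPASSED = run(Policy(reject_requests=False, bypass_filter_macs=frozenset({MAC})),
               [(0, MAC, False), (20, MAC, False), (40, MAC, False)])

if __name__ == "__main__":
    for name, res in [("jailed", JAILED), ("spaced", SPACED),
                      ("suppressed", SUPPRESSED), ("bypassed", BYPASSED)]:
        print(name, res)
```

The three scenarios mirror the options listed above: lowering the rejection interval only shortens the jail, a collection filter only restores visibility of a flagged client's failures, and disabling reject is what keeps the client being authenticated at all. Timings are in seconds so the 1-minute and 5-minute floors from the thread are enforced in Policy.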