
Cisco ISE Profiling

munish.dhiman1
Level 1

Hi,

I am trying to understand how ISE actively does the following.

Ability to Detect Anomalous Behavior of Endpoints
Cisco ISE protects your network from the illegitimate use of a MAC address by detecting the endpoints involved in MAC address spoofing and allows you to restrict the permission of the suspicious endpoints. The following options are available in the profiler configuration page:

Enable Anomalous Behavior Detection—Cisco ISE probes for data and checks for any contradictions to the existing data. If any contradictions are found, the AnomalousBehavior attribute is set to true and the corresponding endpoints are displayed in the Context Visibility page.
Enable Anomalous Behavior Enforcement—A CoA is issued if anomalous behavior is detected. The suspicious endpoints are reauthorized based on the authorization rules configured in the Profiler Configuration page.

 


Is AnyConnect required for active anomaly detection? Because once a device is profiled and categorized, ISE will not re-categorize that device again until it is removed from the database.

Or 

ISE will always profile the device whenever it receives an authentication request from the device.

 

Regards,

MD

1 Reply

Mike.Cifelli
VIP Alumni
So you should not need AnyConnect, as it is not required for anomalous detection. One thing I would be cautious of is that if you enable anomalous detection, it is an all-or-nothing thing, meaning you cannot tweak what it will use. I have asked if it has been roadmapped, but have yet to hear. By default it will use the following to determine changes: Endpoint Policy, DHCP Class ID, NAS-Port-Type.
Also, ISE will re-categorize devices if you deploy profiles with higher MCFs and devices hit and match on those instead of a Cisco out of the box defined profile.
Check this out: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html
HTH!
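
A simplified model of the check discussed in this thread, added here as an illustration; it is not part of the original posts and is not Cisco ISE code. It compares fresh probe data against the stored values of the three attributes named in the reply, sets AnomalousBehavior on a contradiction, and returns a CoA action only when enforcement is on. The `EndpointStore` class, the choice to keep the stored value after a contradiction, and all sample values are assumptions made for the example.

```python
# Simplified model of the check described in this thread; not Cisco ISE code.
# Attribute labels are the three named in the reply above.
WATCHED = ("Endpoint Policy", "DHCP Class ID", "NAS-Port-Type")


class EndpointStore:
    """Hypothetical stand-in for the profiler's endpoint database, keyed by MAC."""

    def __init__(self, enforcement=False):
        self.enforcement = enforcement   # models "Enable Anomalous Behavior Enforcement"
        self.endpoints = {}

    def observe(self, mac, attrs):
        """Process one set of probe data; return (changed attributes, action)."""
        rec = self.endpoints.setdefault(mac.lower(), {"AnomalousBehavior": False})
        changed = []
        for name in WATCHED:
            new = attrs.get(name)
            if new is None:
                continue                 # probe did not report this attribute
            old = rec.get(name)
            if old is None:
                rec[name] = new          # first sighting: learn it, nothing to contradict
            elif old != new:
                changed.append(name)     # contradiction; stored value kept (assumption)
        if changed:
            rec["AnomalousBehavior"] = True
        action = "CoA" if changed and self.enforcement else None
        return changed, action


def run_constructed_sample():
    """Constructed events: a printer's MAC later appears on a wireless workstation."""
    store = EndpointStore(enforcement=True)
    mac = "00:11:22:AA:BB:CC"            # constructed sample value
    events = [
        {"Endpoint Policy": "Printer", "NAS-Port-Type": "Ethernet"},
        {"DHCP Class ID": "printer-fw"},                      # new attribute, no conflict
        {"Endpoint Policy": "Printer", "NAS-Port-Type": "Ethernet"},  # same data again
        {"Endpoint Policy": "Workstation", "DHCP Class ID": "MSFT 5.0",
         "NAS-Port-Type": "Wireless - IEEE 802.11"},
    ]
    results = [store.observe(mac, e) for e in events]
    return results, store.endpoints[mac.lower()]["AnomalousBehavior"]


if __name__ == "__main__":
    for changed, action in run_constructed_sample()[0]:
        print(changed or "no contradiction", "->", action or "no action")
```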