cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
496
Views
5
Helpful
4
Replies

Clear Anomalous Behaviour

BrianPersaud
Beginner
Beginner

Hi All

 

I'm running ISE 2.4 Patch 10.  Besides deleting the mac address, is there another way to clear Anomalous Behaviour for the device?

 

Thanks

 

Brian Persaud

1 Accepted Solution

Accepted Solutions

Colby LeMaire
Collaborator
Collaborator

There is no way that I am aware of other than deleting the endpoint.  From context visibility, you can export all endpoints to a CSV file.  Massage the CSV file back into the import format.  Delete the anomalous endpoints from ISE.  Import the CSV file to get the endpoints back.  You will lose profiling data but at least you can ensure that you don't lose any static assignments.  It would be nice if they put an option in to reset the Anomalous Behavior attribute.

View solution in original post

4 Replies 4

Colby LeMaire
Collaborator
Collaborator

There is no way that I am aware of other than deleting the endpoint.  From context visibility, you can export all endpoints to a CSV file.  Massage the CSV file back into the import format.  Delete the anomalous endpoints from ISE.  Import the CSV file to get the endpoints back.  You will lose profiling data but at least you can ensure that you don't lose any static assignments.  It would be nice if they put an option in to reset the Anomalous Behavior attribute.

Hi Colby thanks for the info and for the tip as well. Just out of curiosity, how often do you use anomalous behaviour for deployments. For sure I know there is major security benefits with it but it is worth it operationally?

Thanks

I think it can be an indicator that something may not be right and worth digging into a particular endpoint to make sure it is a real issue or not.  But I wouldn't trust it since it only fires in specific situations such as moving from phone to PC or vice versa.  And it has a bug where it marks something anomalous when the DHCP Class Identifier changes.  But it is normal for a Windows PC to present multiple DHCP Class Identifiers depending on what applications are installed.  For example, the PC will send the normal MSFT-5.0 Class Identifier for the OS but then if Skype is installed, it will send another DHCP Class Identifier for Skype that looks like "MSFT-UC-Client".  Some applications use the DHCP Class Identifier to locate resources like SIP servers, proxy configuration files, etc.

So if your environment only shows one or two anomalous endpoints here and there, then certainly dive in and investigate those machines.  But don't automatically assume it is bad behavior.  If you are seeing hundreds or thousands of anomalous machines, then it is likely because of a particular application.

Thanks I will definitely dig in some more to get to the bottom of it.  I will start with the DHCP identifier since they are indeed doing Skype for business

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers