10-07-2019 08:40 AM
Hi All
I'm running ISE 2.4 Patch 10. Besides deleting the MAC address, is there another way to clear Anomalous Behaviour for the device?
Thanks
Brian Persaud
10-07-2019 01:07 PM
There is no way that I am aware of other than deleting the endpoint. From context visibility, you can export all endpoints to a CSV file. Massage the CSV file back into the import format. Delete the anomalous endpoints from ISE. Import the CSV file to get the endpoints back. You will lose profiling data but at least you can ensure that you don't lose any static assignments. It would be nice if they put an option in to reset the Anomalous Behavior attribute.
10-08-2019 05:10 AM
10-08-2019 05:56 AM
I think it can be an indicator that something may not be right and worth digging into a particular endpoint to make sure it is a real issue or not. But I wouldn't trust it since it only fires in specific situations such as moving from phone to PC or vice versa. And it has a bug where it marks something anomalous when the DHCP Class Identifier changes. But it is normal for a Windows PC to present multiple DHCP Class Identifiers depending on what applications are installed. For example, the PC will send the normal MSFT-5.0 Class Identifier for the OS but then if Skype is installed, it will send another DHCP Class Identifier for Skype that looks like "MSFT-UC-Client". Some applications use the DHCP Class Identifier to locate resources like SIP servers, proxy configuration files, etc.
So if your environment only shows one or two anomalous endpoints here and there, then certainly dive in and investigate those machines. But don't automatically assume it is bad behavior. If you are seeing hundreds or thousands of anomalous machines, then it is likely because of a particular application.
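The triage described in the reply above, as an added example that is not part of the original post and is not ISE's own logic: it separates endpoints whose DHCP Class Identifier changes are explained by an application identifier from those whose OS-level identifier actually changed. The function names, the input tuple format, and the sample data are assumptions; the two Microsoft identifiers are the values quoted in the post.

```python
from collections import Counter, defaultdict

# Assumption: identifiers sent by applications rather than the OS. The value
# is the one quoted in the post; extend it from your own DHCP captures.
APP_CLASS_IDS = {"MSFT-UC-Client"}

# Constructed sample data: (endpoint MAC, DHCP class identifier), arrival order.
OBSERVATIONS = [
    ("00:11:22:33:44:01", "MSFT-5.0"),
    ("00:11:22:33:44:01", "MSFT-UC-Client"),
    ("00:11:22:33:44:01", "MSFT-5.0"),
    ("00:11:22:33:44:02", "MSFT-5.0"),
    ("00:11:22:33:44:03", "Constructed-IP-Phone"),  # made-up identifier
    ("00:11:22:33:44:03", "MSFT-5.0"),
    ("00:11:22:33:44:04", "MSFT-UC-Client"),
]


def triage(observations, app_ids=APP_CLASS_IDS):
    """Return {mac: verdict} from the class identifiers seen per endpoint."""
    seen = defaultdict(list)
    for mac, class_id in observations:
        if class_id not in seen[mac]:
            seen[mac].append(class_id)  # keep distinct values, first-seen order
    verdicts = {}
    for mac, ids in seen.items():
        base = [i for i in ids if i not in app_ids]
        if len(base) > 1:
            verdicts[mac] = "investigate"    # OS-level identifier changed
        elif len(ids) > 1:
            verdicts[mac] = "app-explained"  # only an application id was added
        else:
            verdicts[mac] = "stable"         # a single identifier was seen
    return verdicts


def summary(verdicts):
    """Count endpoints per verdict to show whether one application dominates."""
    return Counter(verdicts.values())


if __name__ == "__main__":
    result = triage(OBSERVATIONS)
    for mac, verdict in sorted(result.items()):
        print(mac, verdict)
    print(dict(summary(result)))
```

A large "app-explained" count relative to "investigate" matches the case described above where many flagged machines trace back to one application.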
10-08-2019 01:16 PM
Thanks, I will definitely dig in some more to get to the bottom of it. I will start with the DHCP identifier since they are indeed doing Skype for Business.