Enable anomalous behavior enforcement on ISE 3.1

Da ICS16
Level 1

Dear Community,

We use ISE 3.1 P6.

We notice that the number of anomalous behavior endpoints increases day by day.

There are some endpoints that have not connected for a long time, some PCs that hit the Default policy, and some PCs that are in "connecting" status, including MAB profiling.

Is there any impact on ISE performance, on the current PCs and on all MAB profiling if we enable the Enforcement feature?

Kindly share good practice and recommendations to enhance visibility and management from ISE.

Thanks, 


Arne Bier
VIP

I would not enable Anomaly Enforcement until I knew exactly that these are not false positives. I have never used this feature and, quite frankly, I don't see it being very useful, since ISE doesn't give us any nerd knobs to tune the logic of what is considered to be "anomalous". It's not flexible. When I see counters increasing, I always try to find the reason WHY. And so far I have never had that "aha" moment where I realise there is a problem in the network. In my experience so far, ISE doesn't tell you anything useful - it will say that a profile changed from Windows 10 to Windows 10. Yeah right - thanks.

The only time I have seen anomaly detection catch a real anomaly was with one brand of desk phone that, for some stupid reason, executed DHCP twice during boot-up. First time around, it boots up as a Linux OS, and then once it's semi-booted, another IP stack initialises and presents itself as MSFT (Microsoft) - but this is expected and normal for this vendor's product.

Have you looked into any of your own anomalies so far, and if so, what have you found?
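To make concrete what the reply above describes (an endpoint flagged because one of its observed attributes changed between two sightings, and a desk phone that legitimately presents two different DHCP class identifiers while booting), here is an added toy model in Python. It is not ISE code and not part of the thread: the record layout, MAC addresses, OUIs, DHCP class identifiers and profile names are all constructed for illustration, and the per-vendor allowlist is an example of the kind of tuning knob the reply says ISE does not expose.

```python
"""Toy model of endpoint anomaly flagging (added example, not Cisco ISE code).

Each Observation is a constructed record of what a profiler might see for one
endpoint at one moment. Real ISE raw logs use a different layout; the fields
below are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional, Set


@dataclass(frozen=True)
class Observation:
    mac: str            # endpoint MAC, colon separated
    ts: int             # constructed timestamp, larger means later
    dhcp_class_id: str  # DHCP option 60 vendor class identifier the endpoint sent
    nas_port_type: str  # RADIUS NAS-Port-Type of the session
    profile: str        # endpoint profile the profiler assigned


def oui(mac: str) -> str:
    """First three octets of the MAC, normalised to lower case."""
    return ":".join(mac.lower().split(":")[:3])


# Attributes whose change between two consecutive sightings is treated as anomalous.
WATCHED = ("dhcp_class_id", "nas_port_type", "profile")


def find_anomalies(
    observations: Iterable[Observation],
    benign_oui_classes: Optional[Mapping[str, Set[str]]] = None,
) -> Dict[str, List[str]]:
    """Return {mac: [reason, ...]} for endpoints whose watched attributes changed.

    benign_oui_classes maps an OUI to the set of DHCP class identifiers a device
    from that vendor is known to alternate between legitimately (the tuning knob
    the thread says ISE lacks). A class-id flip wholly inside that set is ignored.
    """
    benign = benign_oui_classes or {}
    by_mac: Dict[str, List[Observation]] = defaultdict(list)
    for obs in observations:
        by_mac[obs.mac.lower()].append(obs)

    anomalies: Dict[str, List[str]] = {}
    for mac, sightings in by_mac.items():
        sightings.sort(key=lambda o: o.ts)
        reasons: List[str] = []
        for prev, cur in zip(sightings, sightings[1:]):
            for attr in WATCHED:
                old, new = getattr(prev, attr), getattr(cur, attr)
                if old == new:
                    continue
                if attr == "dhcp_class_id" and {old, new} <= benign.get(oui(mac), set()):
                    continue  # known dual-stack boot behaviour for this vendor
                reasons.append(f"{attr} changed {old!r} -> {new!r} at ts={cur.ts}")
        if reasons:
            anomalies[mac] = reasons
    return anomalies


# Constructed sample sightings; MACs, OUIs, class identifiers and profile names are made up.
OBSERVATIONS = [
    # Desk phone that runs DHCP twice while booting: first as Linux, then as "MSFT".
    Observation("00:11:22:aa:bb:01", 100, "Linux", "Ethernet", "IP-Phone"),
    Observation("00:11:22:aa:bb:01", 130, "MSFT 5.0", "Ethernet", "IP-Phone"),
    # Ordinary workstation that behaves consistently.
    Observation("00:aa:bb:cc:dd:02", 100, "MSFT 5.0", "Ethernet", "Windows10-Workstation"),
    Observation("00:aa:bb:cc:dd:02", 200, "MSFT 5.0", "Ethernet", "Windows10-Workstation"),
    # MAC first seen as a wired printer, later as a wireless Windows host: the
    # kind of change a spoofed printer MAC would produce.
    Observation("00:aa:bb:cc:dd:03", 100, "HP-Printer", "Ethernet", "Printer"),
    Observation("00:aa:bb:cc:dd:03", 300, "MSFT 5.0", "Wireless-IEEE-802.11", "Windows10-Workstation"),
]

# Hypothetical tuning: this phone vendor's OUI legitimately alternates between
# these two class identifiers during boot, so that flip alone is not anomalous.
BENIGN_DHCP_CLASS_FLIPS = {"00:11:22": {"Linux", "MSFT 5.0"}}

if __name__ == "__main__":
    for label, knobs in (("untuned", None), ("tuned", BENIGN_DHCP_CLASS_FLIPS)):
        print(f"== {label} ==")
        for mac, reasons in find_anomalies(OBSERVATIONS, knobs).items():
            print(mac)
            for reason in reasons:
                print("   ", reason)
```

Run untuned, the phone is flagged on its DHCP class-identifier flip alone, which is the false positive the reply describes; with the per-OUI allowlist applied it drops out, while the MAC that changed port type, class identifier and profile at once is still reported with all three reasons.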

Dear @Arne Bier ,

We tried a workaround by removing some offline endpoints, like printers, from Context Visibility.

A few days later they come back flagged as Anomalous Behavior. For that printer we created a profiling policy based on the OUI of the MAC address.

Thanks,


Arne Bier
VIP

Not sure if this is your problem, but it's not uncommon for older ISE releases to have bugs - ISE 3.1 is getting a bit "old" already. Might be worth upgrading. Have a look through the ISE Dashboard (click on the Anomalous counter) to see if you can spot the reason why the endpoint was flagged as Anomalous. It doesn't tell you there and then - you might need to dig around the Operations Reports too: Operations > Reports > Endpoints and Users > Profiled Endpoint Summary

Locate the MAC address there and click on "Raw Log"