Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2241
Views
11
Helpful
1
Replies

How to tell what triggered Anomalous Behaviour / Anomaly Detection ?

Arne Bier
VIP
VIP

‎09-02-2021 08:26 PM

Hello 

 

ISE 3.0 patch 3 - enabled Anomaly detection and I am seeing a growing list of Windows 10 workstations in the Anomalous Endpoints. These endpoints have never authenticated via ISE and the endpoints have been learned via DHCP profiling. This is from Cisco switches

 

I deleted a whole bunch of endpoints today and the list is growing again - is there a way to easily see WHY ISE considers this endpoint anomalous?  I think there is a log somewhere, but that seems like a brutal approach.  

 

I have not enable enforcement.

 

anomaly.png

 

1 person had this problem
0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎09-02-2021 08:42 PM

update

 

DHCP Class Identifier is the cause. But I don't know why a Windows 10 machine would send out two different DHCP Discovery messages

 

anomaly2.png

 

I found this via the show logging application profiler.log

 

Anyone else find Anomaly Detection  useful?

Customers Also Viewed These Support Documents