

Devrat Kamath
Cisco Employee

ISE 2.3 Anomalous Endpoint Detection

Hi Experts,

Referring to an older discussion:

It's mentioned that detection will work based on dhcp class id change and endpoint ID group change.

There is a customer facing document mentioning 4 parameters:

Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco

The information is a little conflicting and I just wanted clarification on what conditions anomalous endpoint detection will trigger.  We know that detection based on dhcp-class-id works.  If the other parameters mentioned are incorrect or not considered for detection, I will get the external document edited to reflect the current status of the feature:

  1. NAS-Port-Type - Determines if the access method of this endpoint has changed. For example, if the same MAC address that connected via Wired Dot1x has been used for Wireless Dot1x and vice versa.
  2. DHCP Class ID - Determines whether the type of client/vendor of endpoint has changed.
  3. Operating System - Significant OS changes such as Windows to Apple iOS.
  4. Endpoint Policy - Significant profile changes. For example, a change from Phone or Printer to PC.



Accepted Solutions
Cisco Employee

(3) OS is not a direct attribute used in Anomalous Behavior Detection (ABD) Phase 1. It might be implied from 2 and 4.


Cisco Employee

(3) OS is not a direct attribute used in Anomalous Behavior Detection (ABD) Phase 1. It might be implied from 2 and 4.

Thanks Hsing, that makes sense.  I spoke to Hariprasad over Jabber and he mentioned that as of now the feature requires DHCP-Class-ID to detect the change.  In most cases where I speak to customers, we don't expect that a spoofed device will request a DHCP IP; it uses a static IP and spoofs the MAC address.  The RADIUS probe MAC OUI won't change and, because of the lack of other attributes, an OS change or re-profile doesn't trigger and the anomalous detection stays dormant.  What the mandatory conditions are for the anomalous detection to trigger is what I'm trying to figure out.
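To make the point in this reply concrete, here is an added Python model of the per-MAC attribute-change check the thread is discussing. It is not ISE code and not from any poster; it only models the three attributes the thread names as inputs to ABD Phase 1 (DHCP class identifier, endpoint profile, NAS-Port-Type) and deliberately leaves the operating system out, as Hsing states. The attribute names, MAC addresses and probe values below are constructed for the illustration. It shows why a MAC-spoofing device on a static IP stays under the radar: with no DHCP probe data and the same OUI-based profile, none of the watched attributes ever differs from the baseline.

```python
"""Toy model of "did a watched attribute change for this MAC?" logic.

Constructed illustration of the detection conditions discussed in the thread;
this is NOT Cisco ISE code and does not reproduce ISE's real implementation.
"""

# Attributes the thread says the feature compares per endpoint. The key names
# are labels chosen for this example (modelled on ISE dictionary names).
WATCHED = {
    "dhcp-class-identifier": "DHCP Class ID changed (client/vendor type)",
    "EndPointPolicy": "Endpoint profile changed (e.g. Phone/Printer -> PC)",
    "NAS-Port-Type": "Access method changed (e.g. wired -> wireless)",
}


class AnomalyDetector:
    """Keeps the last-seen value of each watched attribute per MAC and
    reports a reason string for every watched attribute that changed."""

    def __init__(self):
        self.baseline = {}  # mac -> {attribute: last value}

    def observe(self, mac, attrs):
        mac = mac.lower()
        known = self.baseline.setdefault(mac, {})
        reasons = []
        for attr, desc in WATCHED.items():
            new = attrs.get(attr)
            if new is None:
                # The probe that supplies this attribute was not seen in this
                # session (e.g. no DHCP from a static-IP host), so no change
                # can be asserted; the stored baseline is left untouched.
                continue
            old = known.get(attr)
            if old is not None and old != new:
                reasons.append(f"{desc}: {old!r} -> {new!r}")
            known[attr] = new
        return reasons


# Constructed probe data for a genuine IP phone (RADIUS + DHCP both seen).
PHONE_MAC = "00:1b:d5:aa:bb:cc"
PHONE_ATTRS = {
    "NAS-Port-Type": "Ethernet",
    "dhcp-class-identifier": "Cisco Systems, Inc. IP Phone CP-8841",
    "EndPointPolicy": "Cisco-IP-Phone",
    "operating-system": "Cisco IP Phone",
}


def baselined_detector():
    det = AnomalyDetector()
    det.observe(PHONE_MAC, PHONE_ATTRS)
    return det


def run_demo():
    """Returns the reasons reported for four scenarios against the phone baseline."""
    results = {}

    # 1. Windows laptop spoofing the phone's MAC but still using DHCP: the DHCP
    #    class ID and the resulting re-profile both differ -> two reasons.
    det = baselined_detector()
    results["dhcp_spoof"] = det.observe(PHONE_MAC, {
        "NAS-Port-Type": "Ethernet",
        "dhcp-class-identifier": "MSFT 5.0",
        "EndPointPolicy": "Windows10-Workstation",
        "operating-system": "Windows 10",
    })

    # 2. Same laptop on a static IP: only RADIUS attributes arrive, the OUI-based
    #    profile is unchanged, and there is no DHCP data -> nothing to compare.
    det = baselined_detector()
    results["static_spoof"] = det.observe(PHONE_MAC, {
        "NAS-Port-Type": "Ethernet",
        "EndPointPolicy": "Cisco-IP-Phone",
    })

    # 3. Only the OS label differs: OS is not a watched attribute -> no reason.
    det = baselined_detector()
    results["os_only"] = det.observe(PHONE_MAC, dict(PHONE_ATTRS, **{
        "operating-system": "Apple iOS",
    }))

    # 4. Same MAC now seen over wireless: access method changed -> one reason.
    det = baselined_detector()
    results["access_method"] = det.observe(PHONE_MAC, dict(PHONE_ATTRS, **{
        "NAS-Port-Type": "Wireless - IEEE 802.11",
    }))
    return results


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(f"{name}: {reasons or 'no anomaly'}")
```

Scenario 2 is the one this reply worries about: as long as the spoofing host never emits DHCP and keeps the same access method, the model has nothing that differs from the stored baseline, so the feature cannot fire on those inputs alone.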

See Re: Anomalous client detection behaviour where this topic is covered and specific conditions spelled out.  The following TZ article has since been updated as well to more clearly spell out current logic as of ISE 2.3.…


Is there an article for public viewing?
