2911 Views · 18 Helpful · 4 Replies

ISE 2.3 Anomalous Endpoint Detection

Devrat Kamath
Cisco Employee

Hi Experts,

Referring to an older discussion: https://cisco.jiveon.com/message/415834?commentID=415834#comment-415834

It's mentioned that detection will work based on dhcp class id change and endpoint ID group change.

There is a customer facing document mentioning 4 parameters:

Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 - Cisco

The information is a little conflicting and I just wanted clarification on what conditions will anomalous endpoint detection trigger? We know that detection based on dhcp-class-id works. If the other parameters mentioned are incorrect or not considered for detection, I will get the external document edited to reflect the current status of the feature:

  1. NAS-Port-Type - Determines if the access method of this endpoint has changed. For example, if the same MAC address that connected via Wired Dot1x has been used for Wireless Dot1x and vice versa.
  2. DHCP Class ID - Determines whether the type of client/vendor of endpoint has changed.
  3. Operating System - Significant OS changes such as Windows to Apple iOS.
  4. Endpoint Policy - Significant profile changes. For example, a change from Phone or Printer to PC.

Thanks!

Accepted Solution

hslai
Cisco Employee

(3) OS is not a direct attribute used in Anomalous Behavior Detection (ABD) Phase 1. It might be implied from 2 and 4.


4 Replies

Thanks Hsing, that makes sense. I spoke to Hariprasad over Jabber and he mentioned as of now the feature requires DHCP-Class-ID to detect the change. In most cases where I speak to customers, we don't expect that a spoofed device will request a DHCP IP, it uses a static IP and spoofs the MAC address. The RADIUS probe MAC OUI won't change and because of lack of other attributes, an OS change or re-profile doesn't trigger and the anomalous detection stays dormant. What are our mandatory conditions for the anomalous detection to trigger is what I'm trying to figure out.
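The detection logic as this thread describes it (a change in DHCP Class ID or in the Endpoint Policy between two sightings of the same MAC triggers; OS is not a direct trigger; a static-IP MAC spoof with no DHCP exchange and no re-profile leaves nothing to compare) modelled as an added Python example. This is illustrative code written for this page, not Cisco ISE code; NAS-Port-Type is included only as the assumed parameter from the public document, and every MAC, vendor-class string and profile name below is a constructed sample value.

```python
"""Toy model of attribute-change (anomalous behaviour) detection for endpoints.
Illustrative example, not ISE code. Models the thread's logic: a change in
DHCP Class ID or Endpoint Policy between sightings of one MAC is anomalous;
NAS-Port-Type is tracked as an ASSUMED parameter; OS is not a direct trigger."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Attributes compared between consecutive sightings of the same MAC.
# Assumption: mirrors parameters 1, 2 and 4 of the public document.
TRACKED_ATTRIBUTES = ("nas_port_type", "dhcp_class_id", "endpoint_policy")


@dataclass
class Sighting:
    mac: str
    nas_port_type: Optional[str] = None     # e.g. "Ethernet", "Wireless-802.11"
    dhcp_class_id: Optional[str] = None     # DHCP option 60 as seen by a DHCP probe
    endpoint_policy: Optional[str] = None   # profiler result, e.g. "Cisco-IP-Phone"
    operating_system: Optional[str] = None  # learned OS; deliberately not a trigger


@dataclass
class Anomaly:
    mac: str
    attribute: str
    old: str
    new: str


class AnomalyDetector:
    """Keeps the last known attributes per MAC and reports changes."""

    def __init__(self, tracked=TRACKED_ATTRIBUTES):
        self.tracked = tracked
        self.last_seen: Dict[str, Sighting] = {}

    def observe(self, s: Sighting) -> List[Anomaly]:
        anomalies: List[Anomaly] = []
        prev = self.last_seen.get(s.mac)
        if prev is not None:
            for attr in self.tracked:
                old, new = getattr(prev, attr), getattr(s, attr)
                # Only a change between two KNOWN values counts. An attribute
                # missing from either sighting (no DHCP exchange because the
                # host uses a static IP, for instance) cannot evidence a change.
                if old is not None and new is not None and old != new:
                    anomalies.append(Anomaly(s.mac, attr, old, new))
        # Merge: keep previously learned values for attributes absent this time.
        merged = Sighting(mac=s.mac)
        for attr in (*TRACKED_ATTRIBUTES, "operating_system"):
            val = getattr(s, attr)
            if val is None and prev is not None:
                val = getattr(prev, attr)
            setattr(merged, attr, val)
        self.last_seen[s.mac] = merged
        return anomalies


MAC = "00:11:22:33:44:55"                       # constructed sample MAC
PHONE_CLASS = "Sample-IP-Phone-VendorClass"     # constructed option-60 value
PC_CLASS = "Sample-Workstation-VendorClass"     # constructed option-60 value


def scenario_dhcp_class_change() -> List[Anomaly]:
    """Phone MAC reappears requesting DHCP as a PC and is re-profiled: triggers."""
    d = AnomalyDetector()
    d.observe(Sighting(MAC, "Ethernet", PHONE_CLASS, "Cisco-IP-Phone"))
    return d.observe(Sighting(MAC, "Ethernet", PC_CLASS, "Workstation"))


def scenario_static_ip_spoof() -> List[Anomaly]:
    """The case from the post above: spoofed MAC on a static IP. No DHCP
    exchange, same port type, no re-profile: nothing to compare, stays dormant."""
    d = AnomalyDetector()
    d.observe(Sighting(MAC, "Ethernet", PHONE_CLASS, "Cisco-IP-Phone"))
    return d.observe(Sighting(MAC, "Ethernet", None, "Cisco-IP-Phone",
                              operating_system="Windows"))


def scenario_os_only_change() -> List[Anomaly]:
    """OS alone changes (Windows to Apple iOS): not a direct trigger."""
    d = AnomalyDetector()
    d.observe(Sighting(MAC, "Ethernet", PC_CLASS, "Workstation", "Windows"))
    return d.observe(Sighting(MAC, "Ethernet", PC_CLASS, "Workstation", "Apple iOS"))


def scenario_access_method_change() -> List[Anomaly]:
    """Wired to wireless for the same MAC: flagged only because NAS-Port-Type
    is tracked here as an assumed parameter."""
    d = AnomalyDetector()
    d.observe(Sighting(MAC, "Ethernet", PC_CLASS, "Workstation"))
    return d.observe(Sighting(MAC, "Wireless-802.11", PC_CLASS, "Workstation"))


if __name__ == "__main__":
    for name, fn in (("dhcp class change", scenario_dhcp_class_change),
                     ("static-IP spoof", scenario_static_ip_spoof),
                     ("OS-only change", scenario_os_only_change),
                     ("access method change", scenario_access_method_change)):
        print(f"{name}: {[a.attribute for a in fn()]}")
```

The static-IP scenario is the interesting one for a defender: the detector is not wrong, it simply has no second DHCP Class ID value to compare, so the only way to cover that case is to feed it an attribute that does change when the host is swapped (a re-profile driven by another probe, or the access method if that is tracked).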

See Re: Anomalous client detection behaviour where this topic is covered and specific conditions spelled out.  The following TZ article has since been updated as well to more clearly spell out current logic as of ISE 2.3.

https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Configure-Anomalous-Endpoint-Detection-and-Enforcement-on-ISE…

Craig

Is there an article for public viewing?
