02-05-2018 07:19 AM
Hi,
Testing anomalous behaviour with ISE 2.3p1 and facing unexpected behaviour.
I have a phone and a workstation being profiled correctly.
Phone - Android, Wireless MAB
Workstation - Microsoft-Workstation, Wired dot1x
To simulate anomalous behaviour, the workstation's MAC address has been changed to match the Android phone's MAC.
The workstation has correctly been flagged as anomalous and is being denied access. To our surprise, the Android phone is also being denied access even though it is not flagged. Is this expected?
The first line is the workstation, which is correctly being denied, but the second line is the Android phone, whose MAC address was spoofed.
Thanks
Wing Churn
02-05-2018 10:39 AM
How would ISE differentiate between the “good” and “bad” endpoint if they both have the same mac address? It makes sense that they’d both be denied.
02-06-2018 08:08 PM
And for this reason it is often best practice to flag the endpoint and investigate rather than block/deny all by default, or else limit access to highly confidential data. It would also be possible to tag anomalous endpoints differently to support advanced inspection or monitoring without actually blocking access.
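The two answers above come down to one design fact: the endpoint record is keyed on the MAC address, so a spoofing device and its victim share a single record, and whatever verdict that record earns applies to every session presenting that MAC. The following Python model is an added illustration written for this page, not Cisco ISE code; the change-of-profile/access-method heuristic, the "deny" versus "quarantine" policy modes, and the endpoint attributes used are simplifying assumptions chosen to reproduce the scenario in the question (Android phone on wireless MAB, workstation on wired dot1x with the phone's MAC).

```python
"""Toy model of MAC-keyed endpoint tracking with anomalous-behaviour flagging.

Constructed illustration for this thread; it is NOT Cisco ISE code. The heuristic
(same MAC later seen with a different profile, auth method or medium) and the two
policy modes are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class EndpointRecord:
    mac: str
    profile: str          # e.g. "Android", "Microsoft-Workstation"
    auth_method: str      # e.g. "MAB", "dot1x"
    media: str            # e.g. "Wireless", "Wired"
    anomalous: bool = False
    history: List[str] = field(default_factory=list)


class EndpointStore:
    """Records are keyed on MAC only, so two physical devices presenting the same
    MAC collapse into one record. That collision is why both devices get the same
    verdict once the record is flagged."""

    def __init__(self) -> None:
        self.records: Dict[str, EndpointRecord] = {}

    def observe(self, mac: str, profile: str, auth_method: str, media: str) -> EndpointRecord:
        mac = mac.lower()
        rec = self.records.get(mac)
        if rec is None:
            # First sighting: learn the endpoint as-is, nothing anomalous yet.
            rec = EndpointRecord(mac, profile, auth_method, media)
            self.records[mac] = rec
            return rec

        # Assumed heuristic: the same MAC now looks like a different kind of device
        # or arrives over a different access method than last seen.
        changes = []
        if rec.profile != profile:
            changes.append(f"profile {rec.profile}->{profile}")
        if rec.auth_method != auth_method:
            changes.append(f"auth {rec.auth_method}->{auth_method}")
        if rec.media != media:
            changes.append(f"media {rec.media}->{media}")
        if changes:
            rec.anomalous = True          # sticky: stays set until an operator clears it
            rec.history.append("; ".join(changes))
        # Track the most recently seen attributes, as a profiler would.
        rec.profile, rec.auth_method, rec.media = profile, auth_method, media
        return rec


def authorize(rec: EndpointRecord, mode: str) -> str:
    """Policy applied per session, but driven by the shared MAC-keyed record.

    mode="deny":       anomalous record => every session with that MAC is denied.
    mode="quarantine": anomalous record => permitted, but tagged for inspection
                       (the "flag and investigate" approach from the last reply).
    """
    if not rec.anomalous:
        return "PERMIT"
    if mode == "deny":
        return "DENY"
    if mode == "quarantine":
        return "PERMIT:quarantine"
    raise ValueError(f"unknown policy mode {mode!r}")


def simulate(mode: str) -> Dict[str, str]:
    """Replay the thread's scenario and return the verdict for each session.
    The MAC below is a constructed sample value."""
    store = EndpointStore()
    phone_mac = "00:11:22:33:44:55"
    verdicts: Dict[str, str] = {}

    # 1. Android phone joins over wireless MAB and is profiled normally.
    rec = store.observe(phone_mac, "Android", "MAB", "Wireless")
    verdicts["phone_first"] = authorize(rec, mode)

    # 2. Workstation joins on wired dot1x using the phone's MAC: same record, now flagged.
    rec = store.observe(phone_mac, "Microsoft-Workstation", "dot1x", "Wired")
    verdicts["workstation_spoofed"] = authorize(rec, mode)

    # 3. The real phone reconnects. It hits the same flagged record, so it shares the fate.
    rec = store.observe(phone_mac, "Android", "MAB", "Wireless")
    verdicts["phone_reconnect"] = authorize(rec, mode)

    return verdicts


if __name__ == "__main__":
    for mode in ("deny", "quarantine"):
        print(mode, simulate(mode))
```

Running it in "deny" mode reproduces the surprise from the question: the phone's reconnect is denied because the flag lives on the MAC-keyed record, not on the physical device. In "quarantine" mode both sessions are still permitted but carry an inspection tag, which is the tradeoff the last reply recommends: the victim keeps (restricted) connectivity while the collision is investigated, at the cost of not hard-blocking the spoofing device.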