04-03-2018 05:19 AM
Our testing use cases included:
1. Client on wireless .1x (Android phone), malicious user on wired MAB (Windows 10 workstation)
2. Client on wired MAB (Cisco IP phone), malicious user on wired MAB (Windows 10 workstation)
Case 1 has succeeded, but for case 2 these are the problems:
1. Anomalous behaviour is showing nothing.
2. Debug endpoint is showing nothing.
3. The workstation (attacker) has been placed in the correct authentication and authorization policies (voice VLAN) but can't ping my gateway.
Regarding case 1, is it true that the real endpoint should be shown in the Anomalous client detection behaviour page, or the attacker endpoint?
Any documents or suggestions?
04-03-2018 07:03 AM
Please review "Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2" (Cisco).
It is important to understand if one of the matching criteria for Anomaly has been met. For example, changing from wireless to wired (or vice versa) is straightforward, as this is captured as part of the RADIUS probe (enabled by default). To determine if there was a profile change or change in DHCP data requires that you validate the before and after profile assignment of the spoofed MAC, and/or the before and after profile details of the spoofed MAC. Since there is no change to the malicious user's data, only to the "real" MAC being spoofed, it is the latter which is flagged as Anomalous. It is the anomaly in attributes associated with the original MAC address.
Craig
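The point in the answer above, that the flag lands on the spoofed (original) MAC because that is the address whose observed attributes changed, can be made concrete with a small model. The Python below is an added illustration written for this thread, not Cisco ISE code: it keeps the last-seen access method, profile assignment and DHCP class identifier per MAC (the three criteria the answer names) and reports a MAC whenever a later observation of the same MAC differs. The event shape, MAC addresses, profile names and DHCP class strings are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


# Constructed model (not ISE's implementation): one record per MAC holding the
# last observed value of each attribute the thread names as an anomaly criterion.
@dataclass
class EndpointState:
    access_method: Optional[str] = None  # "wired" or "wireless" (from the RADIUS probe)
    profile: Optional[str] = None        # assigned profiler policy, e.g. "Android"
    dhcp_class_id: Optional[str] = None  # DHCP class identifier, e.g. "MSFT 5.0"


def diff_attributes(before: EndpointState, after: EndpointState) -> List[str]:
    """Return the criteria that changed between two observations of one MAC.

    An attribute never seen on one side (None) cannot count as a change, which
    is why a MAB-only spoof that sends no DHCP data leaves nothing to compare.
    """
    reasons = []
    for attr in ("access_method", "profile", "dhcp_class_id"):
        old, new = getattr(before, attr), getattr(after, attr)
        if old is not None and new is not None and old != new:
            reasons.append(f"{attr}: {old} -> {new}")
    return reasons


def evaluate(events: List[dict]) -> Dict[str, List[str]]:
    """Replay events in order and return {mac: reasons} for every flagged MAC.

    The key is always the MAC carried in the event, i.e. the original address
    being spoofed, because it is that address whose attribute history changed.
    """
    state: Dict[str, EndpointState] = {}
    flagged: Dict[str, List[str]] = {}
    for ev in events:
        mac = ev["mac"]
        before = state.get(mac, EndpointState())
        # Carry forward attributes the event did not report (e.g. no DHCP seen yet).
        after = EndpointState(
            access_method=ev.get("access_method", before.access_method),
            profile=ev.get("profile", before.profile),
            dhcp_class_id=ev.get("dhcp_class_id", before.dhcp_class_id),
        )
        reasons = diff_attributes(before, after)
        if reasons:
            flagged.setdefault(mac, []).extend(reasons)
        state[mac] = after
    return flagged


# Constructed sample data; MACs, profile names and class identifiers are made up.
# Case 1: Android on wireless .1x, then the same MAC shows up on a wired MAB port.
CASE1 = [
    {"mac": "aa:bb:cc:00:00:01", "access_method": "wireless",
     "profile": "Android", "dhcp_class_id": "android-dhcp-8.0"},
    {"mac": "aa:bb:cc:00:00:01", "access_method": "wired",
     "profile": "Windows10-Workstation", "dhcp_class_id": "MSFT 5.0"},
]
# Case 2 as reported: wired MAB phone, then a wired MAB spoof whose observed
# attributes are identical, so none of the three criteria can fire.
CASE2_SILENT = [
    {"mac": "aa:bb:cc:00:00:02", "access_method": "wired", "profile": "Cisco-IP-Phone"},
    {"mac": "aa:bb:cc:00:00:02", "access_method": "wired", "profile": "Cisco-IP-Phone"},
]
# Case 2 with DHCP data before and after: the class identifier differs, so the
# original phone MAC is flagged even though the access method is unchanged.
CASE2_DHCP = [
    {"mac": "aa:bb:cc:00:00:02", "access_method": "wired",
     "profile": "Cisco-IP-Phone", "dhcp_class_id": "Cisco Systems, Inc. IP Phone"},
    {"mac": "aa:bb:cc:00:00:02", "access_method": "wired",
     "profile": "Cisco-IP-Phone", "dhcp_class_id": "MSFT 5.0"},
]

if __name__ == "__main__":
    for name, events in (("case1", CASE1), ("case2_silent", CASE2_SILENT),
                         ("case2_dhcp", CASE2_DHCP)):
        print(name, evaluate(events) or "no anomaly")
```

The two case 2 variants are the check the answer asks for: with identical before/after observations nothing can be flagged, and only when the profile assignment or the DHCP details of the spoofed MAC actually differ does the original MAC get reported.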
04-04-2018 02:11 AM