So what command needs to be running on the switch interface?

@Mohammed al Baqari 

On our production network we have Anomalous Behavior Detection enabled, but Enforcement is disabled.

What would be the impact if I enable the Enforcement and Change CoA type to Re Auth instead of No CoA.

Also,

What is the best practice for profiling an endpoint?

We generally try to avoid just using OUI or MAC address alone?

Is it wise to use DHCP Parameter Request List or NMAP Port Scan Result?

Also why two printer with same OUI/Different Model Provide different attributes?

I have some ricoh printer which provide precise details like 

Where some does not provide any concrete information

They provide dhcp-parameter-request-list which is not necessary indication if its printer devices

I retested after enabling Enable Anomalous Behaviour Detection and Enable Anomalous Behaviour Enforcement along with the appropriate authorization policy.  I set the laptop to use the mac address as the IP phone.  It worked as expected to deny the laptop from accessing the network.

Hi Brian,

How did you got it to work? Did the spoofing device advertise a different TLV value or etc? I am testing it but ISE did not re-profile even when I enable anomalous detection and enforcement. I spoke to TAC, TAC says that because the spoofing device did not send TLV value, ISE did not trigger re-profiling.. To me, isn't that consider a change in the profile coz there is no TLV for the same device that was earlier profiled successfully using OUI + TLV? A simple notebook can easily spoof the MAC address without even installing any 3rd party tools. 

Hi Here are the configs I used on the switch for 802.1x.  It is possible that it is using device sensor for your question about TLV.  I tested on a 3650 and 3850 switches with  IOS 16.6.6 with ISE 2.4 Patch 9.  Note I am also doing SNMP probe, a local port ACL and CoA.

aaa authentication login default group radius local
aaa authentication enable default enable group radius
aaa authentication dot1x default group radius
aaa authorization exec default local group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 10.x.x.x server-key 7 xxxxxxxxxxxxxx
server-key 7 xxxxxxxxxxxxx
aaa session-id common
dot1x system-auth-control
dot1x critical eapol
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius server ISE01
address ipv4 10.x.x.x auth-port 1812 acct-port 1813
key 7 xxxxxxxxxxxxx

snmp-server group SNMP_GROUP v3 priv
snmp-server user SNMP_USER SNMP_GROUP v3 auth sha xxxxxxxxxx priv aes 256 xxxxxxxxxx
snmp-server host 10.x.x.x version 3 priv SNMP_USER
snmp-server enable traps snmp linkdown linkup
device-sensor accounting
device-sensor notify all-changes
authentication mac-move permit
access-session template monitor

ip access-list extended PORT-ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit tcp any host 10.x.x.x eq 8443
deny ip any any

interface gi 1/0/1

description XXXXX
switchport access vlan XXXXX
switchport mode access
switchport voice vlan xx
ip access-group PORT-ACL-DEFAULT in
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

ISE will re-profile only if new parameters are received.  So if you spoof a MAC and you don't send anything else, ISE has no new information to re-profile with.  Absence of information is not enough to trigger ISE to profile it again.

Be careful with Anomalous Detection and Enforcement.  It has issues and there are some bugs filed on it.  For example, a Windows PC running Skype will send a DHCP message with a class identifier of the OS and will also send DHCP messages with a class identifier of MS-UC-Client.  Since the class identifier changes, ISE marks it as an anomalous endpoint.  One of my customers had every Windows client marked as anomalous.  With enforcement turned on, that would deny them all.

It is normal for a client to send multiple DHCP class identifiers.  That's how browsers do automatic proxy detection, software phones detect their SIP servers, etc.  ISE needs to account for that.  The DHCP RFC clearly explains the use of different application-specific class identifiers.

Thanks @Colby LeMaire  good to know about the issues with Anomalous Detection and Enforcement.  I did have the DHCP identifier issue on profiling Polycom phones.  The packet capture showed they were sending the Polycom identifier then the MS-UC-Client for skype for business.  Ended up doing a custom condition for this.  I will monitor the windows PC's to see if this issue occurs for skype for business client. 

On our production network we have Anomalous Behavior Detection enabled, but Enforcement is disabled.

What would be the impact if I enable the Enforcement as well and Change CoA type to Re Auth instead of No CoA.

Also,

What is the best practice for profiling an endpoint?

We generally try to avoid just using OUI or MAC address alone?

Is it wise to use DHCP Parameter Request List or NMAP Port Scan Result?