Why is anomalous behaviour triggered when Endpoint LastActivity is changed?

We have ISE 2.7 with patch 4.

Some endpoints are defined by ISE as "AnomalousBehaviour true".

But I don't understand why ISE triggered this for these endpoints.

I found this via show logging application profiler.log:

 

Endpoint LastActivity is null/empty. Updating it with updatetime
MAC: XX:XX:XX:XX:XX:XX Significant attribue: AnomalousBehaviour new value: true old value: null

 

How to resolve it?

 

3 Replies

Hi,

This is triggered by one of the following conditions (these can be viewed
from profiler.log).


1. NAS-Port-Type - Determines if the access method of this endpoint has
changed. For example, if the same MAC address that connected via Wired
Dot1x is used for Wireless Dot1x and vice versa.

2. DHCP Class ID - Determines whether the type of client/vendor of the
endpoint has changed. This only applies when the DHCP class ID attribute is
populated with a certain value and is then changed to another value. If an
endpoint is configured with a static IP, the DHCP class ID attribute will
not be populated on ISE. Later on, if another device spoofs the MAC address
and uses DHCP, the Class ID will change from an empty value to a specific
string. This will not trigger Anomalous Behaviour detection.

3. Endpoint Policy - A change in endpoint profile from Printer or IP
Phone to Workstation.


See this doc for more information and how to disable it.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html

**** please remember to rate useful posts
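As an added illustration (not code from the thread, from Cisco, or from ISE itself): a small Python script that parses lines in the "Significant attribue: ... new value: ... old value: ..." format quoted in the thread and applies the three conditions listed in the reply above, including the DHCP class ID empty-to-value case that does not trigger. The sample log lines are constructed; the attribute names dhcp-class-identifier and EndPointPolicy, the substring matching used to recognise Printer/IP Phone profiles, and the exact log layout are assumptions, not verified against a real ISE deployment.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample profiler.log excerpt (not from a real ISE), modelled on the
# lines quoted in the thread. The "attribue" spelling is kept as it appears there.
# MAC ...:05 shows the poster's situation: AnomalousBehaviour flipped to true with
# no preceding significant-attribute change in the excerpt.
SAMPLE_LOG = """\
com.cisco.profiler.im.EndPoint -:AA:BB:CC:00:00:01:id-1::- MAC: AA:BB:CC:00:00:01 Significant attribue: NAS-Port-Type new value: Wireless - IEEE 802.11 old value: Ethernet
com.cisco.profiler.im.EndPoint -:AA:BB:CC:00:00:02:id-2::- MAC: AA:BB:CC:00:00:02 Significant attribue: dhcp-class-identifier new value: MSFT 5.0 old value: null
com.cisco.profiler.im.EndPoint -:AA:BB:CC:00:00:03:id-3::- MAC: AA:BB:CC:00:00:03 Significant attribue: dhcp-class-identifier new value: android-dhcp-10 old value: MSFT 5.0
com.cisco.profiler.im.EndPoint -:AA:BB:CC:00:00:04:id-4::- MAC: AA:BB:CC:00:00:04 Significant attribue: EndPointPolicy new value: Workstation old value: Cisco-IP-Phone-7960
com.cisco.profiler.im.EndPoint -:AA:BB:CC:00:00:05:id-5::- MAC: AA:BB:CC:00:00:05 Significant attribue: AnomalousBehaviour new value: true old value: null
"""

# Matches the quoted line layout; "new value" is matched lazily because values
# such as "Wireless - IEEE 802.11" contain spaces.
LINE_RE = re.compile(
    r"MAC: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"Significant attribue: (?P<name>\S+) "
    r"new value: (?P<new>.*?) old value: (?P<old>.*)$"
)

# Assumed substrings that identify IP Phone / Printer profiles in a policy name.
PHONE_OR_PRINTER_MARKERS = ("ip-phone", "ip_phone", "printer")


@dataclass
class AttributeChange:
    mac: str
    name: str
    old: Optional[str]
    new: Optional[str]


@dataclass
class Verdict:
    flagged: bool = False                      # ISE wrote AnomalousBehaviour=true
    causes: list = field(default_factory=list)  # triggering changes found in the log


def normalise(value: str) -> Optional[str]:
    """Treat '' and 'null' as 'attribute not populated'."""
    v = value.strip()
    return None if v == "" or v.lower() == "null" else v


def parse_profiler_log(text: str) -> list:
    changes = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            changes.append(AttributeChange(m["mac"], m["name"],
                                           normalise(m["old"]), normalise(m["new"])))
    return changes


def explain_change(c: AttributeChange) -> Optional[str]:
    """Return a reason string if this change meets one of the three conditions."""
    if c.name == "NAS-Port-Type":
        if c.old and c.new and c.old != c.new:
            return f"access method changed (NAS-Port-Type): {c.old} -> {c.new}"
    elif c.name == "dhcp-class-identifier":
        # Only a populated value changing to a different populated value counts;
        # empty -> value (static-IP host later spoofed by a DHCP client) does not.
        if c.old and c.new and c.old != c.new:
            return f"DHCP class ID changed: {c.old} -> {c.new}"
    elif c.name == "EndPointPolicy":
        was_phone_or_printer = bool(c.old) and any(
            mk in c.old.lower() for mk in PHONE_OR_PRINTER_MARKERS)
        if was_phone_or_printer and c.new and "workstation" in c.new.lower():
            return f"profile changed from phone/printer to workstation: {c.old} -> {c.new}"
    return None


def analyse(text: str) -> dict:
    """Map each MAC to whether ISE flagged it and which logged changes explain that."""
    verdicts = {}
    for c in parse_profiler_log(text):
        v = verdicts.setdefault(c.mac, Verdict())
        if c.name == "AnomalousBehaviour" and c.new == "true":
            v.flagged = True
            continue
        reason = explain_change(c)
        if reason:
            v.causes.append(reason)
    return verdicts


if __name__ == "__main__":
    for mac, v in analyse(SAMPLE_LOG).items():
        if v.flagged and not v.causes:
            print(f"{mac}: flagged, but no triggering change in this excerpt; "
                  "search earlier profiler.log entries (and other PSNs) for this MAC")
        else:
            print(f"{mac}: flagged={v.flagged} causes={v.causes}")
```

When the script reports a MAC as flagged with no cause in the excerpt, the useful next step is to grep the full profiler.log (on every PSN that profiled the endpoint) for that MAC and look for an earlier NAS-Port-Type, dhcp-class-identifier or EndPointPolicy change, since the AnomalousBehaviour line itself only records the outcome.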

Thanks for your reply!

But I could not find a change for these attribute names in the profiler.log.

I found:
Significant attribute change detected, persisting EP: D0:BF:9C:33:05:0B

:D0:BF:9C:33:05:0B:c675b270-154d-11ec-a66d-02422d8e8bc0::- Endpoint LastActivity is null/empty. Updating it with updatetime
com.cisco.profiler.im.EndPoint -:D0:BF:9C:33:05:0B:c675b270-154d-11ec-a66d-02422d8e8bc0::- MAC: D0:BF:9C:33:05:0B Significant attribue: AnomalousBehaviour new value: true old value: null

 

What could be the reasons for this behavior?

Hi Mikhail,

I have a similar problem with some endpoints in one account. So far it looked like the endpoint was cycling the DHCP procedure from the wrong VLAN. Interestingly, it was able to obtain IP addressing (every time a new IP, or in a cycle) whilst it shouldn't. I'm still in the investigation process (DHCP relays & DHCP servers are out of my management authority), but I'm pretty sure the change of addressing forces an accounting request that turned into a "misconfigured NAD detected" alert on ISE.