09-15-2021 02:03 AM
We have ISE 2.7 with patch4.
Some endpoints are defined by ISE as "AnomalousBehaviour true"
But I don't understand why ISE triggered for these endpoints.
I found this via the show logging application profiler.log
Endpoint LastActivity is null/empty. Updating it with updatetime
MAC: XX:XX:XX:XX:XX:XX Significant attribue: AnomalousBehaviour new value: true old value: null
How to resolve it?
09-15-2021 03:20 AM
09-15-2021 07:00 AM
Thanks for your reply!
But I could not find a change for these AttrName in the profiler.log
I found:
Significant attribute change detected, persisting EP: D0:BF:9C:33:05:0B
:D0:BF:9C:33:05:0B:c675b270-154d-11ec-a66d-02422d8e8bc0::- Endpoint LastActivity is null/empty. Updating it with updatetime
com.cisco.profiler.im.EndPoint -:D0:BF:9C:33:05:0B:c675b270-154d-11ec-a66d-02422d8e8bc0::- MAC: D0:BF:9C:33:05:0B Significant attribue: AnomalousBehaviour new value: true old value: null
What could be the reasons for this behavior?
10-24-2021 10:16 AM
Hi Mikhail
I have a similar problem with some endpoints in one account. So far it looked like the endpoint was cycling the DHCP procedure from the wrong VLAN. Interesting is that it was able to obtain IP addressing (every time a new IP or in cycle) whilst it shouldn't. I'm still in the investigation process (DHCP relays & DHCP servers are out of my mgmt authority) but I'm pretty sure the change of addressing enforces accounting request turned into misconfigured NAD detected alert on ISE.
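A triage sketch for the profiler.log lines quoted in this thread (an added example, not part of any post and not Cisco code): it lists the endpoints whose log entries show AnomalousBehaviour switching to true, so they can be compared against DHCP and accounting activity. The function names, the `ExampleAttr` attribute and the second sample endpoint are assumptions; only the message fragment shown in the posts is matched.

```python
import re
from collections import defaultdict

# Matches the attribute-change fragment quoted in the thread. The log itself
# spells the word "attribue"; "attribute" is accepted as well.
CHANGE_RE = re.compile(
    r"MAC:\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"Significant attribut?e:\s*(?P<attr>\S+)\s+"
    r"new value:\s*(?P<new>.*?)\s+old value:\s*(?P<old>.*?)\s*$"
)

# Sample input: the first three lines are the ones posted in the thread,
# the last one is constructed (hypothetical endpoint and attribute name).
SAMPLE_LOG = """\
Significant attribute change detected, persisting EP: D0:BF:9C:33:05:0B
:D0:BF:9C:33:05:0B:c675b270-154d-11ec-a66d-02422d8e8bc0::- Endpoint LastActivity is null/empty. Updating it with updatetime
com.cisco.profiler.im.EndPoint -:D0:BF:9C:33:05:0B:c675b270-154d-11ec-a66d-02422d8e8bc0::- MAC: D0:BF:9C:33:05:0B Significant attribue: AnomalousBehaviour new value: true old value: null
com.cisco.profiler.im.EndPoint -:00:11:22:33:44:55:example::- MAC: 00:11:22:33:44:55 Significant attribue: ExampleAttr new value: b old value: a
"""


def parse_changes(lines):
    """Yield (mac, attribute, old, new) for every attribute-change line."""
    for line in lines:
        m = CHANGE_RE.search(line)
        if m:
            yield m["mac"].upper(), m["attr"], m["old"], m["new"]


def flagged_endpoints(lines, attr="AnomalousBehaviour"):
    """Return {mac: [(old, new), ...]} for endpoints whose latest logged
    value of `attr` is "true"; the list keeps every transition in order."""
    history = defaultdict(list)
    for mac, name, old, new in parse_changes(lines):
        if name == attr:
            history[mac].append((old, new))
    return {mac: t for mac, t in history.items() if t[-1][1].lower() == "true"}


if __name__ == "__main__":
    for mac, transitions in flagged_endpoints(SAMPLE_LOG.splitlines()).items():
        print(mac, " -> ".join(f"{o}=>{n}" for o, n in transitions))
```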