Many of Windows workstation are detected as Anomalous in ISE 2.3 . Even though the desktop of corporate desktop without any change . As per the log endpoints detected as anomalous because of the DHCP class identifier change as in the case below.
2018-09-18 03:20:39,272 INFO [MACSpoofingEventHandler-52-thread-1] com.cisco.profiler.api.MACSpoofingManager -:ProfilerCollection:- Anomalous Behaviour Detected: 10:60:4B:77:98:61 AttrName: dhcp-class-identifier Old Value: MSFT 5.0 New Value: MS-UC-Client
The attribute values “MSFT” and “MS-UC-Client” are both part of “Microsoft-Workstation” profiling policy rules. I’m unsure why ISE is finding the new value after a while – this change in attribute is causing the anomalous detection.
Can anyone help with the resolution or workaround for the same.
Solved! Go to Solution.
Depending on which version/patch combination you are on, this bug also creates false positives, it is not just 4500's as the description would suggest. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk10674
My take on enabling Anomalous Detection also didn't work correctly, I engaged TAC and it turned into a dead end. I'm also seeing lot of false detections when we turn this on, so I cannot recommend this for enforcement, but rather as an indication for things to check.
I believe that a stronger profiling policy along with proper network design is more effective, if utilizing Dot1x is not possible.
I read the original post again and they already had this in their Workstation configs... They started showing up again in my list as well after clearing it and trying the "workaround".
The issue remains the DHCP identifier changes therefor it's Anamolous as that alone triggers it. Even if you add the UC agent string to and existing or new profile. :(
What was TAC's response?