11-01-2018 05:13 AM - edited 03-11-2019 01:51 AM
Hello everyone,
Many Windows workstations are detected as anomalous in ISE 2.3, even though they are corporate desktops without any change. As per the log, endpoints are detected as anomalous because of the DHCP class identifier change, as in the case below.
2018-09-18 03:20:39,272 INFO [MACSpoofingEventHandler-52-thread-1][] com.cisco.profiler.api.MACSpoofingManager -:ProfilerCollection:- Anomalous Behaviour Detected: 10:60:4B:77:98:61 AttrName: dhcp-class-identifier Old Value: MSFT 5.0 New Value: MS-UC-Client
The attribute values “MSFT” and “MS-UC-Client” are both part of “Microsoft-Workstation” profiling policy rules. I’m unsure why ISE is finding the new value after a while – this change in attribute is causing the anomalous detection.
Can anyone help with a resolution or workaround for this?
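An added example, not part of the original post and not Cisco code: a small Python parser for the profiler log line format quoted above, which groups detections by attribute transition so that repeated flips such as MSFT 5.0 to MS-UC-Client can be separated from ones that need a look. Only the first sample line is from the post; the other sample lines and the `BENIGN_TRANSITIONS` allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the "Anomalous Behaviour Detected" line format quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"Anomalous Behaviour Detected: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"AttrName: (?P<attr>\S+) Old Value: (?P<old>.*?) New Value: (?P<new>.*)$"
)

# Assumption: the analyst treats this flip as benign, since the post says both
# values belong to the Microsoft-Workstation profiling policy rules.
BENIGN_TRANSITIONS = {("dhcp-class-identifier", "MSFT 5.0", "MS-UC-Client")}

# Sample input: line 1 is from the post; lines 2-4 are constructed.
SAMPLE_LOG = """\
2018-09-18 03:20:39,272 INFO [MACSpoofingEventHandler-52-thread-1][] com.cisco.profiler.api.MACSpoofingManager -:ProfilerCollection:- Anomalous Behaviour Detected: 10:60:4B:77:98:61 AttrName: dhcp-class-identifier Old Value: MSFT 5.0 New Value: MS-UC-Client
2018-09-18 03:25:10,101 INFO [MACSpoofingEventHandler-52-thread-1][] com.cisco.profiler.api.MACSpoofingManager -:ProfilerCollection:- Anomalous Behaviour Detected: 00:00:5e:00:53:01 AttrName: dhcp-class-identifier Old Value: MSFT 5.0 New Value: MS-UC-Client
2018-09-18 03:31:02,555 INFO [MACSpoofingEventHandler-52-thread-1][] com.cisco.profiler.api.MACSpoofingManager -:ProfilerCollection:- Anomalous Behaviour Detected: 00:00:5E:00:53:02 AttrName: dhcp-class-identifier Old Value: MSFT 5.0 New Value: udhcp 1.21.1
2018-09-18 03:32:00,000 INFO [constructed] unrelated profiler line
"""

def parse_events(log_text):
    """Return one dict per 'Anomalous Behaviour Detected' line; skip others."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def triage(events, benign=BENIGN_TRANSITIONS):
    """Group MACs by (attr, old, new) and split into benign vs. needs-review."""
    groups = defaultdict(set)
    for e in events:
        groups[(e["attr"], e["old"], e["new"])].add(e["mac"].upper())
    expected = {k: sorted(v) for k, v in groups.items() if k in benign}
    review = {k: sorted(v) for k, v in groups.items() if k not in benign}
    return expected, review

if __name__ == "__main__":
    expected, review = triage(parse_events(SAMPLE_LOG))
    for label, bucket in (("expected", expected), ("review", review)):
        for (attr, old, new), macs in bucket.items():
            print(f"{label}: {attr} {old!r} -> {new!r}: {len(macs)} endpoint(s) {macs}")
```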
11-01-2018 06:22 AM
11-03-2018 12:24 PM
11-03-2018 01:35 PM
See CSCvh24575 (Ability to filter or ignore certain attributes for Anomalous Client detection)
11-07-2018 01:56 PM
11-07-2018 02:05 PM
Depending on which version/patch combination you are on, this bug also creates false positives; it is not just 4500's as the description would suggest. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk10674
11-08-2018 12:05 PM
My take on enabling Anomalous Detection also didn't work correctly. I engaged TAC and it turned into a dead end. I'm also seeing a lot of false detections when we turn this on, so I cannot recommend this for enforcement, but rather as an indication for things to check.
I believe that a stronger profiling policy along with proper network design is more effective, if utilizing Dot1x is not possible.
11-12-2018 11:33 AM
11-12-2018 01:43 PM
I read the original post again and they already had this in their Workstation configs... They started showing up again in my list as well after clearing it and trying the "workaround".
The issue remains: the DHCP identifier changes, therefore it's Anomalous, as that alone triggers it. Even if you add the UC agent string to an existing or new profile. :(
What was TAC's response?
09-18-2019 06:47 AM
Hello
Did you get this sorted out? What was the solution?