Cisco ISE 2.2 Anomalous Detection and Redirect

Sp@wn
Level 1

Hello,

I enabled Anomalous Detection on ISE 2.2 patch 10. I also created a redirection URL to explain the situation to the client and used it in an exceptions rule. However, when the user is detected by the anomalous detection, the redirection does not work.

Redirect ACL on WLC is as follows:

Redirect acl.JPG

Exceptions Rule is as follows:

Exceptions Rule.JPG

Redirect Authz profile is as follows:

Redirect Authz Rule.JPG

Portal Settings are as follows:

(Options other than the Portal Settings are unchecked)

Portal settings.JPG

Is there any misconfiguration here?


Volkan Turan

8 Replies

Arne Bier
VIP

Looks alright to me so far. Very similar to a Guest Portal redirection ACL on the Cisco WLC.

It might be that the client is unable to resolve the FQDN of the ISE node. Is the client able to ping the PSN?

Do an nslookup on the client to see what happens when you try to resolve the FQDN (https://ip:port) - that means you're not using a static FQDN on the portal. Hence, ISE substitutes the FQDN of the PSN that sent the redirect (e.g. https://ise01.net.local:8443) - if the client cannot resolve ise01.net.local then it won't establish a TCP connection to the ISE portal.
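The dependency chain Arne describes (redirect URL carries the PSN FQDN, the client must resolve it, then reach the portal port through the redirect ACL) can be walked step by step from the client. This is an added example for this thread, not code from the original posts or from Cisco; the redirect URL, hostname ise01.net.local and session id are constructed, and the resolver/connector are injectable so the decision logic can be exercised offline.

```python
# Added example: check each step a redirected client must clear before the
# ISE portal can load: URL parse -> DNS resolution of the PSN FQDN -> TCP
# connection to the portal port.
import socket
from urllib.parse import urlsplit

# Constructed sample redirect URL. Without a static FQDN on the portal, ISE
# substitutes the FQDN of the PSN that sent the redirect; the session id is made up.
SAMPLE_REDIRECT = "https://ise01.net.local:8443/portal/gateway?sessionId=0A0A0A0A00000001&portal=hotspot"

def parse_redirect(url):
    """Return (host, port) of the portal the client is being sent to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) redirect URL: %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port

def default_resolve(host):
    """Resolve the name as the client would; empty list means resolution failed."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def default_connect(ip, port, timeout=3.0):
    """True if a TCP handshake to ip:port completes (redirect ACL must permit it)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(url, resolve=default_resolve, connect=default_connect):
    """Return (failed_step, detail); failed_step is None when every step passes."""
    host, port = parse_redirect(url)
    ips = resolve(host)
    if not ips:
        return "dns", "client cannot resolve %s; no TCP session to the portal is possible" % host
    reachable = [ip for ip in ips if connect(ip, port)]
    if not reachable:
        return "tcp", "%s resolves to %s but %d/tcp is unreachable (redirect ACL or routing)" % (host, ips, port)
    return None, "portal %s:%d reachable via %s" % (host, port, reachable[0])

if __name__ == "__main__":
    step, detail = diagnose(SAMPLE_REDIRECT)
    print("FAILED at %s: %s" % (step, detail) if step else "OK: " + detail)
```

Run it on the client that receives the redirect, replacing SAMPLE_REDIRECT with the URL seen in the browser; a "dns" result confirms the missing-FQDN case above, a "tcp" result points at the WLC redirect ACL or routing instead.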

Hi Arne,

When I check the live logs on ISE, the Anomalous Detected client seems to have received an IP address, but when I check on the client side, the client seems not to have received an IP. I also want to know why this client was detected as Anomalous. For this reason I checked the profiling logs, but I saw only "Attribute:AnomalousBehaviour value:true". Are there any other logs to find an explanation?

Regards,

Volkan Turan

hslai
Cisco Employee

Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 > Background Information has the info on how it is working currently.

If you want to check ISE debug logs, then enable DEBUG on profiler and check the profiler.log files.

ajc
Level 7

Do you have policy nodes, or are the Primary/Secondary Admin Nodes also running Policy Services? Usually the portals configured on the PRIMARY Admin Node are replicated to the PSNs, which are responsible for the Authc/Authz process (including the redirect to the HotSpot Portal page).

Hi ajc,

We have 2 nodes, as PRIADM,PRIMON / SECADM,SECMON. The Admin Nodes are also running Policy Services.

Regards,
Volkan Turan

Do you have the FQDN entry for each PSN in your DNS Server? I would say yes, because otherwise the deployment would not have been created, but confirm that. I mean:

ise01.domain.com (full FQDN) for Primary ADM/MNT/PSN

ise02.domain.com (full FQDN) for Secondary ADM/MNT/PSN

We have DNS entries. But I think we need to solve the client IP issue first.

hslai
Cisco Employee

I agree with you that resolving the DHCP IP assignment is important. You may, however, temporarily use a static IP to check other connectivity issues.