
ISE 2.3p1 anomalous behavior

wileong
Cisco Employee

Hi,

Testing anomalous behaviour with ISE 2.3p1 and facing unexpected behaviour.

I have a phone and a workstation being profiled correctly.

Phone - Android, Wireless MAB

Workstation - Microsoft-Workstation, Wired dot1x

To simulate anomalous behaviour, the workstation MAC address has been changed to match the Android phone MAC.

image002.png

The workstation has been correctly flagged as anomalous behaviour and is being denied access. To our surprise, the Android phone is also being denied access even though it is not being flagged. Is this expected?

image001.png

The first line is the workstation, which is correctly being denied, but the second line is the Android phone, whose MAC address is being spoofed.

Thanks

Wing Churn


Accepted Solutions

gbekmezi-DD
Level 5

How would ISE differentiate between the “good” and “bad” endpoint if they both have the same MAC address? It makes sense that they’d both be denied.


2 Replies

And for this reason it is often best practice to flag the endpoint and investigate rather than block/deny all by default, or else limit access to highly confidential data. It would also be possible to tag anomalous endpoints differently to support advanced inspection or monitoring without actually blocking access.
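
The behaviour discussed in this thread, as a simplified model added here for illustration (not code from the thread or from ISE). It assumes the anomaly flag is stored per MAC address and is raised when the NAS-Port-Type seen for that MAC changes; the class and function names and the sample MAC are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """One authentication attempt (constructed sample data)."""
    mac: str
    nas_port_type: str   # e.g. "Wireless-802.11" or "Ethernet"
    device: str          # human label, never used in the decision


class EndpointStore:
    """Simplified model: endpoint state is keyed by MAC address only."""

    def __init__(self, enforce: bool):
        self.enforce = enforce   # True = deny flagged MACs, False = flag and monitor
        self.baseline = {}       # MAC -> NAS-Port-Type first seen for it
        self.anomalous = set()   # MACs currently flagged

    def authorize(self, s: Session) -> str:
        mac = s.mac.lower()
        first_seen = self.baseline.setdefault(mac, s.nas_port_type)
        if s.nas_port_type != first_seen:
            self.anomalous.add(mac)          # the flag sticks to the MAC, not the device
        if mac not in self.anomalous:
            return "permit"
        return "deny" if self.enforce else "permit-monitor"


def replay(enforce: bool):
    """Replay the thread's scenario and return (device, result) per attempt."""
    store = EndpointStore(enforce)
    mac = "02:00:00:AA:BB:CC"                # constructed, locally administered MAC
    events = [
        Session(mac, "Wireless-802.11", "android-phone"),
        Session(mac, "Ethernet", "workstation-with-cloned-mac"),
        Session(mac, "Wireless-802.11", "android-phone"),   # phone reauthenticates
    ]
    return [(e.device, store.authorize(e)) for e in events]


if __name__ == "__main__":
    for mode in (True, False):
        print("enforce" if mode else "monitor", replay(mode))
```

With enforcement on, the phone's reauthentication is denied because the only key the policy has is the shared MAC; in monitor mode both devices stay connected but tagged for investigation.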