
ISE 1.2 Anomalous Client Detection

ahurtadove
Level 1

Hi Community!

 

ISE 1.2 with patch 8, 9.

 

On MAB authentication with redirection I have clients that are suppressed by the RADIUS setting mentioned in the title. I have seen this post where suppression can be disabled; the thing is that it's not working at all.

 

Testing, I have done this:

 

1. Set the fields in Administration > System > Settings > Protocols > RADIUS to default values.

2. Retired MAC address from Endpoints in Administration > Identity Management > Identities > Endpoints.

3. Tried to connect with the same device until the "5434 Endpoint conducted several authentication attempts from same scenario" error appears.

4. In the first test the attribute "IsEndpointInRejectMode" was set to true; added the MAC in Disable Suppression > Result: NOT ALLOWED

5. In the second test the attribute "IsEndpointInRejectMode" was set to false; added the MAC in Disable Suppression > Result: NOT ALLOWED

 

So none of these tests have been working at all.

 

Am I expecting something that cannot be achieved?

Why did it work before? The client states that after enabling dot1x it stopped working (we all know this is completely unrelated, unless it is a bug).

 

Any thoughts?

5 Replies

jan.nielsen
Level 7

Just to clarify, what are you trying to achieve? Is it just MAB for central web-auth? Why are they getting suppressed?

Suppression is not something you are supposed to disable; you should find out why they are being suppressed. When you have something that is failing with the same error multiple times, ISE stops responding to the requests; if it has passed authentications multiple times, it will just stop logging them to avoid filling the logs with the same auth request multiple times. I don't see how MAB requests could get suppressed by anything other than incorrect authentication policies or just the regular successful auth suppression, which is fine.

We are having a MAB with CWA scenario, all users (wired, wireless) have to go through CWA to access network.

This implies that the SSID that users need to use to gain access is open, so if a new person arrives with a new device they need to ask the IT department for their MAC to be added to ISE. This is not always true, and users try to connect with their phones/tablets without asking for permission and then get rejected because of multiple attempts, as stated before. Then, when they notice they can't access the network, they call and ask for their MAC to be added, but with the rejection interval at 60 minutes the user still needs to wait an hour to gain access even though Disable Suppression is configured for that MAC.

MAB is still using RADIUS so that's why the client is suppressed.

nspasov
Cisco Employee

Can you confirm that you are experiencing the following:

In your steps #4 & #5 - clients are being blocked from network access even though suppression is disabled? If yes, can you confirm whether suppression is disabled globally or only filtered via the "Collection Filters"?

In your step #2 - By retiring, do you mean deleting it from the database? If so, have you waited a couple of minutes and checked the DB again to make sure that the MAC address did not re-populate due to profiling info?

Also, have you checked your "Client Exclusion" policies in your WLC and made sure that the blocking/exclusion is not happening there? I doubt it, since you would see that log hit in ISE, but it is still something to check.

Can you provide screenshots of the detailed authentication window for both your step #4 and step #5?

 

Thank you for rating helpful posts! 

 

Clients are being blocked even though suppression is disabled. The suppression is disabled via Collection Filters. One case I've seen is that if the MAC is not in the database (manually added) and the suppression is enabled via Collection Filters, the endpoint no longer triggers the IsEndpointInRejectMode flag, so for me that means suppression is working.

 

Yes, retiring is deleting the endpoint from the database, and for this particular client I have "disabled" profiling (I mean no RADIUS, DHCP or any checkboxes in the deployment tab).

I have not checked client exclusion in WLC but that would be a nice place to look next time.

It's difficult for me to post the screens at the moment, but basically it is the same as when the 5434 error shows: one with the flag set to true (IsEndpointInRejectMode) and the other set to false.

 

For me it's something about timing and the way the client sees that this worked immediately before.

manjeets
Level 3

You can change this by manipulating the interval. There have been discussions on changing it in the past but no commits that I am aware of. The focus of the feature is to identify users having login issues and support log suppression, not to limit the number of consecutive failed logins. However, if you enable "Reject Requests After Detection", then that will prevent successive auth attempts from that endpoint for the quarantine interval.

 

For what you are asking, you should move to the NAD and leverage client exclusion, for example, on the WLC. Note that you may risk the productivity of valid users that fat-finger their credentials or are having issues, so you need to be prepared for an increase in Help Desk calls if you get more aggressive on client exclusions.
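The behaviour described in this thread (repeated same-reason failures get their logs suppressed, and with "Reject Requests After Detection" the endpoint is quarantined for the rejection interval regardless of what the endpoint database says afterwards) can be modelled in a few lines. The following is an added illustration, not Cisco code and not an ISE API: the setting names, the default values (5-minute detection window, report every 15 minutes, 5 failures before rejection, 60-minute rejection interval), the failure-reason string and the MAC address are assumptions or constructed test data, and the model's rule that the Disable Suppression collection filter only affects logging, not the reject timer, is an assumption chosen to match what the original poster observed.

```python
"""Toy model of ISE 1.2 anomalous-client suppression and rejection.

Added example, not Cisco code. Setting names, defaults, the failure reason
string and the MAC are assumptions/constructed data. One modelling choice is
deliberately taken from the thread: once an endpoint is in reject mode it is
refused until the rejection interval expires, even if the MAC is added to the
endpoint database or to the Disable Suppression collection filter meanwhile.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed defaults (minutes / counts), mirroring the RADIUS settings page.
DETECT_WINDOW_MIN = 5        # "detect repeated failures within" this window
REPORT_INTERVAL_MIN = 15     # while suppressing, report the client this often
FAILURES_BEFORE_REJECT = 5   # same-reason failures before automatic rejection
REJECT_INTERVAL_MIN = 60     # "continue rejecting requests for" this long


@dataclass
class EndpointState:
    failures: list = field(default_factory=list)   # (time, reason) in window
    reject_until: Optional[float] = None           # IsEndpointInRejectMode while t < this
    last_report: Optional[float] = None            # last time a failure was logged


class AnomalousClientDetector:
    def __init__(self, suppress_repeated=True, reject_repeated=True,
                 disable_suppression_for=()):
        self.suppress_repeated = suppress_repeated
        self.reject_repeated = reject_repeated
        # Assumption: the collection-filter list changes logging only.
        self.no_suppress = {m.lower() for m in disable_suppression_for}
        self.state = {}

    def _st(self, mac):
        return self.state.setdefault(mac.lower(), EndpointState())

    def in_reject_mode(self, mac, t):
        st = self._st(mac)
        return st.reject_until is not None and t < st.reject_until

    @staticmethod
    def _result(outcome, reason, in_reject, logged):
        return {"outcome": outcome, "failure_reason": reason,
                "IsEndpointInRejectMode": in_reject, "logged": logged}

    def _should_log(self, st, mac, t):
        # Unsuppressed endpoints always log; others log once per report interval.
        if mac in self.no_suppress or not self.suppress_repeated or \
                st.last_report is None or t - st.last_report >= REPORT_INTERVAL_MIN:
            st.last_report = t
            return True
        return False

    def request(self, mac, t, credentials_ok, reason="unknown-endpoint"):
        """Process one RADIUS request at time t (minutes) and return its outcome."""
        mac = mac.lower()
        st = self._st(mac)
        if self.in_reject_mode(mac, t):
            # Quarantined: refused (5434) even if the MAC is known by now.
            return self._result("REJECT", "5434", True, self._should_log(st, mac, t))
        if credentials_ok:
            st.failures.clear()
            st.reject_until = None
            st.last_report = t
            return self._result("ACCEPT", None, False, True)
        # Keep only same-reason failures inside the detection window.
        st.failures = [(ts, r) for ts, r in st.failures
                       if r == reason and t - ts <= DETECT_WINDOW_MIN]
        st.failures.append((t, reason))
        n = len(st.failures)
        repeated = n >= 2
        if repeated and self.suppress_repeated:
            logged = self._should_log(st, mac, t)
        else:
            st.last_report = t
            logged = True
        if repeated and self.reject_repeated and n >= FAILURES_BEFORE_REJECT:
            st.reject_until = t + REJECT_INTERVAL_MIN   # quarantine starts now
            return self._result("REJECT", "5434", True, logged)
        return self._result("REJECT", reason, False, logged)


def scenario(disable_suppression_for=()):
    """Unknown phone fails MAB five times, IT adds the MAC at minute 10, retry at 65."""
    det = AnomalousClientDetector(disable_suppression_for=disable_suppression_for)
    mac = "00:11:22:33:44:55"                       # constructed test MAC
    events = [det.request(mac, t, credentials_ok=False) for t in range(5)]
    events.append(det.request(mac, 10, credentials_ok=True))   # still quarantined
    events.append(det.request(mac, 65, credentials_ok=True))   # interval expired
    return events


if __name__ == "__main__":
    for e in scenario():
        print(e)
    print("with Disable Suppression for the MAC:")
    for e in scenario(disable_suppression_for=["00:11:22:33:44:55"]):
        print(e)
```

Run it and compare the two scenarios: with the MAC in the Disable Suppression list every request is logged, but the request at minute 10 is still rejected with 5434 because the rejection timer set at the fifth failure has not expired; the first accepted request is the one after the 60-minute interval, which is the hour-long wait the original poster describes.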