https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3683029#M496011 <P>Also, good to work with TAC to know the root cause and have a defect for tracking the issue.&nbsp;</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Nidhi</P> Tue, 07 Aug 2018 10:30:32 GMT Nidhi 2018-08-07T10:30:32Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3673452#M496009 <P>Running ISE 2.3 patch 2 the endpoint visibility data is not matching up with the current live logs.</P> <P>&nbsp;</P> <P>More specifically the attribute I am most concerned about at this time is the "<SPAN>AuthorizationPolicyMatchedRule" attribute is not matching the actual AuthZ policy&nbsp;that is being match when looking at the endpoint in the Live Logs or RADIUS authentication&nbsp;reports.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I have also pulled the data using both ISEEAT and through the CLI with the same results.&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> Tue, 24 Jul 2018 16:45:41 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3673452#M496009 Cory Peterson 2018-07-24T16:45:41Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3681666#M496010 <P>I do not think this is part of the significant attributes so it might not always get updated in ISE profiler.</P> Mon, 06 Aug 2018 03:09:27 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3681666#M496010 hslai 2018-08-06T03:09:27Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3683029#M496011 <P>Also, good to work with TAC to know the root cause and have a defect for tracking the issue.&nbsp;</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Nidhi</P> Tue, 07 Aug 2018 10:30:32 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3683029#M496011 Nidhi 2018-08-07T10:30:32Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3683243#M496012 <P>There is already a bug for this:</P> <P>&nbsp;</P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb28481/?rfs=iqvred" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb28481/?rfs=iqvred</A></P> <P>&nbsp;</P> <P>I reported this in 2.1 and Hsing created a bug for me.&nbsp; The bug says fixed but this is still not working correctly.&nbsp; The biggest issue is we can't rely on Context Visibility to tell us the accurate last authorization profile the MAC address hit.&nbsp; This is crucial in the monitor mode phase.&nbsp;&nbsp;</P> Tue, 07 Aug 2018 13:54:58 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3683243#M496012 paul 2018-08-07T13:54:58Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3684229#M496013 <P>I'm been working with the business unit for over a year on what sounds like the same issue.&nbsp; If I understand the problem correctly there is a discontinuity between the context visibility database and a second database.&nbsp; In my opinion, there is only one way to manage the deployment, that is through the radius livelogs and live sessions screens.&nbsp; I feel your pain.</P> Wed, 08 Aug 2018 15:23:25 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3684229#M496013 cjwolff 2018-08-08T15:23:25Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3684256#M496014 Yes but the live logs aren't going to help you because you can't filter on Monitor-Catch-All authorization profile and expect that list to be accurate for things sitting at the Catch All rule. Especially with CPL where all devices are MAB'd all your valid 802.1x devices will hit the Catch All rule and look like issues when they are fine. The Live Session is better, but what if the device is currently on the network. Ideally, we need ISE to answer the question "What was the last authorization profile the MAC address hit". The Context Visibility is supposed to do that, but doesn't. I have a macro I wrote in 1.1 that I use to process RADIUS data and parse out the last hit authorization profile to give accurate Catch All hits, but that is only something I (and others at my company) use.<BR /><BR /><BR /> Wed, 08 Aug 2018 16:10:23 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3684256#M496014 paul 2018-08-08T16:10:23Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3684992#M496016 You're 100% on the mark. What you're describing is a fundamental failure in manageability of the enterprise through ISE. All we can keep doing is pushing the issue at all levels. Thu, 09 Aug 2018 14:30:31 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3684992#M496016 cjwolff 2018-08-09T14:30:31Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3685006#M496018 <P>This all revolves around the ability to find what endpoints are passing and which ones are not. Like many have stated above the difference in the two views is a huge pain point when doing monitor mode in preparation to move to enforcement mode.</P> <P>&nbsp;</P> <P>Like Paul has done, I have also had to write my own tool to parse the data.&nbsp;</P> <P>&nbsp;</P> <P>I have written a python script that takes two reports and merges them using data from both that I want to see to help with troubleshooting the devices failing for whatever reason. I use ISEEAT to pull a full endpoint report(this matches context visibility) and also a report for the last 7 days of radius authentications(this report is growing to almost an 1gig CSV file).</P> <P>&nbsp;</P> <P>All of the data is in the Context Visibility report but it is not accurate so we have to resort to custom scripts to meet this need that should be accurate. I have a case open on this also and it is definitely not corrected.&nbsp;</P> Thu, 09 Aug 2018 14:48:52 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3685006#M496018 Cory Peterson 2018-08-09T14:48:52Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3913097#M496021 <P>Was this fixed in the 2.4 release?</P> Fri, 23 Aug 2019 14:13:08 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3913097#M496021 Willieh13 2019-08-23T14:13:08Z https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3913139#M496023 <P>No this still hasn't been fixed.&nbsp; Context Visibility is still unreliable as ever for certain data like the authorization policy hit.</P> Fri, 23 Aug 2019 15:04:07 GMT https://community.cisco.com/t5/network-access-control/endpoint-visibility-authz-attribute-not-matching/m-p/3913139#M496023 paul 2019-08-23T15:04:07Z