topic Static group assignment and Identity group assignment changing by themselves in Network Access Control

Static group assignment and Identity group assignment changing by themselves

KeelynHenning0941 — Thu, 16 Jul 2020 13:22:46 GMT

Under a certain block of end points with ISE, we currently have Static Group Assignment checked and a specific Identity group assignment set for a large block of devices withing our ISE environment. High School Chromebooks that have not had much activity on the network recently. Randomly the Static Group Assignment will become unchecked and the Identity group assignment with change to "workstation".

We cannot find the cause of why the end points are changing themselves and looking for input from the community.

Re: Static group assignment and Identity group assignment changing by themselves

Damien Miller — Thu, 16 Jul 2020 17:56:09 GMT

The most common reason this happens is that the endpoints are being purged by an endpoint purge rule. By default they typically won't be, but if someone set up a rule based on inactivity days, then there is no filter for static identity group = true. Check on those here, https://<ise admin ip>/admin/#administration/administration_identitymanagement/administration_identitymanagement_generalsettings/endpointPurge

In the past, there was also a profiling bug with DHCP helpers being sent at the same time to two different PSNs. That would cause the endpoint to be reset and lose its static mapping, however that was fixed at least a year and a half ago or more though.

Re: Static group assignment and Identity group assignment changing by themselves

KeelynHenning0941 — Fri, 17 Jul 2020 14:22:34 GMT

Thank you for your reply!

I already looked at this before but took another look for good measure. There were two Purge rules created, one of which could have possibility contained these devices at one time but when we checked there were no EndPoints listed under the Identity Group associated with the condition. To elevate this being the issue, we deleted both the Purge rule and the Identity Group associated as they were not needed anyway.

We ran another test that I believe is part of the problem but I still need to continue troubleshoot to see if it is related. This issue has been occurring with Chromebooks for a school district. We took a random Chromebook, looked over it's EndPoint settings, it was currently configured with the correct Policy and Identity Group and we added it to the guest network. After the device was on the Guest network, the static assignment went away, the Policy assignment changed, the Static Group assignment was still checked, and the Identity Group Assignment had changed.

We checked the EndPoint Identity Group EndPoints for the group this was changed to and we could see the EndPoint Profile listed and they were all marked Static Group Assignment = false.

I think this issue lays somewhere in the Profiler Policy so that is where I am with troubleshooting now.