topic Re: MAC addresses being removed from identity group in Network Access Control

MAC addresses being removed from identity group

jacksonben — Tue, 10 Sep 2024 13:24:25 GMT

ISE 3.2 Patch 6

We are having a recurring issue that is really becoming a problem now with some MAC addresses dropping their identity group after being placed into one.

Example:

1) Add MAC address to Identity group through Context Visibility -> Endpoints -> Select MAC address -> Edit -> tick Static Group Assignment and place into group

Context visibility Endpoints now shows the MAC address in the new group

2) Re-authenticate via Operations -> Live Sessions -> CoA Actions -> Session Reauthentication

3) Device re-authenticates correctly and hits the policy rule appropriate to that Identity group

4) Go back to Context Visibility -> Endpoints and refresh

MAC address now showing as "Unknown" even after successful authentication

5) Trigger re-authentication through CoA again and the device now hits the default policy rule

So many times we have just thought we made a mistake and forgot to import an address, so we add it this way, watch it successfully authenticate, and go away thinking we have sorted it only for it to fail the next re-authentication when the timer (12 hours) runs out. Mostly we think we just got something wrong but after much testing have proven it really is ISE losing the ID group assignment.

This problem does not occur on all MAC addresses, just some, but there is no rhyme or reason to which ones do this. Although I have noticed it seems to happen more on switchports with multiple MAC addresses on them such a ports with IP phones or ones where there is a 3rd party unmanaged switch on the other end like Netgear.

Patch 6 had a resolved caveat that we thought might fix this:

CSCwi60778

Endpoint Loses Static Identity Group Assignment after Reauthentication.

But sadly we are still hitting this problem.

Has anyone else experienced this? Is there some setting somewhere to prevent static identity group assignments from being overwritten at all?

We performed a reset of the Context Visibility database as well to no avail:

So before we raise a TAC case I'm hoping someone here might be able to assist and point out where we might be going wrong.

Thanks.

Re: MAC addresses being removed from identity group

MHM Cisco World — Sat, 14 Sep 2024 16:19:47 GMT

MHM

Re: MAC addresses being removed from identity group

jacksonben — Tue, 10 Sep 2024 14:37:08 GMT

Video showing the problem example above attached.

Re: MAC addresses being removed from identity group

jacksonben — Tue, 10 Sep 2024 14:43:34 GMT

Thanks MHM we have tried that but for this particular example we get a "Failed to update endpoint - concurrent error".

However even if that worked it is impractical to use the identity groups section to import hundreds of devices at once.

Re: MAC addresses being removed from identity group

essarahemi — Mon, 07 Oct 2024 09:03:33 GMT

Yes i am also having the same issue.

Re: MAC addresses being removed from identity group

jacksonben — Mon, 07 Oct 2024 13:01:14 GMT

We currently have this being investigated by TAC.

Re: MAC addresses being removed from identity group

MHM Cisco World — Mon, 07 Oct 2024 13:13:02 GMT

Can you please update us TAC solutions.

So thanks

MHM

Re: MAC addresses being removed from identity group

MSDOIT — Tue, 08 Oct 2024 21:58:24 GMT

Would love to know what they say - I'm having the same problem - and am about to upgrade to 3.3 Patch 3 - I'll let you know if that helps.

Re: MAC addresses being removed from identity group

jacksonben — Wed, 09 Oct 2024 10:43:44 GMT

We have heard nothing for two weeks now, I suspect this is quite a sticky problem for them. But it is crucial it is fixed for our particular deployment scenario.

Re: MAC addresses being removed from identity group

jacksonben — Mon, 14 Oct 2024 08:37:28 GMT

Patch 7 has been released on the 10th Oct which TAC have informed us should fix this problem. We will update this after approval from our change board.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/release_notes/b_ise_32_RN.html

Fingers crossed this does the trick!

Re: MAC addresses being removed from identity group

MSDOIT — Tue, 15 Oct 2024 11:41:11 GMT

I'm cleared to apply this tonight. I'll report back. Did they say anything about any of the other 3.x version e.g. 3.3 or 3.4?

Re: MAC addresses being removed from identity group

jacksonben — Tue, 15 Oct 2024 12:44:44 GMT

I'm afraid not, in fact I was given to understand that this issue was 3.2 specific and the bug tracker only lists 3.2p6

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk94725

The previous 3.2 patch 6 had what sounded like a similar resolved caveat as mentioned in the original post, which is also in the release notes for 3.3 patch 3 so that may hopefully resolve your issue.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/release_notes/b_ise_33_RN.html#resolved_caveats_33p3

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi60778

Re: MAC addresses being removed from identity group

Jorge Luis Covenas Chiroque — Mon, 02 Mar 2026 23:58:23 GMT

Hi all.

I have a Cisco ISE version 3.3.0.430 pathc 2, 4, 6, 7 and it is hitting the bug.

We have an authorization rule for static Identity Group. Some devices changed to Unknown or was profile (e.g as Samsung-Device).

Has anyone tried with 3.4?

Thanks.

Re: MAC addresses being removed from identity group

Jatin Katyal — Tue, 03 Mar 2026 02:57:38 GMT

Jorge,

CSCwi60778 : This defect has been addressed in ISE 3.3 Patch 3 and above.

Also, please note that manual or automated changes may have removed endpoints from the static Identity Group. Sometimes Database or synchronization issues could also cause loss of static group assignments. I would suggest you to check that as well.

If you plant to upgrade to version ISE 3.4, do apply the patch 3 or above.

Re: MAC addresses being removed from identity group

jacksonben — Tue, 03 Mar 2026 14:40:59 GMT

Hi Jorge,

We have seen several patches where Cisco claimed this had been fixed only to continue having the problem. However we have found that version 3.2 patch 9 released on Christmas Day 2025 has finally fixed the problem for us. Thank you Santa.

Appreciate you are on version 3.3 however I can see a patch 9 for 3.3 also released on 25/12/2025 which may have the same fixes in it. It is probably worth patching up to date and see if this helps you.

Regards