https://community.cisco.com/t5/network-access-control/nested-endpoint-identity-groups-what-for/m-p/5295684#M596602 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/17232">@Marcelo Morais</a>&nbsp;that's a great workaround - your naming conventions allows me to create the hierarchy in "Administration / Identity Management / Endpoint Identity Groups" screen to collapse the Groups under their parents. I like that! Thanks</P> Mon, 02 Jun 2025 05:36:58 GMT Arne Bier 2025-06-02T05:36:58Z https://community.cisco.com/t5/network-access-control/nested-endpoint-identity-groups-what-for/m-p/5295676#M596600 <P>Hello,</P> <P>I like the idea of creating EIG (Endpoint Identity Groups) in a hierarchical fashion, but I have run into a limitation - wondering if there is a solution for this.</P> <P>If you create an EIG Hierarchy as follows:</P> <PRE>Parent 1 Parent 2</PRE> <P>and under each Parent, create a Child 1 Endpoint Identity Group, so that the result looks like this:</P> <PRE>Parent 1 &nbsp; Child 1 Parent 2 Child 1</PRE> <P>then you can create RADIUS Policy Set rules that refer to each Parent:Child relationship (where the semicolon is the delimiter) as</P> <P>"Parent 1:Child 1"</P> <P>or</P> <P>"Parent 2:Child 1"</P> <P>However, in Context Visibility, you cannot tell who the parent is when an endpoint is assigned as "Child 1" of either parent - that level of granularity is not available. In Context Visibility, you can statically set an EIG, but in the drop-down list, the options appear as&nbsp;</P> <PRE>Child 1 Child 1</PRE> <P>No context about the parent.&nbsp;</P> <P>In the Context Visibility Browser, you don't see the Parent details either, and even worse, in the CSV import, there is no way to be specific about the exact Parent:Child relationship- you can only specify an EIG name - who knows where the endpoint will be assigned to...</P> <P>So is it a bug, or just lacking feature support in ISE ?&nbsp; Why allow hierarchical nesting of groups, when the implications of using such a feature makes it very hard (or pointless) in practice?</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 02 Jun 2025 04:44:59 GMT https://community.cisco.com/t5/network-access-control/nested-endpoint-identity-groups-what-for/m-p/5295676#M596600 Arne Bier 2025-06-02T04:44:59Z https://community.cisco.com/t5/network-access-control/nested-endpoint-identity-groups-what-for/m-p/5295683#M596601 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;I totally agree !!!</P> <P class="lia-align-justify">&nbsp;For me is&nbsp;<SPAN>&nbsp;"just lacking feature support in ISE" ... as a workaround, what I do is something like this:</SPAN></P> <PRE>Parent 1 &nbsp; P1-Child 1 Parent 2 P2-Child 1</PRE> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Best regards</P> <P class="lia-align-justify">&nbsp;</P> Mon, 02 Jun 2025 05:26:49 GMT https://community.cisco.com/t5/network-access-control/nested-endpoint-identity-groups-what-for/m-p/5295683#M596601 Marcelo Morais 2025-06-02T05:26:49Z https://community.cisco.com/t5/network-access-control/nested-endpoint-identity-groups-what-for/m-p/5295684#M596602 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/17232">@Marcelo Morais</a>&nbsp;that's a great workaround - your naming conventions allows me to create the hierarchy in "Administration / Identity Management / Endpoint Identity Groups" screen to collapse the Groups under their parents. I like that! Thanks</P> Mon, 02 Jun 2025 05:36:58 GMT https://community.cisco.com/t5/network-access-control/nested-endpoint-identity-groups-what-for/m-p/5295684#M596602 Arne Bier 2025-06-02T05:36:58Z