With that being said I can't use it as a profiler condition?

With that being said I can't use it as a profiler condition?

 

---

Your picture shows AD-Join-Point used as a condition for a profiler check. It would be a bug if that is not working to make a match. As said previously, the other attribute, despite with the same value most of the time, is not available for such.

Checking EndPointSource Active Directory Probe, other attributes is AD-Host-Join-Point but on profiler condition is AD-Join-Point. The AD-Join-Point is not showing on Endpoint other attributes. 

If AD-Host-Join-Point used by ISE Radius probe, how can I make ISE to perform EndPointSource Radius Probe instead of Active Directory Probe? Turning off AD probe will that make it Radius probe to take place?

No, it won't work like that. It's likely you are hitting some other bug, such as CSCve03360

Our ISE 2.3 installed patch 2,3 I was planning on installing patch 4 and patch 5. Will that address the bug problem?

When you patch ISE, you don't need to install every patch released. The most recent patch incorporates all the previous patch fixes.
ex. You can apply just patch 5 on your ISE deployment and it will include all patch 1-4 items too.

Just commentary on patching. I don't know if your issue is fixed in patch X.  When I am unsure if an issue is fixed in patch X, I work with TAC, I would suggest you do the same here.  It can be very difficult to troubleshoot/identify fridge issues via forum posts.  

I concurred with Damien's comment.

CSCve03360 is due to ISE 2.2+ using AD probe to fetch both computer info and user info and two types of fetches using the same AD-Last-Fetch-Time such that computer info fetch not occurring if user info fetched within the last 24 hour or the configured interval. The bug is addressed in ISE 2.4 FCS. CSCvm72309 observed in ISE 2.4 Patch 1+.

Your deployment might need both bug fixes and TAC may help analyzing that.

I turned on debug on ISE for profiler and I found out that the initial authentication method is MAB, then Radius Probe and then last Active Directory Probe. 

I shutdown the interface first, deleted the endpoint on the ISE, rebooted the pc and do no shutdown on interface. For the first time when ISE sees the MAC address it will be unknown but the first sequence is MAB, then Radius Probe and then Active Directory probe. 

ISE of course after I deleted the endpoint it has no longer the mac address in its database. How can I configure the ISE to perform Radius Probe or AD Probe only?

Radius Probe

Attribute:AAA-Server value:<omitted>
Attribute:AD-Error-Details value:Domain trust is one-way
Attribute:AD-Groups-Names value:<omitted>/Builtin/Domain Computers
Attribute:AD-Host-Candidate-Identities value:<omitted>
Attribute:AD-Host-DNS-Domain value:<omitted>
Attribute:AD-Host-Join-Point value:EXAMPLE.ORG
Attribute:AD-Host-NetBios-Name value:EXAMPLE
Attribute:AD-Host-Resolved-DNs value:<omitted>
Attribute:AD-Host-Resolved-Identities <omitted>
Attribute:AD-Last-Fetch-Time value:1540480415942
Attribute:AKI value:<omitted>
Attribute:AuthenticationIdentityStore value:EXAMPLE
Attribute:AuthenticationMethod value:x509_PKI
Attribute:AuthenticationStatus value:AuthenticationPassed
Attribute:AuthorizationPolicyMatchedRule value:AD OU Computers Root CA
Attribute:BYODRegistration value:Unknown
Attribute:CacheUpdateTime value:1540480415962
Attribute:Called-Station-ID value:<omitted>
Attribute:Calling-Station-ID value:<omitted>
Attribute:CreateTime value:1540480406501
Attribute:DTLSSupport value:Unknown
Attribute:Days to Expiry value:3393
Attribute:DestinationIPAddress value:<omitted>
Attribute:DestinationPort value:1812
Attribute:Device IP Address value:<omitted>
Attribute:Device Identifier value:
Attribute:Device Port value:1645
Attribute:Device Type value:<omitted>
Attribute:DeviceRegistrationStatus value:NotRegistered
Attribute:EndPointMACAddress value:<omitted>
Attribute:EndPointPolicy value:Dell-Inc-Device
Attribute:EndPointPolicyID value:<omitted>
Attribute:EndPointProfilerServer value:<omitted>
Attribute:EndPointSource value:RADIUS Probe

On the Profiling Condition , selecting Radius as Type, searching for AD-Host-Join-Point name is not available. I can't build these attributes and use it for matching endpoint that are part of Active Directory. 

Here is the AD Probe

MAC: <omitted>
Attribute:AD-Last-Fetch-Time value:1540480480951
Attribute:BYODRegistration value:Unknown
Attribute:DeviceRegistrationStatus value:NotRegistered
Attribute:EndPointProfilerServer value:<omitted>
Attribute:EndPointSource value:Active Directory Probe
Attribute:MACAddress value:<omitted>
Attribute:NmapSubnetScanID value:0
Attribute:OUI value:Dell Inc.
Attribute:PolicyVersion value:0
Attribute:PortalUser value:
Attribute:PostureApplicable value:Yes
Attribute:User-Fetch-CountryName value:
Attribute:User-Fetch-Department value:
Attribute:User-Fetch-Email value:
Attribute:User-Fetch-First-Name value:
Attribute:User-Fetch-Job-Title value:
Attribute:User-Fetch-Last-Name value:
Attribute:User-Fetch-LocalityName value:
Attribute:User-Fetch-Organizational-Unit value:
Attribute:User-Fetch-StateOrProvinceName value:
Attribute:User-Fetch-StreetAddress value:
Attribute:User-Fetch-Telephone value:
Attribute:User-Fetch-User-Name value:<omitted>
Attribute:SkipProfiling value:false

The attribute for AD-Join-Point is not even showing. 

Please check if this post could help you

https://community.cisco.com/t5/policy-and-access/ise-2-3-and-active-directory-probe/td-p/3351475