ISE 2.4 - Endpoint registration status changed to "Unknown" after re-profiling

Mark Hamilton
Level 1

We are experiencing an issue which affects some endpoints after they have been re-profiled. From time to time we see endpoints that have been profiled as a specific type of device (i.e. Windows10-Workstation), get re-profiled as a generic device such as "Microsoft-Workstation" or sometimes "Unknown". This is an issue in itself but it is not the issue I want to discuss in this thread.

 

After an endpoint gets re-profiled like above, the attributes BYOD Registration and DeviceRegistrationStatus are subsequently changed to "Unknown" as seen below:

[Screenshots: byodregistration.png, deviceregistration.png]

 

As part of our authentication policies we specifically check the BYOD registration status of an endpoint. This means that an endpoint affected by this issue is no longer able to authenticate on the network, and the ONLY way we can resolve it is to delete the endpoint from ISE and re-onboard it.

 

Cisco TAC claim that this is to be expected when an endpoint is re-profiled but I am finding it hard to understand why the REGISTRATION attributes on an endpoint are modified during the re-profiling process.

 

They also claim that if the endpoint successfully authenticates after this issue has occurred, then it should be re-profiled correctly (e.g. from a Microsoft-Workstation to a Windows10-Workstation) and the registration attributes should be updated. We have not seen this behaviour and we have had to delete the endpoint and re-onboard it every time.

 

Has anybody else running a BYOD environment experienced issues similar to this?


8 Replies

Francesco Molino
VIP Alumni
Hi

I have deployed several BYOD infrastructures and this is the first time I have heard of such an issue.

When it gets re-profiled, is the device MAC address still in the group RegisteredDevices (or whatever group you use in your BYOD onboarding)?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

I've just checked an endpoint which recently hit this issue and it appears that the MAC address is not present in the "RegisteredDevices" group.

There is an exception to the issue I described in the original post. On some endpoints only the BYOD registration attribute is changed to "Unknown" and the DeviceRegistrationStatus attribute remains as "Registered".

In either circumstance I can't imagine why ISE would modify either attribute or remove the MAC address from the registered devices group.

The issue is very similar to a bug we were hitting on ISE 2.3 which is documented under bug ID CSCvm12069. This bug was resolved in a patch release.
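The two states described in this reply (both attributes reset and the MAC gone from RegisteredDevices, versus only the BYOD Registration attribute reset) can be picked out of an endpoint export before the affected devices fail authentication. The following is an added triage script, not code from this thread or from Cisco. It assumes a CSV export with the columns MACAddress, EndPointPolicy, BYODRegistration, DeviceRegistrationStatus and EndPointGroups (';'-separated), that a healthy onboarded endpoint has BYODRegistration == "Yes" and DeviceRegistrationStatus == "Registered", and that you have a baseline list of MACs that were previously onboarded; the sample rows are constructed. Adjust the column names and values to match your own export.

```python
"""Added triage check for the BYOD registration reset discussed in this thread.

Illustrative script, not code from the thread or from Cisco. Assumptions:
endpoint data comes from a CSV export with the columns MACAddress,
EndPointPolicy, BYODRegistration, DeviceRegistrationStatus and EndPointGroups
(';'-separated identity groups); a healthy onboarded endpoint has
BYODRegistration == "Yes" and DeviceRegistrationStatus == "Registered".
"""
import csv
import io
from typing import Dict, Iterable, List

# Identity group used by the onboarding flow (named in the thread).
REGISTERED_GROUP = "RegisteredDevices"

# Constructed sample export, not real data. Rows: a healthy endpoint, one with
# both attributes reset and the group membership gone (the original post), one
# with only BYODRegistration reset (the exception noted in the reply above),
# and one that was never onboarded.
SAMPLE_EXPORT = """\
MACAddress,EndPointPolicy,BYODRegistration,DeviceRegistrationStatus,EndPointGroups
00:11:22:33:44:01,Windows10-Workstation,Yes,Registered,RegisteredDevices;Workstation
00:11:22:33:44:02,Microsoft-Workstation,Unknown,Unknown,Workstation
00:11:22:33:44:03,Microsoft-Workstation,Unknown,Registered,RegisteredDevices;Workstation
00:11:22:33:44:04,Unknown,Unknown,Unknown,Unknown
"""

# MACs recorded as onboarded at an earlier point (e.g. from a previous export
# of the RegisteredDevices group). Constructed; ...05 has since been deleted.
BASELINE_MACS = ["00:11:22:33:44:01", "00:11:22:33:44:02",
                 "00:11:22:33:44:03", "00:11:22:33:44:05"]


def parse_export(text: str) -> Dict[str, dict]:
    """Parse the assumed CSV layout into {MAC: row}, with groups as a set."""
    endpoints = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = row["MACAddress"].strip().upper()
        groups = row.get("EndPointGroups") or ""
        row["groups"] = {g.strip() for g in groups.split(";") if g.strip()}
        endpoints[mac] = row
    return endpoints


def classify(row: dict) -> str:
    """Map one endpoint's registration attributes to the states seen in the thread."""
    byod = row["BYODRegistration"].strip()
    drs = row["DeviceRegistrationStatus"].strip()
    in_group = REGISTERED_GROUP in row["groups"]
    if byod == "Yes" and drs == "Registered" and in_group:
        return "ok"
    if byod == "Unknown" and drs == "Unknown" and not in_group:
        return "fully_reset"          # both attributes reset, MAC dropped from the group
    if byod == "Unknown" and drs == "Registered":
        return "byod_flag_reset"      # only BYODRegistration reset
    return "inconsistent"             # any other mix, worth a manual look


def triage(baseline_macs: Iterable[str], current_export: str) -> Dict[str, List[str]]:
    """Check every previously onboarded MAC against the current export.

    Comparing against a baseline is what separates an endpoint whose
    attributes were reset from one that was never onboarded: both look the
    same in a single export.
    """
    current = parse_export(current_export)
    buckets: Dict[str, List[str]] = {
        k: [] for k in ("ok", "fully_reset", "byod_flag_reset", "inconsistent", "deleted")
    }
    for mac in (m.strip().upper() for m in baseline_macs):
        row = current.get(mac)
        buckets["deleted" if row is None else classify(row)].append(mac)
    return buckets


def needs_reonboarding(buckets: Dict[str, List[str]]) -> List[str]:
    """MACs that an authorization rule requiring BYODRegistration == Yes will reject."""
    return sorted(buckets["fully_reset"] + buckets["byod_flag_reset"] + buckets["inconsistent"])


if __name__ == "__main__":
    result = triage(BASELINE_MACS, SAMPLE_EXPORT)
    for state, macs in result.items():
        print(f"{state:16s} {', '.join(macs) or '-'}")
    print("re-onboard:", needs_reonboarding(result))
```

Run it against a fresh export on a schedule; the "byod_flag_reset" bucket is the one that a condition on DeviceRegistrationStatus alone would miss, and the "fully_reset" bucket is the one that neither the BYOD attribute nor a RegisteredDevices group check will rescue, which is why the poster ends up deleting and re-onboarding those endpoints.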

OK, that's weird that you get devices removed from the registered group. I never faced that issue in either 2.3 or 2.4.

Maybe you will need to call the TAC. Can you reproduce the issue or is it random?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, it is very unusual, Francesco, and unfortunately we cannot reproduce the issue on demand. The issue is affecting a small number of endpoints at random.

 

Unfortunately I have already been dealing with TAC on this issue and they have advised me that this is expected behaviour. I have requested that the case be escalated and investigated further.

It sounds like you are using the Cisco default out-of-the-box profiling policies? I recommend using your own profiling policies with a higher MCF in an attempt to avoid your issue. I have seen a similar issue when attempting to profile based on a PXE boot DHCP attribute, where the attributes are there and then gone. Have you considered potentially changing your authz condition to push policy? Maybe that is the better option. Good luck.

Yes, please escalate the issue. I have also copied our BYOD and Profiling TMEs on this: @howon @kthiruve

@mike - Yes I believe we are using the default Cisco profiling policies. I'll discuss your suggestions with my colleagues.

@jason - Thank you.

Hi Mark,

 

We are facing the exact same issue. Devices being re-profiled change their BYOD Registered flag to Unknown, causing the endpoint to be rejected because the authorization policy expects this flag in one of the conditions.

 

The MAC address also disappears from the RegisteredDevices group, so replacing the above condition for another looking into this group wouldn't make any sense either.

 

Did you get feedback from Cisco about this? 

 

Thanks.
