Beginner

ISE 2.4 Patch 10 Upgrade - Not Learning "Identity Group Name" Attribute in Radius Live logs

Hello,

We recently performed an ISE upgrade from 2.3 to 2.4, and then, after almost 10 days, we performed the patch upgrade for ISE 2.4 to Patch 10. Our policy for authenticating phones is Dot1x with certificate-based authentication using Locally Signed Certificates; these are Cisco Phones. For Authorization, we had a multiple-AND condition that checks for "Wired802.1x" and, for phones, "ID group name", as the phones, once they are profiled correctly, will be added to the respective Identity Group. This Policy was working absolutely without any issues for almost 3 years, up until we performed the "Patch 10" upgrade; even before the upgrade, when there was no patch installed on ISE 2.4 for the duration of 10 days, no issues were reported. The attached image, named "Identity Group Name", shows the attribute that was seen in Radius Live logs prior to the patch upgrade and hence was hitting the Authorization Condition. After the patch upgrade, after realizing that this attribute is no longer learned, we had to delete the additional condition from the Authorization Rule, which obviously fixed the issue for us. As far as I see, there is no security compromise or any acceptable risk involved after deleting this condition, as we have only one set of phones in the deployment. Still, out of curiosity, should I be considering this a Bug, or is there something I may have missed that should have been taken care of in ISE 2.4 Patch 10?

Accepted Solutions
Cisco Employee

Re: ISE 2.4 Patch 10 Upgrade - Not Learning "Identity Group Name" Attribute in Radius Live logs

Please open a TAC case to investigate.
