
ISE 2.4 Patch 10 Upgrade - Not Learning "Identity Group Name" Attribute in Radius Live logs

Owais Khan
Level 1

Hello,

We recently performed an ISE upgrade from 2.3 to 2.4, and then, after almost 10 days, we performed the patch upgrade for ISE 2.4 to Patch 10. Our policy for authenticating phones is Dot1x with certificate-based authentication using locally signed certificates; these are Cisco phones. For Authorization, we had a multiple AND condition that checks for "Wired802.1x" and, for phones, "ID group name", as the phones, once they are profiled correctly, are added to the respective Identity Group. This policy was working without any issues for almost 3 years until we performed the "Patch 10" upgrade; even before the upgrade, when there was no patch installed on ISE 2.4 for the duration of 10 days, no issues were reported. The attribute named "Identity Group Name" (image attached) was seen in the Radius Live logs prior to the patch upgrade and hence was hitting the Authorization Condition. After the patch upgrade, after realizing that this attribute is no longer learned, we had to delete the additional condition from the Authorization Rule, which obviously fixed the issue for us. As far as I can see, there is no security compromise or any acceptable risk involved after deleting this condition, as we have only one set of phones in the deployment. Still, out of curiosity, should I be considering this a bug, or is there something I may have missed that should have been taken care of in ISE 2.4 Patch 10?

Accepted Solutions

Jason Kunst
Cisco Employee
Please open a TAC case to investigate.
