ISE Endpoint Identity Groups

stephendrkw
Level 3

Hi, I run ISE 1.3 for Wireless. I will be creating a new SSID on my WLCs for a specific number of users who will be authorised by MAC authentication using ISE.

Basically I will have a list of about 50 MAC addresses that will be held on the ISE. Users will be directed from Anchor WLCs to ISE and presented a page which will be the policy sign-on, just a tick (not login/password).

From what I've read I need to create an Endpoint Identity Group. Every time I create one I see a Server Success pop-up but no Endpoint Identity Group listed. There is no parent group to choose from? Where do I create the parent group?


This will be basically what I plan to configure:

  1. Create an endpoint identity group
  2. Add MAC addresses for each authorised mobile device to its respective identity group.
  3. Configure authentication rule to use the Internal Endpoints identity sequence.
  4. Create authorization rules that permit access based on endpoint identity group and SSID.
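
Added example, not part of the original post and not Cisco code: a pre-import check for the MAC list in step 2. It normalizes each entry to one format and sets aside typos, duplicates, and addresses with the multicast or locally administered bit set (the latter is how randomized "private" Wi-Fi addresses appear), since those would not make dependable MAB allowlist entries. The function names and the sample list are constructed for illustration.

```python
import re

# Constructed sample input: MACs as they might arrive from different sources.
SAMPLE = """\
00:1a:2b:3c:4d:5e
001A.2B3C.4D5E
a4-83-e7-11-22-33
DA:A1:19:00:00:01
01:00:5e:00:00:fb
00:1a:2b:3c:4d
"""

_HEX12 = re.compile(r"[0-9A-F]{12}")


def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[\s:.\-]", "", raw).upper()
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_mac_list(text):
    """Split a MAC list into importable entries and entries needing review."""
    accepted, review, seen = [], [], set()
    for line in text.splitlines():
        raw = line.strip()
        if not raw:
            continue
        mac = normalize_mac(raw)
        if mac is None:
            review.append((raw, "not a 48-bit MAC"))
            continue
        if mac in seen:
            review.append((raw, "duplicate of " + mac))
            continue
        seen.add(mac)
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:    # I/G bit: group address, never a client
            review.append((raw, "multicast/group address"))
        elif first_octet & 0x02:  # U/L bit: not a burned-in vendor address
            review.append((raw, "locally administered (possibly randomized)"))
        else:
            accepted.append(mac)
    return accepted, review
```

Calling `audit_mac_list(SAMPLE)` returns the two importable addresses and four entries to check with the device owner before they go into the identity group.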
1 Accepted Solution

Unfortunately, no. You won’t be able to see it from the CLI. Given how old the code is, it could be that your newer browser isn’t compatible with the older UI. Every release, we certify browsers and outline them in the compatibility guide.

Regards,
-Tim

7 Replies

Timothy Abbott
Cisco Employee

You are correct that an endpoint identity group is required to do what you are trying to accomplish. Why you aren't seeing the endpoint identity group after creation could be browser related. You could reset your browser or try a different browser. It is also possible that you are hitting a bug but because 1.3 is end of life, there are no support options. I encourage you to consider upgrading to a newer version of ISE with which you would be able to get support from the TAC.

Regards,

-Tim

I have tried IE and I have the same problem, maybe this is a bug in 1.3.

I plan to upgrade next year to a newer supported version.

Is it possible to see this group creation from the command line? Thought I'd ask but I guess not.

Cisco Identity Services Engine Software Version 1.3 Bulletin is missing the last date of support, which usually is 2 years after the end of software maintenance and would be Dec 31, 2019. Thus, you could try opening a Cisco TAC case and investigate this issue.

Although there is no CLI option, you may try External RESTful APIs for Endpoint Identity Groups.

Thanks Tim. I plan to upgrade to 2.1.0; a direct upgrade is possible from 1.3 to 2.1.0.

Not sure if this is a recommended version but at least a start and the quickest/easiest upgrade option. I did notice that during this VMware upgrade in my case RedHat versions are changed from 5.x to 7.x; luckily we are running hardware ESXi6 x which is compatible with RH 7.x. Looks like you need to power down the VM instance and change OS version to 7.x after the upgrade. Let's see!

I'll post once upgraded and see if all the Groups I apparently created are there or not and the upgrade has indeed fixed my problem.

Recommended to move to 2.2 with latest patch.

If you are comfortable with your ISE config I would build a brand new parallel deployment running 2.4 patch 5 and rebuild your entire deployment using current best practices. That is how we typically handle upgrades for customers running that old of a version of ISE.