08-07-2018 04:53 AM
Endpoints authenticated with MAB sporadically (after some days or weeks) lose their Static Group Assignment and the Description.
In the window Work Center -> Identities -> Endpoints the Static Group Assignment and the Description of the endpoints are shown correctly. When editing the endpoint there is no Static Group Assignment and no Description anymore, so specific MAB authorization policies do not work.
The static group that is assigned manually is configured directly under "Endpoint Identity groups".
What could be the issue? Could this be a specific ISE feature?
08-07-2018 06:13 AM
Double check your purge policies (Administration->Identity Management->Settings->Purge) and see if you have a purge policy set up that you may have forgotten about. You can also check the purge reports for specific MAC addresses to see if they are being removed from the system. Finally, if you pull up the MAC addresses on the Context Visibility you can look for the Elapsed Days field to see how long the MAC address has been in the system.
08-08-2018 12:55 AM
The purge reports for the last 30 days are empty and the ElapsedDays for the specific endpoint is 386. This means that the endpoint is not purged?
08-08-2018 05:42 AM
Yep, if the elapsed days is that long then it hasn't been purged. When it changes from a static group assignment, where is it getting put? I mean, what profile group and endpoint identity group is it getting moved to?
08-08-2018 06:02 AM
If I check in
Work Centers -> Network Access -> Identity Groups ->
Group-for-WLAN on the content (right) pane with the list I can see
MAC Address / EndPoint Profile / Static Group Assignment
90:xx:xx:xx:xx:xx / Unknown / false
The other members are statically assigned, some of them have an endpoint profile other than unknown.
11-23-2018 03:05 AM
Hi Kerstin-534,
I have the same issue, did you find any solution?
Thanks,
Ricardo Nardi.
11-23-2018 03:09 AM
Hi,
There is a defect CSCvg7326 in ISE, the workaround described in the bug notes did not work. So we have no solution yet. The next step is a new install of ISE on 2.4 latest patch.
br Kerstin
11-26-2018 11:44 AM
Kerstin, would you double-check that bug ID? When I search that I do not get any bugs related to ISE.
11-27-2018 01:51 AM
The ID is CSCvg73626, maybe Cisco internal.
11-27-2018 02:52 AM
Yes, there is a bug for it. Please work with TAC to check the workaround and any patch recommendation.
11-27-2018 03:11 AM
There is no patch for Version 2.1?