Solved: Cisco ISE 2.3 policy not adding objects to correct group

gregmoyse3 · ‎07-15-2019

Hi,

I am using a BYOD-type policy where our employees login to their personal devices using their AD credentials linked to a CWA page.

I am having problems where, when a new device is logged in, it is not being added to the correct Endpoint Identity Group and is denied network access.

If I manually add the MAC address of the endpoint to the group, it works.

Oddly, the devices that are authenticated end up in an odd group which I cannot find, called S1-9{long number}

Any ideas?

Cheers

Jason Kunst · ‎07-15-2019

Make sure you're on latest patch as there are bugs around identity groups and licensing if this doesn't work work through TAC as there are defects out there like this

View solution in original post

Jason Kunst · ‎07-18-2019

Please work through the TAC

View solution in original post

Jason Kunst · ‎07-15-2019

Make sure you're on latest patch as there are bugs around identity groups and licensing if this doesn't work work through TAC as there are defects out there like this

gregmoyse3 · ‎07-16-2019

Thanks - I will update from patch 4 to patch 6 and let you know how I get on.

Greg

Jason Kunst · ‎07-16-2019

Good start. Also consider moving to 2.4 as our latest long term recommended release

gregmoyse3 · ‎07-18-2019

Hi, I've updated to patch 6 but still no joy. I will look into upgrading to version 2.4.
Odd how it was working, then stopped. The Guest Portal is configured to use the correct guest type and Endpoint Identity group, but still sends devices to a random 'group' -
S-1-5-21-2038665849-2013265171-455191445-20904####S-1-5-21-2038665849-2013265171-455191445-513

I also noticed that after patching to patch 6, I lost the ability to log into ISE using my domain details and can only log in as local admin.

Jason Kunst · ‎07-18-2019

Please work through the TAC