Cisco ISE 2.4 Endpoint removed from MAB Group

Arjun176
Level 1

Hi,

We are using ISE version 2.4 patch 9. We have created various MAB groups to allow the non-dot1x-supported devices, and we have also migrated the sites to closed mode.

Currently we observe that a few endpoints which were added to the MAB group are getting removed from the MAB group automatically, and device authentication has failed, which has caused downtime in the network.

Could you please advise whether there is any specific reason for the endpoints to get removed automatically from the Cisco ISE MAB group?

regards

Arjun.S

1 Accepted Solution


Those two bugs are fixed in the version and patch that he is running. The likely culprit would be either endpoint purge policies or this bug fixed in patch 10.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq58785

First confirm that the endpoints aren't being purged since that takes a couple minutes to check. Then if you like you could open a TAC case to confirm you are hitting this bug ID. If you don't want to do that, you could move to patch 10 to rule out this issue. If the problem persists after patch 10, then it may be a more complicated issue not yet documented/fixed.


4 Replies

JohnNewman7082
Level 1

Hi Arjun,

You should open a TAC case to determine the actual cause.

If you do not have the "static group assignment" checked, it's possible profiling is changing the endpoint. When you change it back, the device more than likely will not re-profile to change the group again.

If you do have "Static group assignment" checked, you could be facing a bug like CSCvi73782 or CSCvk55076.


Hi,

 

Please correct me if my understanding is wrong.

1: When we manually add a device to the MAB group, "Static Assignment Group" will be checked automatically.

2: Endpoint Purge is for devices which are not profiled by ISE; if an endpoint is added to a MAB group it will not be purged.

 

regards

Arjun.S

1. Statically assign an endpoint if you do not want it to automatically change from the group.

 

2. Endpoint purge can be for any endpoint group. By default, it removes endpoints that are 30 days old from GuestEndpoints or RegisteredDevices.

You can check your rules under Administration > Identity Management > Settings > Endpoint Purge

 

If the group you are using does not match anything there, you should upgrade your patch level to the next patch for 2.4. If it reproduces, please contact TAC.
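
The triage order discussed in this thread (purge, re-profiling without static assignment, or a possible bug), written out as an added example that is not part of any post above and is not Cisco code. It assumes two endpoint inventory snapshots whose records carry the `mac`, `groupId` and `staticGroupAssignment` fields of an ISE ERS endpoint object; the group IDs, MAC addresses and the `triage` helper are constructed for illustration.

```python
# Triage endpoints that left a MAB identity group between two snapshots.
# Field names follow the ISE ERS endpoint object (assumption about the export
# format); group IDs and MACs below are constructed placeholders.
MAB_GROUP_ID = "PLACEHOLDER-MAB-GROUP-ID"
OTHER_GROUP_ID = "PLACEHOLDER-PROFILED-GROUP-ID"

# Constructed sample data: snapshot taken before and after the outage.
BEFORE = [
    {"mac": "00:00:5E:00:53:01", "groupId": MAB_GROUP_ID, "staticGroupAssignment": True},
    {"mac": "00:00:5E:00:53:02", "groupId": MAB_GROUP_ID, "staticGroupAssignment": False},
    {"mac": "00:00:5E:00:53:03", "groupId": MAB_GROUP_ID, "staticGroupAssignment": True},
    {"mac": "00:00:5E:00:53:04", "groupId": MAB_GROUP_ID, "staticGroupAssignment": True},
]
AFTER = [
    {"mac": "00:00:5e:00:53:02", "groupId": OTHER_GROUP_ID, "staticGroupAssignment": False},
    {"mac": "00:00:5e:00:53:03", "groupId": OTHER_GROUP_ID, "staticGroupAssignment": False},
    {"mac": "00:00:5e:00:53:04", "groupId": MAB_GROUP_ID, "staticGroupAssignment": True},
]


def triage(before, after, mab_group_id):
    """Return {MAC: finding} for endpoints that were in the MAB group in
    `before` and are no longer in it in `after`."""
    after_by_mac = {e["mac"].upper(): e for e in after}
    findings = {}
    for ep in before:
        if ep["groupId"] != mab_group_id:
            continue  # not a MAB-group endpoint, out of scope
        mac = ep["mac"].upper()
        now = after_by_mac.get(mac)
        if now is None:
            # Record is gone entirely: review the Endpoint Purge rules first.
            findings[mac] = "deleted: check Endpoint Purge rules"
        elif now["groupId"] == mab_group_id:
            continue  # still in the MAB group, nothing to report
        elif not ep["staticGroupAssignment"]:
            # Group changed and it was never pinned: profiling can move it.
            findings[mac] = "regrouped: no static assignment, likely re-profiled"
        else:
            # Group changed although it was pinned: candidate for a TAC case.
            findings[mac] = "regrouped despite static assignment: possible bug"
    return findings


if __name__ == "__main__":
    for mac, finding in sorted(triage(BEFORE, AFTER, MAB_GROUP_ID).items()):
        print(mac, "->", finding)
```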