10-17-2018 08:17 AM
Hi
I have a Guest Portal configured with Self Registration which assigns Devices to Guest Type "Visitors".
The Authorization Policy allows access when Guest_Flow and Identity Group = Visitors.
Now I recognized under Work Centers -> Guest Access -> Identities, that some endpoints have different Identity Groups than "Visitors". Some are assigned to "Profiled" and others to "Android" etc. Is this because of the profiler? Does this affect the Authorization Policy? Should this behaviour be turned off? If yes, where?
Thanks,
Marc
10-17-2018 08:23 AM
Probably should not be turned off, and in fact, I'm not even sure you can turn it off.
This will only affect your AuthZ policy if your policy is written as such. Meaning, is one of your policy's conditions 'profiled' or 'android'? If not, then it will not match.
Also, yes, this is happening because it's matching rules under: Work Centers > Profiler > Policy Elements > Profiler Conditions
Which match to: Work Centers > Profiler > Profiling Policies
10-17-2018 08:35 AM
I don't get that. I have created different AuthZ Policies with different AuthZ Profiles based on Endpoint Identity Groups.
So if the profiler is overwriting the Endpoint Identity Groups I configured in each Guest Type this all makes no sense.
10-17-2018 08:38 AM
If you're putting an endpoint in a specific identity group, the profiler policies will not overwrite that. Or at least, they shouldn't be...?
10-17-2018 08:48 AM
Exactly what I think too. But in my case, it's somehow assigning different identity groups than I configured in my guest types...
10-17-2018 10:25 AM
12-05-2018 08:55 AM
Unfortunately we were not able to solve the problem yet. It looks like ISE is arbitrarily changing the identity groups of guest endpoints. This leads to a CoA and the user will not be able to connect anymore, because the AuthZ rules are based on endpoint groups.
12-05-2018 03:41 PM
07-09-2019 07:18 AM
Hi,
Do you have any information regarding a bug ID or resolution?
Thanks
07-10-2019 12:04 AM
There is still no resolution. I opened a TAC case months ago and we are still looking for the root cause.
There could be a chance that the purge rule for the affected identity group is causing the problem. With the purge rule deactivated, I have way fewer guest flow endpoints which are losing their static group assignment.
07-10-2019 03:12 AM
07-15-2020 08:34 AM
Hi, I am having exactly the same issue. How did you solve it?
I am having an issue with the remember me configuration because the identity group ID of the devices is tagged as Profiled instead of GuestEndpoint.