
Cisco ISE - hitting wrong NetworkDevice Group

Netmart
Level 3

Hello,

For some reason, an authentication request for node 172.23.140.200 is hitting the wrong Network Devices Group, though there is a long prefix (/32) available. Consequently, the wrong Policy-Set is chosen with Privilege Level 1.

Usually ISE is expected to hit the longest prefix:

#1 Arista_mgmt: 172.23.140.200/32

#6: Private-172-Network1:  172.23.128.0/20


 

Jun 19 17:27:22 ISE-1 CISE_Passed_Authentications 0485078549 4 0 2025-06-19 17:27:22.220 -04:00 59105442473 5201

NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=71, Device IP Address=172.23.140.200,

DestinationIPAddress=******, DestinationPort=49, UserName=cvpadmin, Protocol=Tacacs, NetworkDeviceName=Private-172-Network1,

Type=Authentication, Action=Login, Privilege-Level=1,

 

Version: 3.1.0.518
Patch Information: 3

Any advice is much appreciated.

 

 

 

4 Replies

3.1 patch 3 is very old at this point. I would not spend any time troubleshooting this issue until you upgrade to the latest 3.1 patch.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-1-3-2.html

Did you try changing the device profile under the network device list?

MHM

Thank you MHM.

 

Under Work Centers > Network Access > Network Devices: the IP is listed under Network Devices List.

I would appreciate it if you could please guide me to where the device profile is linked to the network device list.

Please keep in mind that other IPs in the same Network Device List are hitting the proper policy [based on the logs].

 

I checked the Cisco doc and other notes.

The device profile is not sent as a RADIUS attribute, so ISE cannot use it to identify the device.

Returning to the IP conflict:

ISE supports IP ranges, so you can use an IP range to exclude a single device IP from the device group.

I.e., 10.0.0.100/32 single

10.0.0.0/24 device group

In ISE, add the IP for the device group as

10.0.0.1-10.0.0.99

10.0.0.101-10.0.0.254

Hope this helps you solve the problem.

MHM
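
The range split suggested in the reply above, as an added example that is not part of the original thread: it finds host entries nested inside a broader entry and prints the ranges left once those hosts are carved out. The function names are hypothetical, the entry list is constructed from the two entries quoted in the question, and the `start-end` notation simply follows the reply; which range forms ISE accepts is not confirmed here.

```python
import ipaddress

# Constructed from the two entries quoted in the question (name -> CIDR).
ENTRIES = {
    "Arista_mgmt": "172.23.140.200/32",
    "Private-172-Network1": "172.23.128.0/20",
}

def shadowed(entries):
    """Pairs (specific, broad) where one entry lies fully inside another."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in entries.items()}
    return sorted(
        (a, b) for a, na in nets.items() for b, nb in nets.items()
        if a != b and na.prefixlen > nb.prefixlen and na.subnet_of(nb)
    )

def split_around(subnet, excluded):
    """Host ranges of `subnet` (a /30 or larger) that skip every excluded IP."""
    net = ipaddress.ip_network(subnet)
    # Usable hosts only, matching the reply's .1 to .254 for a /24.
    first, last = int(net.network_address) + 1, int(net.broadcast_address) - 1
    holes = sorted({int(ipaddress.ip_address(ip)) for ip in excluded})
    ranges, start = [], first
    for hole in holes:
        if not first <= hole <= last:
            continue  # exclusion is outside this subnet, nothing to cut
        if hole > start:
            ranges.append((start, hole - 1))
        start = hole + 1  # adjacent exclusions just advance the start
    if start <= last:
        ranges.append((start, last))
    ip = ipaddress.ip_address
    return [str(ip(a)) if a == b else f"{ip(a)}-{ip(b)}" for a, b in ranges]

def plan(entries):
    """For each broad entry, the ranges left after removing nested single hosts."""
    cuts = {}
    for specific, broad in shadowed(entries):
        net = ipaddress.ip_network(entries[specific])
        if net.num_addresses == 1:  # only single-host entries are carved out
            cuts.setdefault(broad, []).append(str(net.network_address))
    return {broad: split_around(entries[broad], ips) for broad, ips in cuts.items()}

if __name__ == "__main__":
    for name, ranges in plan(ENTRIES).items():
        print(name, ranges)
```
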