Created EndPoint Custom Attribute not visible in ISE GUI

omuller
Level 1

I have created 2 EndPoint Custom Attributes by going to Administration -> Identity Management -> Settings -> EndPoint Custom Attributes in the ISE GUI:

omuller_0-1698226446188.png

But when I try to create an EndPoint and edit it to set these Custom Attributes, they are not visible:

omuller_1-1698226693121.png

Pressing the link in "No data found. Add custom attributes here" redirects to the page to add Custom Attributes, but here they are still visible. Also, when I try to create an EndPoint using the ERS API with these Custom Attributes, I don't get an error message, but the resulting EndPoint doesn't have the Custom Attribute.

JSON for creating the EndPoint:

{
   "ERSEndPoint":{
      "name":"00:00:00:00:00:01",
      "mac":"00:00:00:00:00:01",
      "groupId":"730c4a70-6da9-11ee-81db-ee5dd0a9085b",
      "staticGroupAssignment":true,
      "staticProfileAssignment":false,
      "customAttributes":{
         "customAttributes":{
            "CMDBStatus":"Test",
            "CMDBConfigurationItem":"Test"
         }
      }
   }
}


Response when fetching the just created EndPoint:

{
   "ERSEndPoint":{
      "id":"6bbc7c50-731b-11ee-81db-ee5dd0a9085b",
      "name":"00:00:00:00:00:01",
      "mac":"00:00:00:00:00:01",
      "profileId":"",
      "staticProfileAssignment":false,
      "groupId":"730c4a70-6da9-11ee-81db-ee5dd0a9085b",
      "staticGroupAssignment":true,
      "portalUser":"",
      "identityStore":"",
      "identityStoreId":"",
      "link":{
         "rel":"self",
         "href":"https://[DNS]:9060/ers/config/endpoint/name/00:00:00:00:00:01",
         "type":"application/json"
      }
   }
}

I am running ISE version 2.4.0.357 with patches 4, 5, 6, 8, 11, 13. Any help would be appreciated!

Accepted Solutions

The issue in the end turned out to be a license issue. Doing Profiling requires a "Plus" license and we only have the "Base" license. So it was possible to declare Endpoint Custom Attributes, but not actually assign them values for a specific Endpoint through the GUI or ERS API. Kind of weird in my opinion that ISE allows you to declare the attributes, but not assign values to them, when it knows you don't have the right license, but maybe this was addressed in a version that isn't so out-of-date as version 2.4. Thanks everybody for the suggestions.

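The ERS call in the question returned no error while the custom attributes were discarded, so a read-back comparison after each write is what catches this. The check below is an added example, not code from the thread; the function names are hypothetical, and the two sample documents are the request and the fetched response from the question (response trimmed to the compared fields).

```python
# Sample documents copied from the question above (constructed as Python dicts).
SENT = {"ERSEndPoint": {
    "name": "00:00:00:00:00:01", "mac": "00:00:00:00:00:01",
    "groupId": "730c4a70-6da9-11ee-81db-ee5dd0a9085b",
    "staticGroupAssignment": True, "staticProfileAssignment": False,
    "customAttributes": {"customAttributes": {
        "CMDBStatus": "Test", "CMDBConfigurationItem": "Test"}}}}
FETCHED = {"ERSEndPoint": {
    "id": "6bbc7c50-731b-11ee-81db-ee5dd0a9085b",
    "name": "00:00:00:00:00:01", "mac": "00:00:00:00:00:01",
    "profileId": "", "staticProfileAssignment": False,
    "groupId": "730c4a70-6da9-11ee-81db-ee5dd0a9085b",
    "staticGroupAssignment": True}}

CORE_FIELDS = ("mac", "groupId", "staticGroupAssignment", "staticProfileAssignment")


def custom_attrs(doc):
    """Flat name -> value map of custom attributes; {} when the key is absent or null."""
    wrapper = doc.get("ERSEndPoint", {}).get("customAttributes") or {}
    return wrapper.get("customAttributes") or {}


def _norm(field, value):
    # Assumption: MAC comparison should ignore case and separator style.
    if field == "mac" and isinstance(value, str):
        return value.replace("-", ":").upper()
    return value


def verify_persisted(sent, fetched):
    """Report fields that were submitted but are missing or different in the stored object."""
    want, got = sent["ERSEndPoint"], fetched.get("ERSEndPoint", {})
    sent_ca, stored_ca = custom_attrs(sent), custom_attrs(fetched)
    return {
        "core_mismatch": sorted(
            f for f in CORE_FIELDS
            if f in want and _norm(f, want[f]) != _norm(f, got.get(f))),
        "dropped": sorted(k for k in sent_ca if k not in stored_ca),
        "changed": sorted(k for k in sent_ca
                          if k in stored_ca and stored_ca[k] != sent_ca[k]),
    }


if __name__ == "__main__":
    report = verify_persisted(SENT, FETCHED)
    if any(report.values()):
        raise SystemExit(f"endpoint write not fully persisted: {report}")
```

Run against the documents from the question, the check reports both CMDB attributes as dropped while the core fields match.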

5 Replies

Rodrigo Diaz
Cisco Employee

Hi @omuller, I ran the same test with the custom attribute on ISE 3.3, and in my case the attribute appeared; check below:

RodrigoDiaz_1-1698244745030.png

RodrigoDiaz_0-1698244708231.png

I would suggest going towards one of the newest versions of ISE and testing out your behavior again, as it could be a defect in that version.

Let me know if that helped. 

Charlie Moreton
Cisco Employee

ISE 2.4 has been End of Support for nearly a year (https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-743964.html).

That and the fact that you are adding CMDB attributes, I would suggest an upgrade to version 3.2.

omuller
Level 1

@Charlie Moreton @Rodrigo Diaz Thank you both for the suggestions. I agree with you both, an upgrade to a higher version of Cisco ISE is probably the right solution. However, I'm forced to work with this version and upgrading to a higher version is not in my control, so I will have to try and get this to work using version 2.4 (for now).

This was supposed to be fixed in Patch 8 for 2.4 (CSCvo28092 - ISE Custom Endpoint Attributes - Will not save or delete), but it seems you are still experiencing it.