03-11-2023 08:01 AM - edited 03-11-2023 12:55 PM
Running ISE 2.7 patch 7. Question: I have a device that was previously connected to an 802.1x SSID and directly assigned to the endpoint group = unknown; later I manually assigned it to an endpoint group = testing. So my question is: if I have device automatic registration in the guest portal I am using for CWA, which points to the Guest Endpoint Group, should my device switch from the "testing" to the "guest" endpoint group or not? So far my tests show it is not working. Profiling is not enabled (it should be, but I do not make that call; someone preferred the "cheap" way, so I am wondering if this feature not being enabled is the reason that it does not work).
03-11-2023 12:33 PM
Hello @ajc, yes, it's expected that the assignment remains statically where you configured the endpoint.
So far there are 2 types of endpoint assignment on ISE. The default that you have is dynamic: unless you assign an endpoint to a matching group, and provided you don't have profiling within your ISE, the devices will be classified as unknown. Now, while assigning endpoints to a group, what you do is change an attribute on the endpoint that turns off this dynamic classification; hence the endpoint group cannot be assigned dynamically anymore to the GuestEndpoint group for any other process on ISE. Please review for your reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpoints.html
03-11-2023 01:01 PM - edited 03-12-2023 06:47 PM
I will open a TAC case for my 2nd question. Thanks.