10-02-2021 03:47 AM
Hello
Not sure if it was documented anywhere. Recently I met a "feature" within the ISE 2.1 latest patch where, if you configure a compound condition OR'ing endpoints:logicalprofile with identitygroup:name, then during AuthZ of an endpoint with a logical profile of Unknown the condition will never match, even if the endpoint's static identity-group 200% matches.
Keep an eye out.
10-17-2021 01:43 PM
Sounds like a bug to me - I haven't had the need to match on Unknown Endpoint Identity Group. BTW, in ISE 3.1 I was unable to find a Logical Profile of "Unknown". I believe that in the Policy Set logic, 'Unknown' only works with the Endpoint Identity Group, despite the fact that the Report shows the endpoint as being matched to "Unknown Policy Profile".
At least in ISE 3.1 I was able to get a match when I used "Unknown Endpoint" in an Authorization rule.
Identity Group Name EQUALS Endpoint Identity Group: Unknown
ISE 2.1? Upgrade?
10-17-2021 10:21 PM
Hi Arne
To hit the issue you don't need to try to match the endpoint profile to Unknown. You just try to match membership in Identity-group X, but as I said, if you are OR'ing this condition with a Logical-profile match of Y (let's say Hirschmann devices), then you will never hit the match on identity-group X if the corresponding endpoint's Logical-profile is Unknown.