
ISE 2.1 Unknown endpoint profile impact on compound AuthZ condition

Hello

Not sure if it was documented anywhere. Recently I met a "feature" within ISE 2.1 latest patch where, if you configure a compound condition OR'ing endpoints:logicalprofile with identitygroup:name, then during AuthZ of an endpoint with a logical profile of Unknown the condition will never match, even if the endpoint's static identity-group 200% matches.

Keep an eye.


Arne Bier
VIP

Hi @andy!doesnt!like!uucp 

 

Sounds like a bug to me - I haven't had the need to match on Unknown Endpoint Identity Group. BTW, in ISE 3.1 I was unable to find a Logical Profile of "Unknown". I believe that in the Policy Set logic, 'Unknown' only works with the Endpoint Identity Group, despite the fact that the Report shows the endpoint as being matched to "Unknown Policy Profile".

 

At least in ISE 3.1 I was able to get a match when I used "Unknown Endpoint" in an Authorization rule. 

 

Identity Group Name EQUALS Endpoint Identity Group: Unknown

 

ISE 2.1? Upgrade?

 

 

 

Hi Arne

To meet the issue you don't need to try to match endpoint-profile to Unknown. You just try to match membership in Identity-group X, but as I said, if you are OR'ing this condition with Logical-profile to match Y (l.s. Harhschmann devices) then you will never hit matching identity-group X if the corresponding endpoint's Logical-profile is Unknown.