
ISE 2.3.0.298 - CSV Import/Export of custom Endpoint Identity Groups doesn't work

Mark DeLong
Level 4

When you export endpoints in a CSV file, if an endpoint is assigned to a custom identity endpoint group then its "IdentityGroup" column will be blank in the exported CSV. If it is assigned to a "Built-in" group then it will show up in its IdentityGroup column correctly.

When importing endpoints via CSV file, if you try to use a custom identity group in the "IdentityGroup" column of any of the hosts, the import will fail with a message of the identity group being "invalid". If you assign the hosts to a built-in identity group the import works fine.

Due to this issue I had to assign a bunch of endpoints to their custom group manually.

1 Accepted Solution


Mark DeLong
Level 4

So I updated to Patch 2 and this fixed the issue. After this exports show the custom endpoint identity groups for endpoints and you can import custom groups successfully. So this is definitely a bug that is fixed in either patch 1 or 2. Thanks for everyone's suggestions.

Also, as chyps mentioned I am definitely seeing a lag between the endpoints being assigned to an identity group and that showing up in context visibility as well as the export of endpoints. When I first patched the deployment I could export the 400 endpoints I have entered from my first site and out of them about 250 have been assigned to an endpoint group but only about 40 showed it. Now about two days later about 150 are showing a group. So I expect within a few days they will all accurately show their group. I'm pretty confident this is a replication lag between the databases though because 4 hosts still show themselves in a test group that I put them in briefly just for testing purposes and then moved them to another group.

Thanks again for both of your guys help!!

Mark DeLong

6 Replies

Jason Kunst
Cisco Employee

Please log a bug through the TAC and get it attached to your case.

I was not able to duplicate under ISE 2.3 P1 and critical P2 patch is already released.

Please note that each endpoint can only be a member of one Identity Group.  Validate that the endpoint in question shows correct Identity Group from Context Visibility.  I would also drill down into endpoint details and validate assignment.  Since there were known issues with Context Visibility, need to make sure it is not a matter that the Oracle database and Context Visibility database in sync.  There are options from PAN CLI (application configure ise) to resync that may help.

Thanks for the suggestions! I don't believe it is related to some of the cosmetic bugs I've seen with Context Visibility as I have checked it from the endpoint details as well as the endpoint identity group. Also, as far as only being a member of one endpoint identity group it is my understanding from the documentation that when you import hosts that already have an endpoint identity group then it is overwritten by what you imported. That all said, I have run into a ton of bugs on the initial release of 2.3 so I patched this deployment up to patch 2 this evening. I will check tomorrow if this fixed the import/export issue and update this thread. Thanks again!

Thanks for the suggestion, Jason! Unfortunately, I'm a partner that is installing this for an end customer and my CCO doesn't have an ISE entitlement and I don't want to bug my customer over this currently as I have a workaround. Also, I'm not sure I would want to burn the time with TAC anyway on this just to report an obvious bug. If there was an easier way to report the bug to Cisco with little involvement on my side (i.e. TAC can lab it up themselves and work with the BU on it without involving me) I would be fine with that. But I don't see that happening from my past experience. If there is a new process to report bugs without much customer involvement that you know of please let me know!

You get best results working with TAC to attach the defect to a case so that development can see the issue and work on it.
