
ISE 2.3 patch 2 - Policy set rule does not match rule with custom logical profile.

Rodrigo Gurriti
Level 3

Hello,

Just found something odd.

Custom profile for a few printers.

I then added them to a logical profile.

Created a policy for them.

Tested the printers, they get profiled.

They show up on the logical profile, I can see all MAC addresses.

They match the policy. Life is great!

A couple days later they don't match the policy anymore because ISE doesn't match the logical profile.

Other policies using logical profile are OK.

I re-did all the profile policies, logical profile and policy set. It works, but if there is a re-auth they will not match anymore.

I also noticed that the ISE cannot get information from the logical profile.

[Image: Untitled.png]

TAC does not know what is going on, but I worked around it by creating a policy matching on the profiled device instead of the logical profile, and it works.

PS. I have other custom logical profiles and they work just fine.

Has anyone seen this before?

4 Replies

Hi Rodrigo

I have the same ISE version with the same patch level (Cisco ISE 2.3 Patch 2), but I don't use logical profiles. I normally use Profiling Policies with the Policy Enabled option and use them in Conditions under Authorization rules.

I use Profiling Policies mostly for dynamic assignment (Profiling) and static assignment via Endpoint group; it always works perfectly fine. (Printers, AVAYA IP phones, Cisco AP, CCTV Camera, etc.)

Can I just ask what the requirement is that mandates you to use a logical profile?

Here is a sample of an Avaya IP Phone's normal repeated reauthentication logs:

[Image: 5.png]

I have to group several devices that will use MAB, and give a single authorization policy.

 

TAC got it fixed, we are monitoring. We had to install patch 3 because of another bug and after the re-start, logical profiles on ISE started to work. 

 

We were not able to troubleshoot the problem very well because there was another bug impacting the log creation and without a log, we were not able to troubleshoot. 

Hi Rodrigo

Great to hear your issue got fixed. BTW, I'm upgrading this week to patch 3 as well, as I have hit 2 bugs already; one of them is the one you mentioned above about log creation (CSCvg30444).

Anyway, it was TAC's recommendation in my case to apply patch 3.

Hi Mohamed,
Yes, that was one of the bugs we hit here as well, glad it is fixed!